Demilitarized Zone (DMZ)

A DMZ, short for demilitarized zone, is a network (physical or logical) that holds the hosts providing services to an untrusted external network, usually the internet, while keeping the internal, private network, usually the corporate network, separated and isolated from that external network.

The systems most exposed to attack are those that provide services to users outside the local area network, such as e-mail, web and Domain Name System (DNS) servers, so they are 'quarantined' inside the DMZ, from which they have only limited access to the private network. Hosts in the DMZ can communicate with both the internal and the external network, but any connection they initiate towards internal hosts is tightly restricted to the specific flows they need (a web server reaching one database port, for example), so that a compromised DMZ host does not become a bridge into the private network.

The DMZ is isolated by a security gateway (i.e. a firewall) that filters traffic between the DMZ and the private network. A second security gateway sits in front of the DMZ and filters traffic arriving from the external network, so that only the published services are reachable from outside.

The ultimate goal of a DMZ is to allow access to resources from untrusted networks while keeping the private network secure. Resources commonly placed in the DMZ include web servers, mail servers, FTP servers and VoIP servers.
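The two-gateway layout above reduces to a zone-based, default-deny rule set: the outer gateway admits only published DMZ services, the inner gateway admits only pinned DMZ-to-LAN flows. The following is an added example, not code from the original page: a small first-match policy model that encodes those rules and lets you check what a given new connection would be allowed to do. The subnets, addresses and the database port are assumptions chosen for illustration, and the model assumes a stateful firewall (replies to an accepted connection pass without their own rule).

```python
"""Zone-based DMZ filtering policy (added example; assumptions marked)."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Constructed zone layout (assumption): the firewall classifies an address
# into a zone by subnet; anything that is not ours is the untrusted side.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),   # public-facing hosts
    "lan": ipaddress.ip_network("10.0.0.0/8"),     # private corporate network
}
WEB = "192.0.2.10"   # assumed DMZ web server
DB = "10.0.5.20"     # assumed internal database the web application needs


def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int] = None    # None = any destination port
    src_host: Optional[str] = None    # pin the rule to one source address
    dst_host: Optional[str] = None    # pin the rule to one destination address
    action: str = "accept"

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (self.src_zone == zone_of(src)
                and self.dst_zone == zone_of(dst)
                and self.dst_port in (None, port)
                and self.src_host in (None, src)
                and self.dst_host in (None, dst))


# First match wins; the implicit final rule is drop.  Only new connections are
# evaluated: a stateful gateway passes the reply packets of accepted ones, so
# "lan -> dmz" being allowed needs no "dmz -> lan" rule for the responses.
POLICY = [
    # outer gateway: the internet reaches only the published DMZ services
    Rule("internet", "dmz", 443, dst_host=WEB),
    Rule("internet", "dmz", 80, dst_host=WEB),
    # inner gateway: DMZ -> LAN tightly restricted to one pinned flow
    Rule("dmz", "lan", 5432, src_host=WEB, dst_host=DB),
    # DMZ hosts may initiate connections to the outside (updates, mail relay)
    Rule("dmz", "internet"),
    # administrators inside may reach DMZ hosts; LAN users may browse out
    Rule("lan", "dmz"),
    Rule("lan", "internet"),
]


def decide(src: str, dst: str, port: int) -> str:
    """Return 'accept' or 'drop' for a new connection src -> dst:port."""
    for rule in POLICY:
        if rule.matches(src, dst, port):
            return rule.action
    return "drop"


def audit(flows):
    """Evaluate a list of (src, dst, port) tuples; useful for change review."""
    return {flow: decide(*flow) for flow in flows}


if __name__ == "__main__":
    # Constructed sample flows: a client on the internet, the web server,
    # a second (assumed compromised) DMZ host, and an internal admin station.
    sample = [
        ("203.0.113.7", WEB, 443),        # public web access: accept
        ("203.0.113.7", WEB, 22),         # SSH from the internet: drop
        ("203.0.113.7", DB, 5432),        # internet straight to LAN: drop
        (WEB, DB, 5432),                  # pinned web -> database flow: accept
        (WEB, DB, 22),                    # web server to LAN on any other port: drop
        ("192.0.2.11", DB, 5432),         # other DMZ host to database: drop
        ("10.0.1.5", WEB, 22),            # admin inside to DMZ host: accept
    ]
    for flow, verdict in audit(sample).items():
        print(f"{flow[0]:>14} -> {flow[1]:>12}:{flow[2]:<5} {verdict}")
```

The point to check when reviewing such a rule set is the third group: every DMZ-to-LAN rule should name a source host, a destination host and a port. A rule that reads "dmz -> lan accept" turns the inner gateway into a formality, because a single compromised DMZ host then has the same reach as an internal one.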

Frequently Asked Questions
Are DMZs safe?

A DMZ is not a safe network; it is a deliberately exposed one. Its hosts can be reached from the untrusted external network and should be assumed to come under attack, so they are hardened and monitored accordingly, while the other hosts, on the private network, remain isolated from the external network behind the firewall. What the DMZ keeps safe is the private network, not the hosts placed in the DMZ.

What is the purpose of a demilitarized zone on a network?

The purpose of the DMZ is to enable access to some hosts/systems from an external, untrusted network (e.g. the internet), while securing the rest of the network, the private network, behind a firewall.

What is a DMZ server?

A DMZ server is a server that resides in the DMZ and is typically used to expose resources to a public network (e.g. the Internet).