Demilitarized Zone (DMZ)

Return to Glossary

A Demilitarized Zone (DMZ) in computer networking is a physical or logical subnetwork that separates an internal local area network (LAN) from other untrusted networks, typically the internet. The primary purpose of a DMZ is to add an extra layer of security to an organization's internal network by acting as a buffer zone where external-facing services can be accessed.

The DMZ contains resources such as web servers, mail servers, FTP servers, and other public-facing services that need to be accessible from the internet. These resources are isolated from the internal network to minimize the risk of a breach impacting the more sensitive internal systems.

In a typical DMZ setup, two firewalls are used. The first firewall sits between the external network (the internet) and the DMZ, controlling and filtering incoming traffic. The second firewall is positioned between the DMZ and the internal network, providing another layer of security. This configuration ensures that even if an attacker manages to infiltrate a server in the DMZ, the internal network remains protected.

There are several key components of a DMZ:

  1. External Firewall: Filters traffic from the internet to the DMZ, allowing only specific types of traffic (like web requests or email) to pass through.
  2. Internal Firewall: Filters traffic between the DMZ and the internal network, typically allowing only necessary communication.
  3. Public Services: Servers and services that need to be accessible from the internet, such as web servers, are placed within the DMZ.
  4. Monitoring and Logging: Continuous monitoring and logging of the traffic within the DMZ help in detecting and responding to suspicious activities.

One common implementation of a DMZ is the use of a "three-leg firewall," where a single firewall device has three network interfaces: one connected to the internet, one to the internal network, and one to the DMZ. This setup simplifies the configuration while maintaining a high level of security.

A DMZ is an essential part of a comprehensive security strategy, providing a controlled environment for public-facing services and reducing the potential attack surface for the more sensitive internal network. By isolating these services, an organization can better manage risks and protect its critical data and systems.

WireGuard is a registered trademark of Jason A. Donenfeld.

Star us on GitHub
Can we use Cookies?  (see  Privacy Policy).
PreferencesReject
Accept