A Demilitarized Zone (DMZ) in computer networking is a physical or logical subnetwork that separates an internal local area network (LAN) from other untrusted networks, typically the internet. The primary purpose of a DMZ is to add an extra layer of security to an organization's internal network by acting as a buffer zone where external-facing services can be accessed.
The DMZ contains resources such as web servers, mail servers, FTP servers, and other public-facing services that need to be accessible from the internet. These resources are isolated from the internal network to minimize the risk of a breach impacting the more sensitive internal systems.
In a typical DMZ setup, two firewalls are used. The first firewall sits between the external network (the internet) and the DMZ, controlling and filtering incoming traffic. The second firewall is positioned between the DMZ and the internal network, providing another layer of security. This configuration ensures that even if an attacker manages to infiltrate a server in the DMZ, the internal network remains protected.
There are several key components of a DMZ:
One common implementation of a DMZ is the use of a "three-leg firewall," where a single firewall device has three network interfaces: one connected to the internet, one to the internal network, and one to the DMZ. This setup simplifies the configuration while maintaining a high level of security.
A DMZ is an essential part of a comprehensive security strategy, providing a controlled environment for public-facing services and reducing the potential attack surface for the more sensitive internal network. By isolating these services, an organization can better manage risks and protect its critical data and systems.