A DMZ (demilitarized zone) is a physical or logical sub-network that separates an internal local area network (LAN) from other untrusted networks, usually the Internet.
It is a special local network configuration designed to improve security by segregating the computers on each side of a firewall.
A DMZ can be set up either on home or business networks, although their usefulness in homes is limited.
In a home network, computers and other devices normally are configured into a local area network (LAN) connected to the Internet via a broadband router.
The router serves as a firewall, selectively filtering traffic from the outside to help ensure only legitimate messages pass through.
A DMZ splits such a network into two parts by taking one or more devices from inside the firewall and moving them outside it. This configuration better protects the inside devices from possible attacks from the outside (and vice versa).
A DMZ is useful in a home when the network runs a server. The server can be placed in the DMZ so that Internet users can reach it via its own public IP address, while the rest of the home network stays protected if the server is compromised.
There are various ways to design a network with a DMZ. The two most common methods use either a single firewall or dual firewalls.
These architectures can be expanded to create very complex architectures depending on the network requirements.
A single firewall with at least three network interfaces can be used to create a network architecture containing a DMZ.
The external network is formed from the ISP to the firewall on the first network interface, the internal network is formed from the second network interface, and the DMZ is formed from the third network interface.
Separate sets of firewall rules for traffic between the Internet and the DMZ, between the LAN and the DMZ, and between the LAN and the Internet tightly control which ports and types of traffic are allowed into the DMZ from the Internet, limit connectivity to specific hosts in the internal network, and prevent unrequested connections from the DMZ to either the Internet or the internal LAN.
A more secure approach is to use two firewalls to create a DMZ. The first firewall, also called the perimeter firewall, is configured to allow only traffic destined for the DMZ.
The second, or internal, firewall only allows traffic from the DMZ to the internal network. This is considered more secure, since two devices would need to be compromised before an attacker could reach the internal LAN.
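To make the two designs above concrete, here is an added example (not code from the original page) that models the single three-interface firewall and the dual-firewall layout as ordered zone-to-zone rules with a minimal notion of connection state. The zone names, port numbers, the "web tier to database" rule on port 5432 and the path table describing which firewalls a flow crosses are all constructed assumptions; the point is to show which flows each design permits and, in the dual design, which of the two firewalls stops a connection.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY: Optional[FrozenSet[int]] = None  # rule matches every destination port


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dport: int
    state: str = "new"  # "new" = connection attempt, "established" = reply traffic


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    ports: Optional[FrozenSet[int]]
    action: str  # "allow" or "deny"


@dataclass
class Firewall:
    name: str
    rules: List[Rule]
    default: str = "deny"  # anything not explicitly allowed is dropped

    def decide(self, flow: Flow) -> str:
        # Stateful behaviour: replies belonging to a connection the firewall already
        # accepted pass; only new connection attempts are checked against the rules.
        if flow.state == "established":
            return "allow"
        for rule in self.rules:  # first match wins
            if (rule.src == flow.src_zone and rule.dst == flow.dst_zone
                    and (rule.ports is None or flow.dport in rule.ports)):
                return rule.action
        return self.default


# --- Single firewall with three interfaces: "internet", "dmz", "lan" (constructed policy) ---
SINGLE = Firewall("single-3-nic", [
    Rule("internet", "dmz", frozenset({80, 443}), "allow"),  # only the public web ports reach the DMZ
    Rule("lan", "dmz", frozenset({22, 80, 443}), "allow"),   # internal users/admins reach DMZ hosts
    Rule("lan", "internet", ANY, "allow"),                   # outbound browsing from the LAN
    Rule("dmz", "lan", frozenset({5432}), "allow"),          # assumption: web tier -> database tier only
    # internet->lan, other dmz->lan ports and dmz->internet fall to the default deny,
    # so a compromised DMZ host cannot open arbitrary new connections inward or outward.
])

# --- Dual firewall: perimeter between internet and dmz, internal between dmz and lan ---
PERIMETER = Firewall("perimeter", [
    Rule("internet", "dmz", frozenset({80, 443}), "allow"),  # traffic destined for the DMZ only
    Rule("lan", "internet", ANY, "allow"),                   # assumption: LAN egress is permitted
])
INTERNAL = Firewall("internal", [
    Rule("lan", "dmz", frozenset({22, 80, 443}), "allow"),
    Rule("lan", "internet", ANY, "allow"),
    Rule("dmz", "lan", frozenset({5432}), "allow"),          # the one DMZ-originated flow admitted
])

# Which firewalls a flow crosses in the dual design, in order (constructed topology)
PATHS = {
    ("internet", "dmz"): [PERIMETER],
    ("internet", "lan"): [PERIMETER, INTERNAL],
    ("dmz", "lan"): [INTERNAL],
    ("dmz", "internet"): [PERIMETER],
    ("lan", "dmz"): [INTERNAL],
    ("lan", "internet"): [INTERNAL, PERIMETER],
}


def single_firewall_decision(flow: Flow) -> str:
    return SINGLE.decide(flow)


def dual_firewall_decision(flow: Flow) -> Tuple[str, Optional[str]]:
    # A flow is permitted only if every firewall on its path permits it; the second
    # element names the firewall that blocked it (None when allowed), which is the
    # "two devices must be compromised" property in rule form.
    for fw in PATHS[(flow.src_zone, flow.dst_zone)]:
        if fw.decide(flow) == "deny":
            return "deny", fw.name
    return "allow", None


if __name__ == "__main__":
    samples = [
        Flow("internet", "dmz", 443), Flow("internet", "lan", 5432),
        Flow("dmz", "lan", 445), Flow("dmz", "lan", 5432), Flow("dmz", "internet", 443),
        Flow("lan", "dmz", 22), Flow("lan", "internet", 443),
        Flow("dmz", "lan", 443, state="established"),
    ]
    for f in samples:
        print(f"{f.src_zone:>8} -> {f.dst_zone:<8} :{f.dport:<5} {f.state:<11}"
              f" single={single_firewall_decision(f):<5} dual={dual_firewall_decision(f)}")
```

The table printed by the sample run is the check a practitioner would do on a real ruleset: every Internet-originated flow that is not destined for the DMZ must die at the perimeter, and every DMZ-originated flow other than the explicitly listed service must die at the internal firewall (or the single firewall's default deny).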