DMZ
1 Answer

DMZ is a security concept.

It comprises the separation of your network into at least two networks: the internal LAN and the DMZ (demilitarized zone), and the application of a different set of firewall rules for traffic between the LAN and the DMZ, between the Internet and the DMZ, and between the LAN and the Internet.

Generally the DMZ is imprisoned: only access to certain ports from the Internet is allowed into the DMZ, while the DMZ is not allowed to establish new connections either to the Internet or to your LAN. That way, if a server inside of the DMZ is hacked, the potential damage that can be done remains restricted! A DMZ is useless without this kind of firewall rule around it.

A DMZ configuration provides security from external attacks, but it typically has no bearing on internal attacks such as sniffing communication via a packet analyzer or spoofing, such as e-mail spoofing.

It is also sometimes good practice to configure a separate Classified Militarized Zone (CMZ), a highly monitored militarized zone comprising mostly Web servers (and similar servers that interface to the external world, i.e. the Internet) that are not in the DMZ but contain sensitive information about accessing servers within the LAN (like database servers).

In such an architecture, the DMZ usually has the application firewall and the FTP server, while the CMZ hosts the Web servers. (The database servers could be in the CMZ, in the LAN, or in a separate VLAN altogether.)

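The three-zone policy the answer describes (Internet reaches only published DMZ ports; the LAN may initiate connections to the DMZ and the Internet; the DMZ may initiate nothing) can be modelled as a small stateful-firewall decision function. The block below is an added example, not part of the answer above and not taken from any firewall product. The address plan (a 10.0.0.0/24 LAN, a 192.0.2.0/24 DMZ, everything else treated as Internet), the published DMZ ports and the `simulate_compromised_dmz_host` helper are all assumptions chosen to illustrate the point; the second, unsegmented policy shows why the answer says a DMZ is useless without these rules.

```python
"""Model of the firewall policy a DMZ depends on (added example, hypothetical
address plan; not code from the original answer).

Only NEW connection attempts are evaluated: reply packets belong to an
already-established flow and are let through by the stateful engine, which is
why a DMZ web server can answer the Internet without being allowed to call out.
"""
import ipaddress

# Constructed, hypothetical address plan. Anything outside these ranges is
# treated as the Internet. 192.0.2.0/24 is a documentation range (TEST-NET-1).
ZONES = {
    "lan": ipaddress.ip_network("10.0.0.0/24"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}

# Ports the Internet is allowed to open towards the DMZ: web and FTP control.
DMZ_PUBLIC_PORTS = frozenset({80, 443, 21})

# Rules for NEW connections as (src_zone, dst_zone, allowed_ports); a port set
# of None means "any port". Anything not matched is denied, so dmz -> lan and
# dmz -> internet fall through to the default deny: the "imprisoned" DMZ.
SEGMENTED_POLICY = [
    ("internet", "dmz", DMZ_PUBLIC_PORTS),
    ("lan", "dmz", None),
    ("lan", "internet", None),
]

# The same network with a DMZ subnet but without the restrictive rules: the
# DMZ may talk to the LAN and the Internet freely. This is the configuration
# the answer calls useless.
UNSEGMENTED_POLICY = SEGMENTED_POLICY + [
    ("dmz", "lan", None),
    ("dmz", "internet", None),
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; unknown addresses count as Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def allow_new_connection(src_ip: str, dst_ip: str, dst_port: int,
                         policy=SEGMENTED_POLICY) -> bool:
    """Decide whether a NEW connection attempt is permitted by the policy."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        # Simplifying assumption: traffic that stays inside one zone does not
        # cross the firewall and is not filtered here.
        return True
    for rule_src, rule_dst, ports in policy:
        if (rule_src, rule_dst) == (src, dst):
            return ports is None or dst_port in ports
    return False  # default deny


def simulate_compromised_dmz_host(dmz_ip: str, policy=SEGMENTED_POLICY) -> dict:
    """What a hacked DMZ server can start on its own under a given policy.

    Destination addresses are constructed: a LAN database server on 10.0.0.50,
    an attacker-controlled host on 203.0.113.9 (TEST-NET-3), a second DMZ host.
    """
    return {
        "reach_lan_db": allow_new_connection(dmz_ip, "10.0.0.50", 3306, policy),
        "reach_internet_c2": allow_new_connection(dmz_ip, "203.0.113.9", 443, policy),
        "reach_other_dmz_host": allow_new_connection(dmz_ip, "192.0.2.20", 22, policy),
    }


if __name__ == "__main__":
    print("Internet -> DMZ:443 :", allow_new_connection("198.51.100.7", "192.0.2.10", 443))
    print("Internet -> DMZ:22  :", allow_new_connection("198.51.100.7", "192.0.2.10", 22))
    print("Internet -> LAN:445 :", allow_new_connection("198.51.100.7", "10.0.0.50", 445))
    print("LAN -> DMZ:22       :", allow_new_connection("10.0.0.5", "192.0.2.10", 22))
    print("hacked DMZ host, segmented  :", simulate_compromised_dmz_host("192.0.2.10"))
    print("hacked DMZ host, unsegmented:", simulate_compromised_dmz_host("192.0.2.10", UNSEGMENTED_POLICY))
```

With the segmented policy a compromised DMZ web server can still answer its existing client connections but cannot open a session to the LAN database or fetch tooling from the Internet; swapping in `UNSEGMENTED_POLICY` shows the same host reaching both, which is the difference between a DMZ and a subnet that merely carries the name. Lateral movement between DMZ hosts is allowed by the simplifying intra-zone rule here; a real deployment would usually filter that too.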