In computer networks, a DMZ, or demilitarized zone, is a physical or logical subnet that separates a local area network (LAN) from other untrusted networks — usually, the public internet. DMZs are also known as perimeter networks or screened subnetworks.
Any service provided to users on the public internet should be placed in the DMZ network. External-facing servers, resources and services are usually located there. Some of the most common of these services include web, email, domain name system, File Transfer Protocol and proxy servers.
Servers and resources in the DMZ are accessible from the internet, but the rest of the internal LAN remains unreachable. This approach provides an additional layer of security to the LAN as it restricts a hacker’s ability to directly access internal servers and data from the internet.
Hackers and cybercriminals can reach the systems running services on DMZ servers. Those servers must be hardened to withstand constant attack. The term DMZ comes from the geographic buffer zone that was set up between North Korea and South Korea at the end of the Korean War.
DMZs provide a level of network segmentation that helps protect internal corporate networks. These subnetworks restrict remote access to internal servers and resources, making it difficult for attackers to reach the internal network. The strategy is useful for both home networks and large organizations.
Businesses place applications and servers that are exposed to the internet in a DMZ, separating them from the internal network. The DMZ isolates these resources so, if they are compromised, the attack is unlikely to cause exposure, damage or loss.
DMZs function as a buffer zone between the public internet and the private network. The DMZ subnet is deployed between two firewalls. All inbound network packets are then screened using a firewall or other security appliance before they arrive at the servers hosted in the DMZ.
If better-prepared threat actors pass through the first firewall, they must then gain unauthorized access to the services in the DMZ before they can do any damage. Those systems are likely to be hardened against such attacks.
Finally, assuming well-resourced threat actors take over a system hosted in the DMZ, they must still break through the internal firewall before they can reach sensitive enterprise resources. Determined attackers can breach even the most secure DMZ architecture. However, a DMZ under attack will set off alarms, giving security professionals enough warning to avert a full breach of their organization.
The primary benefit of a DMZ is that it offers users from the public internet access to certain secure services, while maintaining a buffer between those users and the private internal network. There are several security benefits from this buffer, including the following:
DMZ networks have been an important part of enterprise network security for almost as long as firewalls have been in use. They are deployed for similar reasons: to protect sensitive organizational systems and resources. DMZ networks are often used for the following:
More recently, enterprises have opted to use virtual machines or containers to isolate parts of the network or specific applications from the rest of the corporate environment. Cloud technologies have largely removed the need for many organizations to run in-house web servers. Much of the external-facing infrastructure once located in the enterprise DMZ, such as software-as-a-service apps, has migrated to the cloud.
There are various ways to design a network with a DMZ. The two basic methods are to use either one or two firewalls, though most modern DMZs are designed with two firewalls. This approach can be expanded to create more complex architectures.
A single firewall with at least three network interfaces can be used to create a network architecture containing a DMZ. The external network is formed by connecting the public internet — via an internet service provider connection — to the firewall on the first network interface. The internal network is formed from the second network interface, and the DMZ network itself is connected to the third network interface.
Separate sets of firewall rules govern traffic between the internet and the DMZ, between the LAN and the DMZ, and between the LAN and the internet. Together they tightly control which ports and types of traffic are allowed into the DMZ from the internet, limit the DMZ's connectivity to specific hosts in the internal network, and prevent the DMZ from initiating unrequested connections to either the internet or the internal LAN.
The more secure approach to creating a DMZ network is a dual-firewall configuration, in which two firewalls are deployed with the DMZ network positioned between them. The first firewall — also called the perimeter firewall — is configured to allow only external traffic destined for the DMZ. The second, or internal, firewall only allows traffic from the DMZ to the internal network.
The dual-firewall approach is considered more secure because two devices must be compromised before an attacker can access the internal LAN. Security controls can be tuned specifically for each network segment. For example, a network intrusion detection and intrusion prevention system located in a DMZ could be configured to block all traffic except Hypertext Transfer Protocol Secure requests to Transmission Control Protocol port 443.
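To make the single-firewall and dual-firewall rule sets described above concrete, here is an added example (not from the original article, and not any vendor's configuration) that models both designs as zone-based allow-lists with a default-deny policy. The addressing (TEST-NET-1 for the DMZ, RFC 1918 space for the LAN), the interface names eth0/eth1/eth2, the database host 10.0.5.10 and the sample flows are all constructed for illustration. It shows the behaviour the text calls for: HTTPS from the internet reaches only the DMZ, the DMZ may reach exactly one internal host on one port, a compromised DMZ server cannot open new connections outward, and in the dual design an internet-to-LAN flow already fails at the perimeter firewall.

```python
"""Zone-based model of the DMZ firewall policies discussed above.

Constructed example: addresses, interface names and hosts are assumptions,
not values from the article or from any real deployment.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing: TEST-NET-1 for the DMZ, RFC 1918 space for the LAN.
ZONE_NETS = {"lan": ip_network("10.0.0.0/8"), "dmz": ip_network("192.0.2.0/24")}
# Single-firewall layout from the text: one interface per zone (names assumed).
IFACE_ZONE = {"eth0": "internet", "eth1": "lan", "eth2": "dmz"}
DB_SERVER = "10.0.5.10"  # the one internal host DMZ servers may reach (constructed)


def zone_of(addr: str) -> str:
    """Map an address to lan / dmz; anything else is treated as the internet."""
    ip = ip_address(addr)
    return next((z for z, net in ZONE_NETS.items() if ip in net), "internet")


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    new: bool = True    # False = reply inside a flow the firewall already tracks


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: Optional[str] = None            # None = any protocol
    dports: Optional[frozenset] = None     # None = any destination port
    dst_host: Optional[str] = None         # None = any host in dst_zone

    def matches(self, pkt: Packet, src_zone: str, dst_zone: str) -> bool:
        return ((self.src_zone, self.dst_zone) == (src_zone, dst_zone)
                and self.proto in (None, pkt.proto)
                and (self.dports is None or pkt.dport in self.dports)
                and self.dst_host in (None, pkt.dst))


# Allow-list for the single firewall. Default policy is DROP, so there is deliberately
# no internet->lan rule and no dmz->internet rule: a compromised DMZ host cannot
# open unrequested connections on its own.
SINGLE_ALLOW = [
    Rule("internet", "dmz", "tcp", frozenset({443})),           # public HTTPS only
    Rule("dmz", "lan", "tcp", frozenset({5432}), DB_SERVER),    # app tier -> one DB host
    Rule("lan", "dmz", "tcp", frozenset({22, 443})),            # admin access into the DMZ
    Rule("lan", "internet"),                                    # outbound from the LAN
]

# Dual-firewall layout: each device only carries rules for the segments it sits between.
# lan->internet traffic crosses both devices, so both must permit it.
PERIMETER_ALLOW = [SINGLE_ALLOW[0], SINGLE_ALLOW[3]]
INTERNAL_ALLOW = [SINGLE_ALLOW[1], SINGLE_ALLOW[2], SINGLE_ALLOW[3]]
PATH = {  # firewalls a flow traverses, keyed by the unordered zone pair
    frozenset({"internet", "dmz"}): [PERIMETER_ALLOW],
    frozenset({"dmz", "lan"}): [INTERNAL_ALLOW],
    frozenset({"internet", "lan"}): [PERIMETER_ALLOW, INTERNAL_ALLOW],
}


def evaluate(pkt: Packet, rules) -> str:
    """One stateful firewall: replies of tracked flows pass; new flows need an allow rule."""
    if not pkt.new:
        return "ACCEPT"
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    return "ACCEPT" if any(r.matches(pkt, src_zone, dst_zone) for r in rules) else "DROP"


def decide_single(pkt: Packet) -> str:
    """Three-interface firewall with an anti-spoofing check: the source address
    must belong to the zone wired to the ingress interface."""
    if IFACE_ZONE.get(pkt.in_iface) != zone_of(pkt.src):
        return "DROP"
    return evaluate(pkt, SINGLE_ALLOW)


def decide_dual(pkt: Packet) -> str:
    """Every firewall on the path between the two zones must accept the flow."""
    firewalls = PATH.get(frozenset({zone_of(pkt.src), zone_of(pkt.dst)}), [])
    if not firewalls:
        return "DROP"   # same-zone or unknown pair: nothing to forward
    return "ACCEPT" if all(evaluate(pkt, fw) == "ACCEPT" for fw in firewalls) else "DROP"


# Constructed sample flows (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLES = {
    "web client -> DMZ web server":        Packet("eth0", "203.0.113.7", "192.0.2.10", "tcp", 443),
    "web client -> internal file server":  Packet("eth0", "203.0.113.7", "10.0.1.20", "tcp", 445),
    "DMZ web -> internal DB":              Packet("eth2", "192.0.2.10", DB_SERVER, "tcp", 5432),
    "DMZ web -> other internal host":      Packet("eth2", "192.0.2.10", "10.0.1.20", "tcp", 5432),
    "compromised DMZ host calls out":      Packet("eth2", "192.0.2.10", "198.51.100.5", "tcp", 443),
    "DMZ reply to web client":             Packet("eth2", "192.0.2.10", "203.0.113.7", "tcp", 51000, new=False),
    "LAN user browses the web":            Packet("eth1", "10.0.1.5", "198.51.100.5", "tcp", 443),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:36} single={decide_single(pkt):6} dual={decide_dual(pkt)}")
```

The anti-spoofing check in `decide_single` is the part practitioners most often forget when a single device serves all three zones: a packet claiming an internal source address but arriving on the internet-facing interface is dropped before any allow rule is consulted. The `new` flag stands in for connection tracking, which is what lets DMZ servers answer clients on the internet without a rule that would also let a compromised server dial out.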
Some of the various ways DMZs are used include the following:
A DMZ is a fundamental part of network security. These subnetworks create a layered security structure that lessens the chance of an attack and the severity if one happens. They are used to isolate a company’s outward-facing applications from the corporate network. If a system or application faces the public internet, it should be put in a DMZ.