DMZ: what the demilitarized zone in networks is about

The DMZ (Demilitarized Zone) is a key concept in computer security and network protection. It represents a separate, isolated network area positioned between a protected internal network and an external network, usually the Internet. The main objective of the DMZ is to provide an additional layer of security by separating critical and sensitive network resources from the untrusted external network.

In the context of a network architecture, the DMZ is designed to host services that must be accessible from the outside, such as Web servers, e-mail servers, FTP servers, and other publicly accessible services. These services are exposed in the DMZ, allowing outside people or organizations to access them without providing them with direct access to the internal network.

Placing resources in the DMZ offers several security advantages. First, it protects the internal network by isolating public services and limiting direct exposure to external attacks. If a server in the DMZ is compromised, access to the internal network remains protected because the DMZ acts as a buffer zone.

In addition, the DMZ allows stricter security rules to be enforced between the internal and external networks. This means that communications between systems in the DMZ and those in the internal network can be carefully controlled and filtered, reducing the risk of unauthorized access.

To provide this additional layer of security, security devices such as firewalls are deployed around the DMZ. These firewalls monitor and control the incoming and outgoing traffic between the internal network, the DMZ, and the external network.

It is important to note that the configuration and design of a DMZ must be based on an organization’s specific security needs and requirements. Security policies and access rules must be carefully defined and implemented to ensure effective protection.

A DMZ is a subnet that is located behind the firewall but is open to the public. By placing public services in a DMZ, an additional layer of security can be added to the LAN. The public can connect to services in the DMZ, but cannot penetrate the LAN. The DMZ must be configured to include all hosts that need to be exposed to the WAN (such as Web or e-mail servers).

Example with 1 public IP

Figure: DMZ with one public IP (source: Cisco)

In this scenario, the company has a single public IP address, 209.165.200.225, which serves both as the public IP address of the security device and as the public IP address of the Web server. The administrator configures the device's configurable port as the DMZ port. A firewall rule allows incoming HTTP traffic to the Web server at address 172.16.2.30. Internet users enter the domain name associated with the IP address 209.165.200.225 and are connected to the Web server. The same IP address is used for the WAN interface.

Example with 2 public IPs

Figure: DMZ with two public IPs (source: Cisco)

In this scenario, the ISP provided two static IP addresses: 209.165.200.225 and 209.165.200.226. The address 209.165.200.225 is used for the public IP address of the security device. The administrator configures the configurable port as the DMZ port and creates a firewall rule to allow incoming HTTP traffic to the Web server at address 172.16.2.30. The firewall rule specifies an external IP address of 209.165.200.226. Internet users enter the domain name associated with IP address 209.165.200.226 and can then connect to the Web server.
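To make the two scenarios concrete, the following added example (not from Cisco or from the original article) models the security device's behaviour in Python: the port-forward (DNAT) of TCP/80 to the Web server and a default-drop forwarding policy between the WAN, DMZ and LAN zones. The public addresses and the Web server 172.16.2.30 come from the text; the LAN range 192.168.1.0/24 and the Internet client 198.51.100.7 are constructed assumptions.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Addresses from the article; the LAN range is a constructed assumption.
DEVICE_WAN_IP = "209.165.200.225"
WEB_SERVER = "172.16.2.30"
DMZ_NET = ip_network("172.16.2.0/24")
LAN_NET = ip_network("192.168.1.0/24")

# Zone-to-zone forward policy: allowed TCP ports, or "any". Pairs that are
# absent (notably dmz->lan and wan->lan) are dropped, which is what stops a
# compromised DMZ host from reaching the LAN.
POLICY = {("wan", "dmz"): {80}, ("lan", "dmz"): "any", ("lan", "wan"): "any"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone(addr: str) -> str:
    ip = ip_address(addr)
    return "dmz" if ip in DMZ_NET else "lan" if ip in LAN_NET else "wan"


def dnat(flow: Flow, published_ip: str) -> Flow:
    """Prerouting: only TCP/80 to the published address is mapped to the Web server."""
    if flow.proto == "tcp" and flow.dport == 80 and flow.dst == published_ip:
        return replace(flow, dst=WEB_SERVER)
    return flow


def decide(flow: Flow, published_ip: str = DEVICE_WAN_IP):
    """Verdict for one new connection. published_ip is the device's own WAN
    address in the single-IP scenario and 209.165.200.226 in the two-IP one."""
    f = dnat(flow, published_ip)
    if f.dst == DEVICE_WAN_IP:
        return "drop", f  # untranslated traffic to the device itself is not forwarded
    allowed = POLICY.get((zone(f.src), zone(f.dst)), set())
    return ("accept" if allowed == "any" or f.dport in allowed else "drop"), f
```

In the single-IP scenario only TCP/80 to 209.165.200.225 reaches the Web server, while SSH to the same address stays at the device; in the two-IP scenario the forward is bound to 209.165.200.226 instead, and in both cases a connection from the Web server towards a LAN host is dropped.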

About Carlo Bazzo (17 articles)
Sysadmin & network eng. @Epysoft, editor @TheTechGoggler, CTO @HDEMO. Former developer @MSFT @GOOG. Former MOps consultant @XRX @HPQ. LinkedIn: it.linkedin.com/in/carlobazzo