A demilitarized zone (DMZ) is a network segment separate from other networks. Many organizations use them to separate their local area networks (LANs) from the Internet. This puts additional security between your corporate network and the public Internet. It can also be used to separate a specific machine from the rest of a network, moving it outside the protection of a firewall.
A Demilitarized Zone (DMZ) can be used for security purposes.
Frequent Uses
Common items placed in a DMZ are public servers. For example, if an organization maintains its website on a server, that server can be placed in a demilitarized zone together with other public-facing machines. That way, if a malicious attack compromises the machine, the rest of the company network remains protected. A computer can also be placed in a DMZ outside of a network to test for connectivity problems caused by the firewall that protects the rest of the system.
If an organization maintains its website on a server, the web server can be placed in a demilitarized zone that is separate from the other networks.
Router configuration and functionality
When connecting a LAN to the Internet, a router provides the physical connection to the public Internet and firewall software provides a gateway that prevents malicious data from entering the network. One firewall port typically connects to the internal network using an internal (private) address, allowing traffic from internal users to reach the Internet. Another port is usually configured with a public address, which allows Internet traffic to reach the system. Together, these two ports carry incoming and outgoing data between the network and the Internet.
Purpose of a demilitarized zone
By creating a DMZ, an organization adds another network segment or subnetwork that is still part of the overall system but is not directly connected to the internal network. Adding a DMZ uses a third interface port on the firewall. This configuration allows the firewall to exchange data with the general network and with the isolated machine using network address translation (NAT). The firewall generally does not protect the isolated system, allowing it to connect more directly to the Internet.
NAT functionality
Network address translation allows data received on a particular port or interface to be routed to a specific network. For example, when someone visits an organization’s website, their browser’s request is directed to the server that hosts the website. If the organization keeps its web server in a DMZ, the firewall knows that all traffic sent to the public address associated with the website must go to the server in the DMZ, rather than directly into the organization’s internal network.
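The three-interface layout described above (LAN, DMZ and Internet on one firewall, with NAT steering web traffic to the DMZ server) can be expressed as an nftables ruleset. This is an added example, not configuration from the original article; the interface names (eth0/eth1/eth2) and all addresses are constructed for illustration.

```nftables
#!/usr/sbin/nft -f
# Assumed (constructed) interfaces and addresses:
#   eth0 = WAN, public address 198.51.100.10
#   eth1 = LAN, 192.168.10.0/24
#   eth2 = DMZ, 192.168.20.0/24, web server at 192.168.20.10
define wan_if = "eth0"
define lan_if = "eth1"
define dmz_if = "eth2"
define public_ip = 198.51.100.10
define web_srv = 192.168.20.10

flush ruleset

table ip dmz_fw {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # NAT: the public web address maps onto the DMZ server, never onto the LAN
        iifname $wan_if ip daddr $public_ip tcp dport { 80, 443 } dnat to $web_srv
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Outbound LAN and DMZ traffic leaves under the firewall's public address
        oifname $wan_if masquerade
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Internal users may reach the Internet and the DMZ
        iifname $lan_if oifname $wan_if accept
        iifname $lan_if oifname $dmz_if accept

        # The Internet may reach only the published web service on the DMZ host
        iifname $wan_if oifname $dmz_if ip daddr $web_srv tcp dport { 80, 443 } ct state new accept

        # A compromised DMZ host must not be able to open connections into the LAN;
        # the drop is already the chain policy, but stating it keeps the intent explicit
        iifname $dmz_if oifname $lan_if drop
        iifname $dmz_if oifname $wan_if accept
    }
}
```

Load it with `nft -f` on the firewall host; the forward chain's default drop and the explicit DMZ-to-LAN drop are what keep a compromised DMZ server from reaching the internal network.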
Disadvantages and other methods
Since the DMZ computer is outside the protection of the firewall, it may be vulnerable to attack by malicious programs or hackers. Businesses and individuals should not store sensitive data on this type of system and should be aware that a compromised machine could be used to “attack” the rest of the network. Many network professionals recommend “port forwarding” instead for people with network or connection problems. This provides specific, targeted access to certain network ports without completely opening up the system.