DMZ (Demilitarized Zone)
A DMZ (Demilitarized Zone) is a perimeter network segment that sits between an organization's internal network and the external internet, hosting public-facing services while providing an additional layer of security isolation.
The DMZ is a fundamental network architecture concept designed to protect internal resources by creating a buffer zone for services that must be accessible from the internet. Web servers, email servers, DNS servers, and reverse proxies are commonly placed in the DMZ, allowing external users to access these services without granting direct access to the internal network.
A typical DMZ implementation uses two firewalls: an external firewall between the internet and the DMZ, and an internal firewall between the DMZ and the private network. Traffic rules are configured so that external users can reach DMZ services, DMZ servers can open only the limited, explicitly permitted connections to internal resources that they need, and direct traffic from the internet to the internal network is blocked.
Best practices for DMZ design include minimizing the number of services hosted in the DMZ, hardening all DMZ systems, restricting DMZ-to-internal traffic to specific ports and protocols, monitoring all traffic crossing DMZ boundaries, regularly patching and updating DMZ systems, and implementing separate authentication for DMZ and internal resources. A well-designed DMZ significantly reduces the risk of a compromised public-facing service leading to a full internal network breach.
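To make the two-firewall rule set described above concrete, here is an added policy model (example code, not from the original page) that evaluates new connections between the three zones against a default-deny allow list and flags the denied boundary crossings for monitoring. The address ranges, ports and services are constructed assumptions, not values from the page.

```python
from ipaddress import ip_address, ip_network

# Constructed address plan for the three zones (assumption, not from the page).
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),
    "internal": ip_network("10.0.0.0/8"),
}

# Allow list: (source zone, destination zone, protocol, destination ports).
# Anything not matched is denied, including every internet -> internal flow.
ALLOW_RULES = [
    ("internet", "dmz", "tcp", {80, 443}),   # web servers / reverse proxy
    ("internet", "dmz", "tcp", {25}),        # inbound mail relay
    ("internet", "dmz", "udp", {53}),        # authoritative DNS
    ("dmz", "internal", "tcp", {5432}),      # web tier -> database only
    ("internal", "dmz", "tcp", {22}),        # admin access from inside
    ("internal", "internet", "tcp", {443}),  # outbound browsing
]

def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside DMZ/internal is internet."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"

def evaluate(src: str, dst: str, proto: str, dport: int) -> tuple[str, str]:
    """Return ('allow'|'deny', reason) for a new connection src -> dst:dport."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return "allow", f"intra-zone {src_zone} traffic is not filtered here"
    for s, d, p, ports in ALLOW_RULES:
        if (s, d, p) == (src_zone, dst_zone, proto) and dport in ports:
            return "allow", f"{s}->{d} {p}/{dport} matches an allow rule"
    return "deny", f"no rule for {src_zone}->{dst_zone} {proto}/{dport} (default deny)"

def audit(flows):
    """Return the denied boundary crossings: the events worth alerting on."""
    return [f for f in flows if evaluate(*f)[0] == "deny"]

# Constructed sample flows (src, dst, proto, dport); addresses are documentation ranges.
SAMPLE_FLOWS = [
    ("198.51.100.7", "192.0.2.10", "tcp", 443),  # public user -> DMZ web: allowed
    ("198.51.100.7", "10.0.0.5", "tcp", 445),    # internet -> internal: blocked
    ("192.0.2.10", "10.0.0.5", "tcp", 5432),     # DMZ web -> database: allowed
    ("192.0.2.10", "10.0.0.5", "tcp", 22),       # DMZ host reaching for SSH: denied
]
```

Running `audit(SAMPLE_FLOWS)` returns the two denied flows; the last one is the kind of DMZ-to-internal attempt that boundary monitoring should surface, since a hardened web tier has no reason to originate it.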