A demilitarized zone (DMZ) is a network segment separate from other networks. Many organizations use them to separate their local area networks (LAN) from the Internet. This puts additional security between your corporate network and the public Internet. It can also be used to separate a specific machine from the rest of a network by moving it outside the protection of a firewall.
A Demilitarized Zone (DMZ) can be used for security purposes.
Common items placed in a DMZ are public-facing servers. For example, if an organization maintains its website on a server, that server could be placed in a computer “Demilitarized Zone”. That way, if a malicious attack compromises the machine, the rest of the company’s network will remain safe from harm. One can also place a computer in a DMZ outside of a network to test for connectivity issues created by a firewall that protects the rest of the system.
If an organization maintains its website on a server, the web server can be placed on a “Demilitarized Zone” computer separate from other networks.
Router configuration and functionality
When connecting a LAN to the Internet, a router provides a physical connection to the public Internet and firewall software provides a gateway to prevent malicious data from entering the network. A port on the firewall usually connects to the network using an internal address, allowing traffic sent by individuals to reach the Internet. Another port is usually configured with a public address, which allows Internet traffic to reach the system. These two ports allow incoming and outgoing data to communicate between the network and the Internet.
Purpose of a demilitarized zone
When creating a DMZ, an organization adds another network segment or subnet that is still part of the system but not directly connected to the network. Adding a DMZ uses a third interface port on the firewall. This configuration allows the firewall to exchange data with the general network and with the isolated machine using Network Address Translation (NAT). The firewall usually does not protect the isolated system, allowing it to connect more directly to the Internet.
Network address translation allows data received on a particular port or interface to be routed to a specific network. For example, when someone visits an organization’s website, their browser is sent to the server hosting the website. If this organization keeps its web server in a DMZ, the firewall knows that all traffic sent to the address associated with your website should be passed to the server that is in the DMZ, rather than directly to the organization’s internal network.
Disadvantages and other methods
As the DMZ computer is outside the firewall’s protection, it can be vulnerable to attack by malicious programs or hackers. Companies and individuals should not store sensitive data on this type of system and know that such a machine could potentially be corrupted and “attack” the rest of the network. Many network professionals recommend “port forwarding” for people with network or connection issues. This provides specific and targeted access to certain network ports without fully opening the system.