In computer networks, a DMZ or Demilitarized Zone is a physical or logical sub-network that contains an organization's external services, exposed largely to an untrusted network such as the Internet. It prevents outside users from getting direct access to a server that holds company data. In other words, "demilitarised zone" or DMZ refers to this isolated zone that hosts the applications made available to the public. It is also sometimes referred to as a Perimeter Network.
The purpose of a DMZ is to add an additional layer of security to an organization’s Local Area Network (LAN); an external attacker only has access to equipment in the DMZ, rather than any other part of the network.
Users of the public network outside the company can access only the DMZ host. This zone typically also holds the company's Web pages so that they can be served to the outside world. However, the DMZ provides access to no other company data: if an outside user penetrated the host's security, the Web pages might be corrupted, but no other company information would be exposed.
The security policy for the DMZ is generally the following:
- Traffic from the external network to the DMZ is authorised
- Traffic from the external network to the internal network is prohibited
- Traffic from the internal network to the DMZ is authorised
- Traffic from the internal network to the external network is authorised
- Traffic from the DMZ to the internal network is prohibited
- Traffic from the DMZ to the external network is denied
Thus, the DMZ has an intermediate security level that is not high enough for storing critical company data. Note that demilitarized zones can also be set up internally, in order to divide the internal network into segments with varying levels of protection and limit internal intrusions.
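As an added example (not part of the original article), the six rules of the policy above expressed as a default-deny zone matrix and evaluated against constructed sample flows; the zone address ranges are assumptions, and any address outside them is treated as the external network:

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample addressing for the trusted zones (assumption, not from the article).
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
}

# The six policy rules, keyed by (source zone, destination zone).
# Any pair not listed falls through to the default deny in is_allowed().
POLICY: Dict[Tuple[str, str], bool] = {
    ("external", "dmz"): True,        # authorised
    ("external", "internal"): False,  # prohibited
    ("internal", "dmz"): True,        # authorised
    ("internal", "external"): True,   # authorised
    ("dmz", "internal"): False,       # prohibited
    ("dmz", "external"): False,       # denied
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known ranges is external."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def is_allowed(src_ip: str, dst_ip: str) -> bool:
    """Apply the zone policy to a flow; cross-zone pairs not in POLICY are denied."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True  # intra-zone traffic is not governed by the DMZ policy
    return POLICY.get((src, dst), False)


def audit(flows: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (src, dst, verdict) for each sample flow, e.g. for a rule review."""
    return [(s, d, "allow" if is_allowed(s, d) else "deny") for s, d in flows]


if __name__ == "__main__":
    # Constructed flows: public client, DMZ web host, internal file server.
    for row in audit([("203.0.113.5", "192.168.100.10"),
                      ("192.168.100.10", "10.0.0.5"),
                      ("10.0.0.5", "203.0.113.5")]):
        print(row)
```

The second sample flow shows the key property of the policy: a DMZ host that has been compromised still cannot open connections into the internal network.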