In computer security, a DMZ or demilitarized zone is a physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted, usually larger, network such as the Internet. A DMZ network is a perimeter network that protects an organization's internal LAN from untrusted traffic. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN). The DMZ functions as a small, isolated network positioned between the Internet and the private network. The main benefit of a DMZ is to give the internal network an additional security layer by restricting access to sensitive data and servers. A DMZ lets website visitors obtain certain services while providing a buffer between them and the organization's private network. A DMZ configuration provides additional security against external attacks, but it typically has no bearing on internal attacks such as sniffing communication with a packet analyzer or spoofing such as e-mail spoofing. Some of the various ways DMZs are used include the following:
- Enabling access control: Businesses can provide users with access to services outside their network perimeter through the public Internet. The DMZ enables access to these services while implementing network segmentation to make it more difficult for an unauthorized user to reach the private network.
- Providing increased network segmentation: A DMZ network provides access control to services outside an organization's network perimeter that are accessed from the Internet. It simultaneously introduces a level of network segmentation that increases the number of obstacles a user must bypass before gaining access to an organization's private network.
- Protecting the hosts most vulnerable to attack: The DMZ network exists to protect the hosts most vulnerable to attack, such as e-mail, web and DNS servers. These hosts are placed into the monitored subnetwork to help protect the rest of the network if they become compromised.
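As an added illustration (not part of the original article), the following Python model encodes the three-zone policy described above as a first-match rule table and checks the invariants a DMZ is meant to enforce: the Internet reaches only published DMZ ports, neither the Internet nor the DMZ may initiate connections into the LAN, and intra-LAN traffic is never mediated at all. The rules, zone names and the `evaluate`/`dmz_violations` helpers are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    src: str              # zone a connection originates from
    dst: str              # zone it is destined for
    port: Optional[int]   # TCP/UDP destination port; None matches any port
    action: str           # "accept" or "drop"

# Constructed three-zone policy (Internet / DMZ / LAN). First match wins and
# anything unmatched is dropped, as on a typical stateful perimeter firewall.
DMZ_POLICY = [
    Rule("internet", "dmz", 80, "accept"),    # public web server
    Rule("internet", "dmz", 443, "accept"),
    Rule("internet", "dmz", 25, "accept"),    # inbound mail relay
    Rule("internet", "dmz", 53, "accept"),    # authoritative DNS
    Rule("dmz", "internet", None, "accept"),  # DMZ hosts may initiate outbound
    Rule("lan", "dmz", None, "accept"),       # internal users reach DMZ services
    Rule("lan", "internet", None, "accept"),
    # Deliberately absent: internet->lan and dmz->lan. Default deny is what
    # keeps a compromised DMZ host from reaching the private network.
]

# A common weakening: letting the DMZ web tier talk straight to an internal DB.
WEAK_POLICY = DMZ_POLICY + [Rule("dmz", "lan", 3306, "accept")]

def evaluate(policy, src, dst, port):
    """Return the firewall's decision for a new connection src -> dst:port."""
    if src == dst:
        # Traffic inside one zone never crosses the perimeter firewall, which
        # is why a DMZ does nothing against sniffing or spoofing within the LAN.
        return "unfiltered"
    for rule in policy:
        if rule.src == src and rule.dst == dst and rule.port in (None, port):
            return rule.action
    return "drop"

def dmz_violations(policy, published_ports):
    """List flows that break the DMZ invariants, across all destination ports."""
    problems = []
    for port in range(1, 65536):
        if evaluate(policy, "internet", "lan", port) == "accept":
            problems.append(f"internet->lan:{port}")
        if evaluate(policy, "dmz", "lan", port) == "accept":
            problems.append(f"dmz->lan:{port}")
        if port not in published_ports and evaluate(policy, "internet", "dmz", port) == "accept":
            problems.append(f"internet->dmz:{port}")
    return problems
```

Running `dmz_violations(WEAK_POLICY, {80, 443, 25, 53})` flags the DMZ-to-LAN database hole, the kind of rule that turns a compromised web server into a path into the private network, while the strict policy reports nothing.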