In computer security, a DMZ or demilitarized zone is a physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted, usually larger, network such as the Internet. A DMZ network is a perimeter network that protects an organization's internal LAN from untrusted traffic. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN): an external network node can access only what is exposed in the DMZ, while the rest of the organization's network is protected behind a firewall.
A DMZ configuration provides additional security from external attacks, but it typically has no bearing on internal attacks such as sniffing communication via a packet analyzer or spoofing such as e-mail spoofing. DMZs provide a level of network segmentation that helps protect internal corporate networks. These subnetworks restrict remote access to internal servers and resources, making it difficult for attackers to reach the internal network.
Some of the benefits of a DMZ include:
- Enabling access control: Businesses can provide users with access to services outside the perimeters of their network through the public internet. The DMZ enables access to these services while implementing network segmentation to make it more difficult for an unauthorized user to reach the private network.
- Providing an internal network with an advanced security layer by restricting access to sensitive data and servers.
- Protecting the hosts most vulnerable to attack, such as email, web servers, and DNS servers.
DMZs are an essential part of network protection for both individual users and large organizations.
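The segmentation described above can be made concrete with a small zone-based packet-filter model. The following is an added example, not code from the original article or from any particular firewall product; the zone names, address ranges, port numbers and rule sets are constructed for illustration. It evaluates a first-match firewall policy for a three-legged layout (internet, DMZ, internal) and contrasts it with a flat layout where the web server sits on the internal LAN, showing why a compromised DMZ host reaches less than a compromised LAN host, and also why the DMZ does nothing for traffic that stays inside the LAN.

```python
"""Zone-based packet-filter model of a three-legged DMZ (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing plan: one subnet per trusted zone. Anything outside
# these ranges is treated as the untrusted "internet" zone.
ZONES = {
    "internal": ip_network("10.0.0.0/24"),
    "dmz": ip_network("192.0.2.0/24"),  # RFC 5737 documentation range
}


def zone_of(addr: str) -> str:
    """Map an IP address to its zone; unknown addresses are untrusted."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str        # zone name or "*" for any
    dst_zone: str        # zone name or "*" for any
    dst_ports: frozenset  # empty set means any destination port
    action: str          # "allow" or "deny"

    def matches(self, src_zone: str, dst_zone: str, port: int) -> bool:
        return (self.src_zone in ("*", src_zone)
                and self.dst_zone in ("*", dst_zone)
                and (not self.dst_ports or port in self.dst_ports))


# Policy with a DMZ: first match wins, explicit default deny at the end.
# Only the published services are reachable from the internet, and DMZ
# hosts may initiate just one narrowly scoped flow into the LAN.
DMZ_POLICY = [
    Rule("internet", "dmz", frozenset({80, 443}), "allow"),  # public web service
    Rule("internet", "dmz", frozenset({25}), "allow"),       # inbound mail relay
    Rule("dmz", "internal", frozenset({5432}), "allow"),     # web tier -> database only
    Rule("internal", "dmz", frozenset(), "allow"),           # admins manage DMZ hosts
    Rule("internal", "internet", frozenset(), "allow"),      # outbound access
    Rule("internal", "internal", frozenset(), "allow"),      # LAN traffic is not filtered
    Rule("*", "*", frozenset(), "deny"),
]

# Flat layout with no DMZ: the web server lives on the internal LAN and the
# firewall simply forwards 80/443 to it.
FLAT_POLICY = [
    Rule("internet", "internal", frozenset({80, 443}), "allow"),
    Rule("internal", "internal", frozenset(), "allow"),
    Rule("internal", "internet", frozenset(), "allow"),
    Rule("*", "*", frozenset(), "deny"),
]


def decide(policy, src: str, dst: str, port: int) -> str:
    """Return the action of the first rule matching a src->dst:port flow."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for rule in policy:
        if rule.matches(src_zone, dst_zone, port):
            return rule.action
    return "deny"  # implicit default if a policy forgets its final deny


def reachable_from(policy, host: str, targets) -> list:
    """List (target, port) pairs a given host could open under the policy.

    Used to compare the exposure of a compromised host in each layout."""
    return [(dst, port) for dst, port in targets
            if decide(policy, host, dst, port) == "allow"]


if __name__ == "__main__":
    # Constructed internal assets: a file server and a database server.
    lan_targets = [("10.0.0.50", 445), ("10.0.0.20", 5432)]
    print("DMZ web server can reach:", reachable_from(DMZ_POLICY, "192.0.2.10", lan_targets))
    print("Flat-LAN web server can reach:", reachable_from(FLAT_POLICY, "10.0.0.80", lan_targets))
    print("Internet -> LAN file share:", decide(DMZ_POLICY, "203.0.113.5", "10.0.0.50", 445))
    print("LAN -> LAN file share:", decide(DMZ_POLICY, "10.0.0.7", "10.0.0.50", 445))
```

The `reachable_from` comparison is the check worth running when reviewing a firewall design: under `DMZ_POLICY` the web server reaches only the database port it needs, whereas under `FLAT_POLICY` the same server reaches every internal host. The last line shows the caveat from the article: a LAN-to-LAN flow is allowed by the DMZ policy unchanged, so the DMZ gives no protection against an attacker who is already inside the LAN.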