What is a DMZ (Demilitarized Zone) in Networking?


The Demilitarized Zone (DMZ) is an independent network that acts as a buffer zone between an external network and the internal network. The buffer network contains, for example, web servers or mail servers whose communication is monitored by firewalls.

A DMZ (Demilitarized Zone) is a buffer zone between external and internal networks. It can be set up with a single-tier or two-tier firewall concept.

What is a DMZ?

The abbreviation DMZ stands for Demilitarized Zone and refers to a separately controlled network located between the external network (the Internet) and the internal network. It acts as a buffer zone that keeps the two networks apart by means of firewalls and strict communication rules.

The demilitarized zone contains servers such as web servers, mail servers, authentication servers, or application gateways. Only these are accessible to users from the Internet. By separating the DMZ from the internal network, external users cannot access internal resources. The private network remains protected from attacks from the Internet or from overloading by Internet requests. The Demilitarized Zone can be separated from the adjacent networks by one or more firewalls.

Firewall rules for the connection to the Demilitarized Zone

The firewall rules for the Demilitarized Zone enforce the following communication paths:

  • Users from the Internet may only reach servers in the Demilitarized Zone, never resources on the internal network.
  • Users on the internal network usually do not communicate directly with resources on the Internet. They reach external resources through a proxy server in the DMZ, for example, which handles the communication with the Internet on their behalf.
  • Packets leaving the Demilitarized Zone that do not belong to an existing inbound connection are discarded by the firewall, whether they are headed for the Internet or for the internal network.
  • Exceptions to these basic rules exist, for example to connect application servers in the DMZ to internal databases. Such exceptions are configured deliberately by the firewall administrator.
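The rules above can be read as a stateful, zone-based policy. The following Python model is an added example (not code from the original article) that encodes them for the single-firewall layout described later on this page: one firewall with three ports facing the Internet, the DMZ and the internal network. The address ranges, the web, mail, proxy and database hosts, the port numbers and the sample packets are all constructed for illustration; the two egress rules for the DMZ proxy are an assumed administrator exception of the kind the last bullet describes, since the proxy must open its own connections to the Internet to serve internal users.

```python
"""Stateful zone policy for a three-legged DMZ firewall (added example).

Assumed address plan (constructed for this example):
  external: anything not in the other two zones (the Internet)
  dmz:      192.0.2.0/24
  internal: 10.10.0.0/16
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ZONES = {
    "dmz": ip_network("192.0.2.0/24"),
    "internal": ip_network("10.10.0.0/16"),
}

# Constructed hosts.
WEB_SERVER = "192.0.2.10"
MAIL_SERVER = "192.0.2.25"
PROXY = "192.0.2.50"        # forward proxy in the DMZ used by internal users
DB_SERVER = "10.10.5.20"    # internal database reachable only from the web server


def zone_of(ip: str) -> str:
    """Map an address to its firewall port; unknown addresses count as Internet."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def _matches(selector: str, ip: str) -> bool:
    """A selector is either a zone name or a specific host address."""
    return selector == ip or selector == zone_of(ip)


# Flows that may be opened (source selector, destination selector, dest port).
ALLOW_NEW = [
    ("external", WEB_SERVER, 80),    # rule 1: Internet reaches only published DMZ services
    ("external", WEB_SERVER, 443),
    ("external", MAIL_SERVER, 25),
    ("internal", PROXY, 3128),       # rule 2: internal users go out via the DMZ proxy
    (WEB_SERVER, DB_SERVER, 5432),   # rule 4: admin exception, app server -> internal DB
    (PROXY, "external", 80),         # assumed admin exception: proxy egress to the Internet
    (PROXY, "external", 443),
]


class DmzFirewall:
    def __init__(self) -> None:
        self.conntrack: set = set()  # 5-tuples of flows that were accepted as NEW

    def filter(self, pkt: Packet) -> str:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Replies to an accepted flow pass in either direction (rule 3 in reverse).
        if fwd in self.conntrack or rev in self.conntrack:
            return "ACCEPT:established"
        for src_sel, dst_sel, dport in ALLOW_NEW:
            if _matches(src_sel, pkt.src) and _matches(dst_sel, pkt.dst) and pkt.dport == dport:
                self.conntrack.add(fwd)
                return "ACCEPT:new"
        # Default deny: this covers Internet -> internal, internal -> Internet
        # directly, and any DMZ host opening an unsolicited connection (rule 3).
        return "DROP"


def evaluate_sample_traffic() -> dict:
    """Run constructed packets through a fresh firewall; returns label -> verdict."""
    fw = DmzFirewall()
    client = "203.0.113.7"          # constructed Internet client
    samples = [
        ("internet->web 443", Packet(client, 51000, WEB_SERVER, 443)),
        ("web 443->internet reply", Packet(WEB_SERVER, 443, client, 51000)),
        ("internet->internal db", Packet(client, 51001, DB_SERVER, 5432)),
        ("internal->internet direct", Packet("10.10.1.5", 40000, client, 443)),
        ("internal->dmz proxy", Packet("10.10.1.5", 40001, PROXY, 3128)),
        ("proxy->internet", Packet(PROXY, 42000, client, 443)),
        ("web->internal db", Packet(WEB_SERVER, 43000, DB_SERVER, 5432)),
        ("mail->internal smb unsolicited", Packet(MAIL_SERVER, 44000, "10.10.1.5", 445)),
        ("web->internet unsolicited", Packet(WEB_SERVER, 45000, "203.0.113.9", 22)),
    ]
    return {label: fw.filter(pkt) for label, pkt in samples}


if __name__ == "__main__":
    for label, verdict in evaluate_sample_traffic().items():
        print(f"{label:32s} {verdict}")
```

The conntrack set is what turns the third bullet into something enforceable: the reply from the web server is accepted only because the client's inbound packet was accepted first, while a DMZ host opening a fresh connection toward the LAN or the Internet falls through to the default drop. Every line in ALLOW_NEW is an explicit decision, which is how the fourth bullet's exceptions stay visible and reviewable.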

The DMZ with one or two firewalls

A demilitarized zone can be implemented with one or two firewalls.

If two firewalls are used, one sits between the DMZ and the internal network (the inner firewall) and the other between the DMZ and the external network (the outer firewall). Ideally, the two firewalls come from different manufacturers, so that a single vulnerability is less likely to let an attacker get past both of them at once.

A more cost-effective solution is to implement the demilitarized zone with a single firewall. This firewall has at least three network ports, to which the internal network, the external network, and the demilitarized zone are connected. In this case, one firewall alone inspects all traffic between the three networks.

The Exposed Host as a low-cost alternative to a Demilitarized Zone

Inexpensive routers, such as those used for private Internet access, often advertise DMZ support. However, this is usually not a true demilitarized zone, but an exposed host.

If an Exposed Host is configured, the router forwards all traffic from the Internet that does not belong to an existing connection to a single computer or server, which is then reachable from the Internet. Unlike a DMZ host, however, the exposed host is not separated from the LAN and therefore does not provide the same level of protection as a DMZ.