What is Demilitarized Zone
Demilitarized Zone: In computer networks, a DMZ (demilitarized zone) is a host or small network placed as a "neutral zone" between an organization's private internal network and the outside public network, usually the Internet.
- It prevents outside users from getting direct access to servers that hold company data: the public-facing services sit in the DMZ, and the internal servers behind it are never reachable directly from the outside.
- A DMZ is an optional addition to a firewall, not a substitute for one: it is the segment the firewall isolates, and the host placed in it often also acts as a proxy (bastion host) for traffic in both directions.
- It is often connected to a multi-homed (three-legged) firewall, a single firewall with separate interfaces for the outside network, the inside network and the DMZ, but it can also be placed in a screened subnet.
- In a screened subnet, a simple screening firewall, generally a stateless packet filter, sits between the Internet and the DMZ and drops everything that is not addressed to a published service, along with malformed or spoofed packets.
- Behind the DMZ a second, more capable firewall (the screened firewall) separates the DMZ from the internal network; because the DMZ hosts need only a handful of connections inward, its rules can be very narrow.
- This two-firewall setup is more expensive, but it has several benefits: the outer filter absorbs the bulk of junk traffic, which improves performance and lowers the load on the more advanced inner firewall, and a flaw in one firewall does not by itself expose the internal network.
- In a typical DMZ configuration for a small company, a separate host in the DMZ receives requests from users on the private network for access to Web sites or other public-network resources. The DMZ host then initiates sessions for these requests on the public network on their behalf, acting as a proxy, so internal machines never connect to the Internet directly.
- Users of the public network outside the company can reach only the DMZ host, never the internal network.
- The DMZ may also hold the company's public Web pages so they can be served to the outside world.
- The DMZ itself holds no other company data.
- If an outside user penetrated the DMZ host's security, the Web pages might be defaced, but no other company information should be exposed. This holds only as long as the firewall between the DMZ and the internal network permits exactly the few connections the DMZ hosts genuinely need: a compromised DMZ host is the attacker's pivot point, so the DMZ-to-internal rules deserve the most scrutiny.
- Any service that is provided to users on the external network can be placed in the DMZ. The most common of these services are:
  - Web servers
  - Mail servers
  - FTP servers
  - VoIP servers
- Web servers that talk to an internal database need access to a database server, which should not be publicly reachable and usually holds sensitive data. The web server reaches the database server either directly, through a tightly scoped firewall rule (only the web server's address, only the database port), or through an application-layer firewall or database proxy that inspects the queries.
- E-mail messages, and particularly the user database, are confidential, so they are stored on servers that cannot be reached from the Internet. The Internet-facing mail server in the DMZ accepts inbound mail and relays it to the internal mail store; that relay connection is the only one the mail server needs toward the inside.
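As an added example (not part of the original page), the following Python model captures the ruleset a three-legged or screened-subnet firewall enforces, covering both the zoning described above and the web-to-database and mail-relay-to-mail-store flows just listed. The addresses, host names (WEB, DB, MAIL_RELAY, MAILSTORE, PROXY), ports and interface assignments are constructed for the illustration; the model evaluates connection initiations only, since a stateful firewall admits the return half of an allowed connection on its own. The pivot_surface function answers the question a reviewer asks of any DMZ design: what can a compromised DMZ host initiate toward the internal network?

```python
"""Policy model of a three-legged DMZ firewall: zones, first-match rules, default deny."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example addressing (assumed, not from the page):
# eth0 = Internet, eth1 = DMZ 192.0.2.0/24 (RFC 5737), eth2 = internal 10.0.0.0/8.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}

WEB = "192.0.2.10"         # public web server (DMZ)
MAIL_RELAY = "192.0.2.25"  # Internet-facing MTA (DMZ)
PROXY = "192.0.2.30"       # outbound web proxy used by internal users (DMZ)
DB = "10.0.1.5"            # database behind the web server (internal)
MAILSTORE = "10.0.1.20"    # mailbox server holding the user database (internal)


def zone_of(ip: str) -> str:
    """Map an address to its firewall leg; anything outside the private legs is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    ports: frozenset
    action: str                      # "allow" or "deny"
    src_host: Optional[str] = None   # None means any host in src_zone
    dst_host: Optional[str] = None   # None means any host in dst_zone

    def matches(self, src: str, dst: str, proto: str, port: int) -> bool:
        return (zone_of(src) == self.src_zone and zone_of(dst) == self.dst_zone
                and proto == self.proto and port in self.ports
                and (self.src_host is None or src == self.src_host)
                and (self.dst_host is None or dst == self.dst_host))


# First match wins; there is deliberately no Internet -> internal rule of any kind.
RULES = [
    # Published services: the outside world may reach only these DMZ hosts and ports.
    Rule("internet", "dmz", "tcp", frozenset({80, 443}), "allow", dst_host=WEB),
    Rule("internet", "dmz", "tcp", frozenset({25}), "allow", dst_host=MAIL_RELAY),
    # Screened (inner) firewall: each DMZ host reaches exactly one internal backend.
    Rule("dmz", "internal", "tcp", frozenset({5432}), "allow", src_host=WEB, dst_host=DB),
    Rule("dmz", "internal", "tcp", frozenset({25}), "allow", src_host=MAIL_RELAY, dst_host=MAILSTORE),
    # Internal users browse via the DMZ proxy; only the proxy may initiate to the Internet.
    Rule("internal", "dmz", "tcp", frozenset({3128}), "allow", dst_host=PROXY),
    Rule("dmz", "internet", "tcp", frozenset({80, 443}), "allow", src_host=PROXY),
]


def evaluate(src: str, dst: str, proto: str = "tcp", port: int = 0):
    """Return (action, index of the matching rule); unmatched traffic is dropped."""
    for i, rule in enumerate(RULES):
        if rule.matches(src, dst, proto, port):
            return rule.action, i
    return "deny", None


def pivot_surface(compromised_host: str, targets, ports=(22, 25, 80, 443, 445, 3389, 5432)):
    """Enumerate the internal (target, port) pairs a compromised DMZ host could initiate to."""
    return sorted((t, p) for t in targets for p in ports
                  if evaluate(compromised_host, t, "tcp", p)[0] == "allow")


if __name__ == "__main__":
    outsider = "203.0.113.7"  # constructed external address (RFC 5737)
    for flow in [(outsider, WEB, 443), (outsider, WEB, 22), (outsider, DB, 5432),
                 (WEB, DB, 5432), (WEB, MAILSTORE, 25), ("10.0.5.9", outsider, 443)]:
        print(flow, "->", evaluate(*flow[:2], port=flow[2]))
    print("web server pivot surface:", pivot_surface(WEB, [DB, MAILSTORE]))
```

The point of the pivot_surface check is that the answer should be exactly the backend connection each DMZ host was placed there to make, and nothing else; if an audit of a real ruleset returns more than that, the "no other company information would be exposed" promise above no longer holds.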