
In computer security, a demilitarized zone (DMZ) or perimeter network is a network area (a subnetwork) that sits between an organization's internal network and an external network, usually the Internet. The point of a DMZ is that connections from the internal and the external network to the DMZ are permitted, whereas connections from the DMZ are only permitted to the external network -- hosts in the DMZ may not connect to the internal network. This allows the DMZ's hosts to provide services to the external network while protecting the internal network in case intruders compromise a host in the DMZ. For someone on the external network who wants to illegally connect to the internal network, the DMZ is a dead end.

The DMZ is typically used for connecting servers that need to be accessible from the outside world, such as e-mail, web and DNS servers.

Connections from the external network to the DMZ are usually controlled using port address translation (PAT).

A DMZ is often created through a configuration option on the firewall, where each network is connected to a different port on the firewall; this is called a three-legged firewall set-up. A stronger approach is to use two firewalls, with the DMZ in the middle and connected to both: one firewall is connected to the internal network and the other to the external network. This helps prevent an accidental misconfiguration that would allow access from the external network to the internal network. This type of setup is also referred to as a screened-subnet firewall.
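The connection rule from the opening paragraph can be checked mechanically against a firewall rule set, which is how the misconfigurations mentioned above are usually caught. The following is an added example, not part of the original article: the zone addresses, the rule tuples and the function names `zones_of` and `audit` are all constructed for illustration, and each allow rule is judged on its own without modelling rule order.

```python
import ipaddress

# Constructed addressing plan and rule set (assumptions, not from the article).
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/24"),
    "dmz": ipaddress.ip_network("192.168.50.0/24"),
}
# Flows the DMZ design must never permit: (source zone, destination zone).
FORBIDDEN = {("dmz", "internal"), ("external", "internal")}

RULES = [  # (action, source CIDR, destination CIDR, destination port)
    ("allow", "0.0.0.0/0", "192.168.50.10/32", 443),      # anyone -> DMZ web
    ("allow", "10.0.0.0/24", "192.168.50.0/24", 22),      # internal -> DMZ
    ("allow", "192.168.50.0/24", "203.0.113.53/32", 53),  # DMZ -> external
    ("allow", "192.168.50.10/32", "10.0.0.5/32", 3306),   # DMZ -> internal
    ("allow", "0.0.0.0/0", "10.0.0.20/32", 3389),         # any -> internal
    ("deny", "0.0.0.0/0", "0.0.0.0/0", 0),                # default deny
]


def zones_of(cidr):
    """Return every zone that a rule's source or destination network reaches."""
    net = ipaddress.ip_network(cidr)
    hit = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    # A network not fully contained in a named zone also covers outside addresses.
    if not any(net.subnet_of(zone) for zone in ZONES.values()):
        hit.add("external")
    return hit


def audit(rules):
    """List (rule index, src zone, dst zone, port) for allow rules that open a
    forbidden flow. Rules are checked independently; shadowing is ignored."""
    findings = []
    for idx, (action, src, dst, port) in enumerate(rules):
        if action != "allow":
            continue
        for s in zones_of(src):
            for d in zones_of(dst):
                if (s, d) in FORBIDDEN:
                    findings.append((idx, s, d, port))
    return sorted(findings)


if __name__ == "__main__":
    for idx, s, d, port in audit(RULES):
        print(f"rule {idx}: permits {s} -> {d} on port {port}")
```

Rule 4 is reported twice because a source of `0.0.0.0/0` covers the DMZ as well as the external network, so a single "any" rule opens both forbidden paths.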

Home routers sometimes refer to a DMZ host, which usually means that any incoming connections not already translated by port address translation are forwarded to a single computer inside the network, but this computer still has full access to the rest of the network. This is not a true DMZ by definition.

See also


Computer network security


This article is licensed under the GNU Free Documentation License. It uses material from the "Demilitarized zone (computing)".
