A Demilitarized Zone (DMZ) is a network segment that is separated from other networks. Many organizations use them to separate their Local Area Networks (LAN) from the Internet. This puts additional security between their corporate network and the public Internet. It can also be used to separate one particular machine from the rest of a network, moving it outside of the protection of a firewall.
Frequent Uses
Common items that are placed in a DMZ are public-facing servers. For example, if an organization maintains its website on a server, that web server could be placed in a computer "Demilitarized Zone." In this way, if a malicious attack ever compromises the machine, the remainder of the company's network remains safe from danger. Someone can also place a computer on a DMZ outside of a network to test for connectivity issues being created by a firewall protecting the rest of the system.
Router Setup and Functionality
When connecting a LAN to the Internet, a router provides a physical connection to the public Internet, and firewall software offers a gateway to prevent malicious data from entering the network. One port on the firewall often connects to the network using an internal address, allowing traffic being sent out by individuals to reach the Internet. Another port is usually configured with a public address, which allows Internet traffic to reach the system. These two ports allow inbound and outbound data to communicate between the network and the Internet.
Purpose of a Demilitarized Zone
In creating a DMZ, an organization adds another network segment or subnet that is still part of the system, but not connected directly to the network. Adding a DMZ makes use of a third interface port on the firewall. This configuration allows the firewall to exchange data with both the general network and the isolated machine using Network Address Translation (NAT). The firewall does not usually protect the isolated system, allowing it to connect more directly to the Internet.
NAT Functionality
Network Address Translation allows data received on a certain port or interface to be routed to a specified network. For example, when someone visits an organization's web site, the browser is sent to the server hosting the site. If this organization keeps its web server in a DMZ, the firewall knows that all traffic sent to the address associated with their web site should be passed to the server sitting in the DMZ, rather than directly into the organization's internal network.
Drawbacks and Other Methods
Since the DMZ computer lies outside of the firewall's protection, it may be vulnerable to attacks from malicious programs or hackers. Companies and individuals should not store sensitive data on this type of system, and know that such a machine can potentially become corrupted and "attack" the rest of the network. Many networking professionals recommend "port-forwarding" for people experiencing networking or connection issues. This provides specific, targeted access to certain network ports, without opening up a system entirely.
