Demilitarized Zone / DMZ Network Definition
A demilitarized zone (DMZ) – also known as a screened subnet – is an isolated portion of an organization’s network that hosts systems intended to be publicly accessible. For example, a DMZ may contain web, email, domain name service (DNS), File Transfer Protocol (FTP), and proxy servers. By segmenting this subnet from the rest of the corporate network, an organization shields its internal systems from an attacker who succeeds in compromising one of these exposed hosts.
How Does a DMZ Network Work?
Firewalls define network boundaries. Most organizations have a firewall between their private local area network (LAN) and the public Internet. This helps block potentially malicious inbound traffic from reaching the organization’s systems and sensitive corporate data from leaving the network.
Typically, the goal of the network firewall is to drastically limit inbound requests from the public Internet to an organization’s internal systems. However, certain systems, such as web and DNS servers, need to be able to receive and respond to inbound requests.
A DMZ balances the desire to protect the internal network with the need to allow external access to certain systems. One common DMZ setup involves deploying two layers of firewalls. The outer firewall separates the public Internet from the organization’s network and permits only the inbound web, DNS, and similar traffic destined for the public-facing hosts. The DMZ sits immediately behind this firewall.
The inner firewall is more restrictive and separates the DMZ from the rest of the corporate network. It should deny connections initiated from the DMZ by default and permit only the specific flows a DMZ host genuinely needs, such as a web server reaching its database server on a single port. This keeps the DMZ hosts segregated from the rest of the network in case they are compromised by an attacker.
The Value of a DMZ Network
The hosts located on a corporate DMZ are the ones most likely to be compromised by an attacker. For example, a web server is designed to be publicly accessible, and a company’s website and other public-facing applications may contain vulnerabilities that an attacker could exploit.
One common attack technique is to gain access to one reachable system and then pivot from it to other corporate computers. This can enable an attacker to evade an organization’s defenses by taking advantage of the fact that certain systems may only be reachable from other, internal systems.
A DMZ makes it more difficult for an attacker to gain a foothold on a computer inside the DMZ and then pivot to other systems. Computers within the DMZ are separated from the rest of the network by a firewall due to their semi-trusted status. This firewall inspects and logs any traffic between the DMZ and the internal network. Because legitimate DMZ-to-internal traffic is limited to a few expected flows, any other connection attempt from a DMZ host (for example, an SMB or RDP connection toward an internal server) stands out, giving the company another opportunity to detect the attacker’s presence before they can gain access to sensitive data and functionality inside the corporate network.
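The two-firewall layout described under “How Does a DMZ Network Work?” and the pivot scenario above, worked through as an added example (this is not code from the original article, and it is a policy model, not a real firewall configuration). The zone ranges, host addresses (RFC 5737 and RFC 1918 space), firewall names and rules are all constructed for illustration. The outer firewall admits only Internet traffic aimed at the public-facing hosts, the inner firewall admits exactly one DMZ-initiated flow (the web server to its database on one port), and everything else is dropped. The last function shows what a compromised web server can still reach, which is the point of the segmentation.

```python
"""Screened-subnet (two-firewall DMZ) policy model.

Added example, not code from the original article. Zone ranges, host
addresses and rules are constructed for illustration (RFC 5737 and
RFC 1918 space); they are not a real firewall configuration. Only new
connections are modelled: a stateful firewall would pass the return
traffic of an accepted connection automatically.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample address space for the three zones.
ZONES = {
    "dmz": ip_network("203.0.113.0/24"),
    "lan": ip_network("10.0.0.0/8"),
    "internet": ip_network("0.0.0.0/0"),   # catch-all, checked last
}

def zone_of(addr: str) -> str:
    """Zone containing addr; the specific zones are tested before the catch-all."""
    a = ip_address(addr)
    for name in ("dmz", "lan", "internet"):
        if a in ZONES[name]:
            return name
    raise ValueError(addr)

@dataclass(frozen=True)
class Flow:
    src: str      # source IP of a new connection
    dst: str      # destination IP
    proto: str    # "tcp" or "udp"
    dport: int    # destination port

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dports: frozenset            # allowed destination ports; empty means any
    src: str = "0.0.0.0/0"       # optional host/CIDR restriction inside the zone
    dst: str = "0.0.0.0/0"

    def matches(self, f: Flow) -> bool:
        return (zone_of(f.src) == self.src_zone
                and zone_of(f.dst) == self.dst_zone
                and f.proto == self.proto
                and (not self.dports or f.dport in self.dports)
                and ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst))

class Firewall:
    """First-match accept list with an implicit default drop (a 'policy drop' forward chain)."""
    def __init__(self, name: str, accepts: list):
        self.name, self.accepts = name, accepts

    def decide(self, f: Flow) -> str:
        return "accept" if any(r.matches(f) for r in self.accepts) else "drop"

# Constructed hosts: public web, DNS and mail servers in the DMZ, a database and an admin subnet inside.
WEB, DNS, MAIL, DB = "203.0.113.10", "203.0.113.53", "203.0.113.25", "10.1.0.20"
ADMIN_NET = "10.2.0.0/24"

# Outer firewall: Internet <-> DMZ. No rule lets the Internet reach the LAN at all.
OUTER = Firewall("outer", [
    Rule("internet", "dmz", "tcp", frozenset({80, 443}), dst=WEB + "/32"),
    Rule("internet", "dmz", "udp", frozenset({53}), dst=DNS + "/32"),
    Rule("internet", "dmz", "tcp", frozenset({53}), dst=DNS + "/32"),
    Rule("internet", "dmz", "tcp", frozenset({25}), dst=MAIL + "/32"),
    Rule("lan", "internet", "tcp", frozenset({80, 443})),   # LAN browsing, already vetted by INNER
])

# Inner firewall: DMZ <-> LAN. Exactly one narrowly scoped DMZ-initiated flow is allowed.
INNER = Firewall("inner", [
    Rule("dmz", "lan", "tcp", frozenset({5432}), src=WEB + "/32", dst=DB + "/32"),  # web app -> its database only
    Rule("lan", "dmz", "tcp", frozenset({22}), src=ADMIN_NET),                       # admin subnet may SSH into the DMZ
    Rule("lan", "internet", "tcp", frozenset({80, 443})),
])

def firewalls_on_path(f: Flow) -> list:
    """Firewalls a new connection traverses, in the order it meets them."""
    zones = {zone_of(f.src), zone_of(f.dst)}
    path = [fw for fw, z in ((OUTER, "internet"), (INNER, "lan")) if z in zones]
    return path[::-1] if zone_of(f.src) == "lan" else path

def evaluate(f: Flow) -> tuple:
    """('accept', None) if every firewall on the path accepts, else ('drop', name of the firewall that dropped)."""
    for fw in firewalls_on_path(f):
        if fw.decide(f) == "drop":
            return ("drop", fw.name)
    return ("accept", None)

def reachable_from(compromised: str, targets: list) -> list:
    """Targets (dst, proto, dport) that an attacker controlling `compromised` can still open connections to."""
    return [t for t in targets if evaluate(Flow(compromised, *t))[0] == "accept"]

if __name__ == "__main__":
    for f in (Flow("198.51.100.7", WEB, "tcp", 443),   # visitor -> web server
              Flow("198.51.100.7", DB, "tcp", 5432),   # visitor -> database directly
              Flow(WEB, DB, "tcp", 5432),              # web app -> database
              Flow(WEB, "10.1.0.50", "tcp", 445),      # compromised web server -> internal file server
              Flow("10.2.0.5", WEB, "tcp", 22)):       # admin -> web server
        print(f, "->", evaluate(f))
```

The design choice worth noting is the shape of the inner rule: it is pinned to one source host, one destination host, one protocol and one port, rather than “DMZ to LAN on 5432”. A compromised mail server in the same DMZ therefore cannot reach the database either, and any connection a compromised web server attempts beyond that single flow is dropped at the inner firewall, where the drop log is the detection opportunity the text describes.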
Conclusion
A DMZ or screened subnet is an isolated segment of a corporate network designed to host semi-trusted systems. Web servers and similar systems are designed to be publicly accessible, which increases the risk that they will be compromised by an attacker. By separating these systems from the rest of an organization’s internal network, a company makes it more difficult for an attacker to compromise a publicly accessible system and then pivot to access other internal systems.