DMZ

A DMZ (Demilitarized Zone) is a perimeter network that acts as a buffer zone between an organization's internal, secure local area network (LAN) and the external, untrusted public internet.
It is designed to expose public-facing services to the internet without granting direct access to the internal network.
🧱 DMZ Architecture
A DMZ typically sits between two firewalls (or at least two zones of a firewall):
1. Single Firewall with Three Legs
One firewall with three interfaces:
External (Internet)
Internal Network (LAN)
DMZ (Public-facing servers)


2. Dual Firewall (Most Secure)
Two firewalls:
First firewall (external) separates the internet and DMZ.
Second firewall (internal) separates DMZ and internal LAN.
This adds defense in depth: a compromise of a DMZ host or of the external firewall still leaves the internal firewall between the attacker and the LAN, and the two firewalls can be configured and administered independently.


Components and services in DMZ
Web Server: serves public web content, such as a company website.
Mail Server: accepts and filters email from external sources before relaying it inward.
DNS Server: resolves the organization's public domain names (the public-facing authoritative server is sometimes hosted in the DMZ, separate from the internal resolver).
Proxy Server: acts as a middleman between internal users and the internet.
Reverse Proxy: forwards client requests to internal servers while hiding their addresses and internal topology.
VPN Gateway: terminates connections from remote users so they can securely reach internal resources.
Traffic Flow Example
Scenario: a user on the internet accessing a company website.
1. The user sends an HTTP request to the company's domain.
2. The request hits the external firewall, which forwards it to the web server in the DMZ.
3. If the web server needs data from a backend database, it may contact the internal network through the internal firewall, but only over the specific ports that firewall explicitly allows; every other flow from the DMZ to the LAN is denied.
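The following is an added example (not part of the original page) that models the dual-firewall policy behind this traffic flow as first-match rules with a default deny, and traces the scenario's flows through the firewalls on their path. Zone names, the database port 5432 and the sample flows are assumptions chosen for the illustration.

```python
"""Zone-based policy model for the dual-firewall DMZ described above.
Rules are evaluated first-match with an implicit default deny, the way
both firewalls should be configured. Zones, ports and flows are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"


# External firewall: the internet may reach only the DMZ web service ports.
EXTERNAL_FW = [
    Rule("internet", "dmz", "tcp", 80, "allow"),
    Rule("internet", "dmz", "tcp", 443, "allow"),
    Rule("internet", "internal", "any", None, "deny"),  # never straight to the LAN
]

# Internal firewall: the DMZ web tier may reach the backend database only on
# its service port (5432 assumed here); every other DMZ -> LAN flow is dropped.
INTERNAL_FW = [
    Rule("dmz", "internal", "tcp", 5432, "allow"),
    Rule("dmz", "internal", "any", None, "deny"),
]


def evaluate(rules, src_zone, dst_zone, proto, dport):
    """Return the action of the first matching rule, or 'deny' if none match."""
    for r in rules:
        if (r.src_zone == src_zone and r.dst_zone == dst_zone
                and r.proto in ("any", proto) and r.dport in (None, dport)):
            return r.action
    return "deny"  # default deny: anything not explicitly allowed is dropped


def trace(src_zone, dst_zone, proto, dport):
    """True only if every firewall between the two zones allows the flow.
    internet -> dmz crosses the external firewall, dmz -> internal crosses
    the internal one, and internet -> internal would have to pass both."""
    path = []
    if src_zone == "internet":
        path.append(EXTERNAL_FW)
    if "internal" in (src_zone, dst_zone):
        path.append(INTERNAL_FW)
    return all(evaluate(fw, src_zone, dst_zone, proto, dport) == "allow" for fw in path)
```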