DMZ

A DMZ (Demilitarized Zone) is a perimeter network that acts as a buffer zone between an organization's internal, trusted local area network (LAN) and the external, untrusted public internet.

It is designed to expose public-facing services to the internet without exposing the internal network: hosts in the DMZ are reachable from outside, but a compromise of a DMZ host should not, by itself, give an attacker a foothold inside the LAN.

🧱 DMZ Architecture

A DMZ typically sits between two firewalls (or between two separately policed zones of a single firewall):

1. Single Firewall with Three Legs

  • One firewall with three interfaces:

    • External (Internet)

    • Internal Network (LAN)

    • DMZ (Public-facing servers)

2. Dual Firewall (Most Secure)

  • Two firewalls:

    • First firewall (external) separates the internet and the DMZ.

    • Second firewall (internal) separates the DMZ and the internal LAN.

  • This adds defense in depth rather than redundancy: an attacker who compromises a DMZ host, or the external firewall itself, still has to get past a second, independently configured policy before reaching the LAN. Using firewalls from two different vendors means a single vendor's bug or misconfiguration does not bypass both layers.


Components and Services in a DMZ

| Service | Description |
| --- | --- |
| Web Server | Serves public web content, such as the company website |
| Mail Server | Accepts and filters inbound email from external sources before relaying it inward |
| DNS Server | Authoritative server for the organization's public domain names (sometimes hosted in the DMZ) |
| Proxy Server | Forward proxy that sits between internal users and the internet, so user browsing leaves via the DMZ rather than directly from the LAN |
| Reverse Proxy | Accepts client requests and forwards them to internal servers, hiding those servers' addresses and topology |
| VPN Gateway | Terminates remote users' encrypted tunnels so they can securely reach internal resources |

Traffic Flow Example

Scenario: a user on the internet accessing a company website.

  1. The user sends an HTTPS request to the company's domain, which resolves to the public address of the web server in the DMZ.

  2. The request hits the external firewall (or the external interface of a three-legged firewall), which forwards it to the web server in the DMZ only because a rule explicitly allows inbound TCP 443 to that server; everything else from the internet is dropped.

  3. If the web server needs data from a backend database, it contacts the internal network through the internal firewall, but only from that server, to that database host, on the specific allowed port. No rule ever permits traffic from the internet zone to the LAN, so a compromised web server is limited to the single connection the policy grants it.
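The zone policy behind the architecture section and this traffic flow, as an added example that is not part of the original page: a small Python model of the dual-firewall design, with the external firewall holding the only rules that mention the internet zone and the internal firewall holding the only rules that mention the LAN. Addresses (TEST-NET ranges for the DMZ and client, RFC 1918 for the LAN), hostnames and ports are constructed assumptions for illustration. The same evaluation applies to the single three-legged firewall, since both designs police the same zone pairs; only the number of devices enforcing them differs.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the example (assumptions, not from the page):
# the DMZ uses TEST-NET-1 to stand in for a public range, the LAN is RFC 1918.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "lan": ipaddress.ip_network("10.0.0.0/8"),
}
WEB_SERVER = "192.0.2.10"   # public-facing web server in the DMZ
MAIL_SERVER = "192.0.2.25"  # inbound mail relay in the DMZ
DB_SERVER = "10.0.5.10"     # backend database on the LAN


def zone_of(ip: str) -> str:
    """Map an address to the firewall zone whose interface it arrives on."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"  # anything that is not DMZ or LAN is on the external side


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dports: frozenset                   # empty set = any destination port
    dst_hosts: frozenset = frozenset()  # empty set = any host in dst_zone


# External firewall: the only policy that ever mentions the internet zone.
EXTERNAL_POLICY = [
    Rule("internet", "dmz", "tcp", frozenset({80, 443}), frozenset({WEB_SERVER})),
    Rule("internet", "dmz", "tcp", frozenset({25}), frozenset({MAIL_SERVER})),
    # Outbound from the DMZ: mail delivery and the forward proxy's browsing traffic.
    Rule("dmz", "internet", "tcp", frozenset({25, 80, 443})),
]

# Internal firewall: knows only dmz and lan, so no single rule here can expose
# the LAN to the internet, and the web server gets exactly one path inward.
INTERNAL_POLICY = [
    Rule("dmz", "lan", "tcp", frozenset({5432}), frozenset({DB_SERVER})),
    Rule("lan", "dmz", "tcp", frozenset()),  # staff reach DMZ hosts (proxy, admin)
]


def matches(policy, src_ip, dst_ip, proto, dport) -> bool:
    """Default deny: a new connection passes only if some rule explicitly allows it."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r in policy:
        if (r.src_zone, r.dst_zone, r.proto) != (src, dst, proto):
            continue
        if r.dports and dport not in r.dports:
            continue
        if r.dst_hosts and dst_ip not in r.dst_hosts:
            continue
        return True
    return False


def path(src_zone: str, dst_zone: str):
    """Which firewalls a new connection must cross, in order."""
    order = ["internet", "dmz", "lan"]
    i, j = order.index(src_zone), order.index(dst_zone)
    step = 1 if j > i else -1
    hops = []
    for k in range(i, j, step):
        pair = {order[k], order[k + step]}
        hops.append(EXTERNAL_POLICY if "internet" in pair else INTERNAL_POLICY)
    return hops


def evaluate(src_ip: str, dst_ip: str, proto: str = "tcp", dport: int = 443) -> str:
    """Allow only if every firewall on the path has an explicit allow rule.
    Return traffic for an allowed connection is assumed stateful and not modelled."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "allow"  # same segment: the traffic never reaches a firewall
    for fw in path(src, dst):
        if not matches(fw, src_ip, dst_ip, proto, dport):
            return "deny"
    return "allow"


def trace_website_request() -> dict:
    """The page's scenario plus the pivots a compromised web server might try."""
    client = "203.0.113.7"  # constructed internet client (TEST-NET-3)
    return {
        "client->web:443": evaluate(client, WEB_SERVER, "tcp", 443),
        "web->db:5432": evaluate(WEB_SERVER, DB_SERVER, "tcp", 5432),
        "web->db:22": evaluate(WEB_SERVER, DB_SERVER, "tcp", 22),          # pivot attempt
        "web->other_lan:5432": evaluate(WEB_SERVER, "10.0.5.11", "tcp", 5432),
        "client->db:5432": evaluate(client, DB_SERVER, "tcp", 5432),       # straight to LAN
        "client->mail:25": evaluate(client, MAIL_SERVER, "tcp", 25),
        "client->web:22": evaluate(client, WEB_SERVER, "tcp", 22),
    }


if __name__ == "__main__":
    for flow, verdict in trace_website_request().items():
        print(f"{flow:22s} {verdict}")
```

The point the trace makes is the one the section argues: the client reaches the web server on 443 and the web server reaches the database on 5432, but the same web server cannot reach the database on another port or any other LAN host, and nothing from the internet zone reaches the LAN directly, because the internal firewall has no rule that names the internet zone at all.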
