What is a DMZ (Demilitarized Zone) in Computer Networking?
In computer security, a DMZ or demilitarized zone is a physical or logical subnetwork that separates an organization's internal network (LAN) from an untrusted network, usually the Internet. Servers that must be reachable from the external network, such as web servers, mail servers, DNS and FTP servers, are placed in the DMZ, and the DMZ is separated from the rest of the internal network by firewalls. A DMZ is also called a perimeter network. The name comes from the demilitarized zone between nation states, an area in which no military operations are permitted.
Why do we use a DMZ?
Servers that are accessible from the external network are the most exposed to attack. The rest of the enterprise's internal network should therefore be isolated from those servers, so that even if one of them is compromised, the internal network remains protected. For this reason, publicly accessible servers such as web servers, mail servers and DNS servers are placed in the DMZ, and the internal network is shielded from them. Usually the DMZ is separated from the rest of the internal network by a firewall, and communication between the DMZ and the internal network is restricted. Communication between two hosts within the DMZ, and between the DMZ and the external network, is restricted as well.
Which servers are placed in the DMZ?
Any server that provides services to users on the external network can be placed in the DMZ. The most common examples are:
- Web servers
- Mail servers
- FTP servers
- VoIP servers
- Proxy servers
Web servers often need to communicate with database servers. They can do so through a Web Application Firewall (What is a Web Application Firewall ?) for added security. The web server can be placed in the DMZ while the database server stays in the internal network, depending on the sensitivity of the data in the database.
Similarly, mail servers can be placed in the DMZ while the database containing sensitive email messages and user data is placed in the internal network, where it is not accessible from the external network.
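The segmentation rules described above (Internet reaches only published DMZ services, only the web server reaches the database, DMZ hosts cannot talk to each other or to the rest of the internal network) can be written down as a zone-based allow list with a default deny. The following is an added example, not code from the original article; every address, host role and port in it is a constructed sample value.

```python
# Zone-based firewall policy for an Internet / DMZ / internal design. Added
# example, not from the original article; addresses and ports are constructed.
from dataclasses import dataclass

# Constructed inventory: which zone each address belongs to.
ZONES = {
    "203.0.113.10": "internet",  # external client (TEST-NET-3 range)
    "192.0.2.20": "dmz",         # public web server
    "192.0.2.25": "dmz",         # public mail server
    "10.0.0.50": "internal",     # database behind the web application
    "10.0.0.60": "internal",     # staff file server
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    src_hosts: frozenset = frozenset()  # empty = any host in src_zone
    dst_hosts: frozenset = frozenset()  # empty = any host in dst_zone
    dst_ports: frozenset = frozenset()  # empty = any port

# Explicit allow list; every flow not matched below is denied.
POLICY = [
    # Internet may reach only the published services of specific DMZ hosts.
    Rule("internet", "dmz", dst_hosts=frozenset({"192.0.2.20"}),
         dst_ports=frozenset({80, 443})),
    Rule("internet", "dmz", dst_hosts=frozenset({"192.0.2.25"}),
         dst_ports=frozenset({25})),
    # Only the web server may open the database port on the DB host.
    Rule("dmz", "internal", src_hosts=frozenset({"192.0.2.20"}),
         dst_hosts=frozenset({"10.0.0.50"}), dst_ports=frozenset({5432})),
    # Staff inside may administer DMZ hosts over SSH.
    Rule("internal", "dmz", dst_ports=frozenset({22})),
]

def zone_of(ip):
    """Unknown addresses are treated as untrusted Internet."""
    return ZONES.get(ip, "internet")

def is_allowed(src_ip, dst_ip, dst_port):
    """First-match check against POLICY with an implicit default deny; DMZ-to-DMZ,
    DMZ-to-Internet and Internet-to-internal flows match nothing and are denied."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for r in POLICY:
        if ((r.src_zone, r.dst_zone) == (src_zone, dst_zone)
                and (not r.src_hosts or src_ip in r.src_hosts)
                and (not r.dst_hosts or dst_ip in r.dst_hosts)
                and (not r.dst_ports or dst_port in r.dst_ports)):
            return True
    return False
```

The useful check is the negative cases: a compromised mail server in the DMZ gets no path to the database, and the web server gets no path to the staff file server or back out to the Internet.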
Organizations can also include proxy servers in the DMZ (What are proxy servers and how do they work ?). These can be both forward proxy servers and reverse proxy servers. Forward proxy servers intercept requests originating from the organization's internal network for external resources; they can monitor the web content and filter it for security purposes. Reverse Proxy Servers on …