What is DMZ or Demilitarized Zone in computer networking?
In computer security, a DMZ or Demilitarized Zone is a physical or logical subnetwork that separates an organization’s internal network (LAN) from an untrusted network, usually the Internet. The servers that must be reachable from the external network, such as web servers, mail servers, DNS, FTP, etc., are placed in the DMZ, and the DMZ is separated from the rest of the internal network by firewalls. It is also called a perimeter network. The name “DMZ” is derived from the term demilitarized zone, an area between nation-states where no military operations are permitted.
Why do we use DMZ?
Servers accessible from the external network are the most exposed to cyber attacks. The rest of an enterprise’s internal network should therefore be protected from those servers, so that even if they are compromised, the internal network remains protected. Publicly accessible servers, such as web servers, mail servers, DNS, etc., are placed in the DMZ, and the rest of the internal network is shielded from them. Usually, the DMZ is separated from the rest of the internal network by a firewall, and communication between the DMZ and the internal network is restricted. Communication between two hosts within the DMZ, and between the DMZ and the external network, is restricted as well.
What servers are placed in the DMZ?
Any server that provides services to users on the external network can be placed in the DMZ. Some of the most common examples are:
- Web servers
- Mail servers
- FTP servers
- DNS
- VoIP servers
- Proxy servers
Web servers often need to communicate with database servers. They can do so through a Web Application Firewall (What is a Web Application Firewall?) for security. Depending on the sensitivity of the data in the database, the web server can be placed in the DMZ while the database server stays in the internal network.
Similarly, mail servers can be placed in the DMZ, while the database containing sensitive email messages and user data is kept in the internal network and made inaccessible from the external network.
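The restrictions described above (external clients reach only published DMZ services, a DMZ host reaches only the one internal port it needs, and DMZ-to-DMZ and DMZ-to-external traffic is denied by default) can be expressed as a zone-based allow-list. The following is an added example, not code from the article; the zone subnets, host addresses and ports are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed zone addressing for the example (assumed, not from the article).
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),
    "internal": ip_network("10.0.0.0/8"),
    "internet": ip_network("0.0.0.0/0"),   # catch-all, checked last
}

def zone_of(ip: str) -> str:
    """Map an address to its zone; specific subnets win over the catch-all."""
    addr = ip_address(ip)
    for name in ("dmz", "internal", "internet"):
        if addr in ZONES[name]:
            return name
    raise ValueError(ip)

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: Optional[str]   # None = any host in the destination zone
    dport: Optional[int]      # None = any port
    action: str

# First-match allow-list. Anything not matched falls through to "drop",
# which is what blocks DMZ-to-DMZ, DMZ-to-Internet and DMZ-to-internal
# traffic other than the single database port the web server needs.
RULES = [
    Rule("internet", "dmz", "192.0.2.10", 443, "accept"),  # public web server
    Rule("internet", "dmz", "192.0.2.20", 25, "accept"),   # inbound mail
    Rule("dmz", "internal", "10.0.5.5", 5432, "accept"),   # web -> DB only
    Rule("internal", "dmz", None, None, "accept"),         # admins reach DMZ
]

def decide(src: str, dst: str, dport: int) -> str:
    """Return the firewall verdict for one flow (default deny)."""
    s, d = zone_of(src), zone_of(dst)
    for r in RULES:
        if (r.src_zone == s and r.dst_zone == d
                and r.dst_host in (None, dst) and r.dport in (None, dport)):
            return r.action
    return "drop"
```

The value of the default-deny rule shows up in the negative cases: a compromised web server in the DMZ cannot reach the mail server next to it, cannot open the database host on any port other than 5432, and cannot initiate connections out to the Internet.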
Organizations can also include proxy servers in the DMZ (What are proxy servers and how do they work?). These can be either forward proxy servers or reverse proxy servers. Forward proxy servers intercept requests originating from the organization’s internal network for external resources; they can monitor the web content and filter it accordingly for security purposes. Reverse proxy servers, on …