Demilitarized zone (computing)

From Wikipedia, the free encyclopedia

You have new messages (last change).
For other uses of "DMZ", see DMZ (disambiguation).
Diagram of a typical network employing DMZ using a three-legged firewall
Enlarge
Diagram of a typical network employing DMZ using a three-legged firewall

In computer security, a demilitarized zone (DMZ) or perimeter network is a network area (a subnetwork) that sits between an organization's internal network and an external network, usually the Internet. The point of a DMZ is that connections from the internal and the external network to the DMZ are permitted, whereas connections from the DMZ are only permitted to the external network -- hosts in the DMZ may not connect to the internal network. This allows the DMZ's hosts to provide services to the external network while protecting the internal network in case intruders compromise a host in the DMZ. For someone on the external network who wants to illegally connect to the internal network, the DMZ is a dead end.

The DMZ is typically used for connecting servers that need to be accessible from the outside world, such as e-mail, web and DNS servers.

Connections from the external network to the DMZ are usually controlled using port address translation (PAT).

A DMZ is often created through a configuration option on the firewall, where each network is connected to a different port on the firewall - this is called a three-legged firewall set-up. A stronger approach is to use two firewalls, where the DMZ is in the middle and connected to both firewalls, and one firewall is connected to the internal network and the other to the external network. This helps prevent accidental misconfiguration, allowing access from the external network to the internal network. This type of setup is also referred to as screened-subnet firewall.

[edit] DMZ host

Some home routers refer to a DMZ host. A home router DMZ host is a host on the internal network that has all ports exposed, except those ports forwarded otherwise.

This is not a true DMZ by definition since these pseudo DMZs provide no security between that host and the internal network. That is, the DMZ host is able to connect to hosts on the internal network, but hosts in a real DMZ are prevented from doing so by the firewall that sits between them.

[edit] See also


This computer network-related article is a stub. You can help Wikipedia by expanding it.
Retrieved from "http://en.wikipedia.org../../../d/e/m/Demilitarized_zone_%28computing%29.html"