DMZ – Demilitarized Zone Network

A DMZ (demilitarized zone) is a conceptual network design where publicly accessible servers are placed on a separate, isolated network segment. The intention of a DMZ is to ensure that, in the event that a publicly accessible server is compromised, it cannot contact other internal network segments.

In computer security, a DMZ or demilitarized zone (sometimes referred to as a perimeter network) is a physical or logical subnetwork that contains and exposes an organization’s external-facing services to a usually larger and untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization’s local area network (LAN); an external network node can access only what is exposed in the DMZ, while the rest of the organization’s network is firewalled.

The name is derived from the term “demilitarized zone”, an area between nation states in which military operation is not permitted.

Services in the DMZ

Any service that is being provided to users on the external network can be placed in the DMZ. The most common of these services are:
•  Web servers
•  Mail servers
•  FTP servers
•  VoIP servers

DMZ Architecture

There are a number of methods to create a network that includes a DMZ. The two most commonly deployed methods are the three legged model (single firewall) and a network with dual firewalls. Each of these primary architectural setups can be further expanded to create a complex network architecture depending on the enterprise or organizational requirements.

Below are Two Fundamental Types of DMZ Architecture

Three Legged DMZ Model (Single Firewall)

The three legged DMZ model makes use of a single firewall with a minimum of three network interfaces to create the architecture that contains a DMZ. In this configuration, the external network is formed from the Internet Service Provider (ISP) to the network’s firewall on the first network interface. The internal network is then formed from the second network interface, and the network DMZ is created from the third network interface. In the three legged model, the firewall becomes the single point of failure for the overall network. It also must be able to handle all traffic bound for both the DMZ and the internal network. When drawing the network architecture in this model, color codes are typically used to annotate the network zones. Green is normally used to indicate the DMZ, purple for the internal LAN, red for the Internet, and another color to indicate any wireless network zones that are being supported.
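The following is an added example, not part of the original article: a small Python audit of a three legged firewall's forwarding rules against the isolation goal stated at the top of this page. The addresses, ports, rule format and function names are all constructed for illustration.

```python
import ipaddress

# Constructed addressing for two of the three legs (assumptions, not from the page).
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/24"),
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
}
# Zone pairs that a new connection should not cross without a reviewed exception.
FORBIDDEN = [("dmz", "internal"), ("internet", "internal")]

def zones_touched(cidr):
    """Zones a rule's CIDR can match; space outside both legs counts as 'internet'."""
    net = ipaddress.ip_network(cidr)
    hit = {name for name, z in ZONES.items() if net.overlaps(z)}
    if not any(net.subnet_of(z) for z in ZONES.values()):
        hit.add("internet")
    return hit

def audit(rules):
    """Return (rule index, src zone, dst zone) for allow rules that cross a forbidden pair."""
    findings = []
    for i, (action, src, dst, _port) in enumerate(rules):
        if action != "allow":
            continue
        src_z, dst_z = zones_touched(src), zones_touched(dst)
        findings += [(i, a, b) for a, b in FORBIDDEN if a in src_z and b in dst_z]
    return findings

def decide(rules, src_ip, dst_ip, port):
    """First-match evaluation of a new connection, default drop."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst, rport in rules:
        if (s in ipaddress.ip_network(src) and d in ipaddress.ip_network(dst)
                and rport in (port, None)):
            return action
    return "drop"

# Constructed rulesets: (action, source CIDR, destination CIDR, TCP port or None for any).
HARDENED = [
    ("allow", "0.0.0.0/0", "192.168.100.10/32", 443),  # anyone -> DMZ web server
    ("allow", "10.0.0.0/24", "192.168.100.0/24", 22),  # internal admins -> DMZ
    ("allow", "10.0.0.0/24", "0.0.0.0/0", 443),        # internal -> outside
]
WEAK = HARDENED + [
    ("allow", "192.168.100.10/32", "10.0.0.5/32", 3306),  # DMZ web -> internal DB
    ("allow", "0.0.0.0/0", "0.0.0.0/0", 80),              # any -> any
]
if __name__ == "__main__":
    print(audit(HARDENED), audit(WEAK))
```

The audit is conservative: it flags every allow rule that could match a forbidden zone pair and does not account for earlier deny rules, so each finding is a prompt for review rather than proof of exposure.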

Dual Firewall DMZ Model

In order to create a more secure network DMZ, two firewalls can be used to set up the architecture. The “Front-End” firewall is set up to allow traffic to pass to/from the DMZ only. The “Back-End” firewall is then set up to pass traffic from the DMZ to the internal network. The dual firewall model is considered to be more secure than the three legged DMZ option, since two firewalls would have to be compromised for the network to be compromised.

Some organizations even go as far as to use firewalls produced by two different companies, to make it less likely that a hacker could use the same security vulnerability to access the internal network. As an example, if a network administrator makes a setup or configuration error on one firewall brand, he or she would likely make the same mistake on a second firewall of that brand. If a different brand or vendor’s firewall is used for each, the odds of a configuration mistake propagating across both firewalls are much lower. The practice of using two different firewalls, however, is more costly and requires additional effort to maintain when compared to the single firewall model.


1. A DMZ isolates your web server farm from your protected network.
2. If at any point in time your DMZ web server is compromised, it will not affect your servers in the local LAN or any other infrastructure in your corporate network.
3. It is standard practice for any enterprise to have a DMZ and to place in it all the infrastructure that needs to be exposed to the untrusted network (the Internet), such as web servers and e-mail servers.
