The Demilitarized Zone (DMZ) hosts public-facing services such as web servers, email servers, and Domain Name System (DNS) servers, isolating them from the rest of the network for security reasons. If one of these hosts is breached, the DMZ architecture aims to prevent the attacker from advancing into the core internal network where sensitive data and resources reside.
Setting up a DMZ involves using firewalls to create a buffer zone between the internet and the LAN. Traffic arriving from the internet is screened so that only connection requests for the specific services the DMZ publishes are allowed through, while any communication initiated from the DMZ toward the LAN is subject to much stricter filtering so that a compromised DMZ host cannot be used as a stepping stone into the internal network.
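The two screening points described above are, in practice, two sets of firewall rules: a short allow-list for internet-to-DMZ traffic and a near-total deny for DMZ-to-LAN traffic. The following is an added illustration, not part of the glossary entry and not taken from any product: a small first-match, default-deny policy evaluator in Python that models the three zones, plus a containment audit that lists what a compromised DMZ host could still reach inside the LAN. The zone names, the RFC 5737/RFC 1918 address ranges, the service ports and the sample flows are all constructed for the example.

```python
"""Three-zone firewall policy model: INTERNET, DMZ, LAN (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed address plan (documentation/private ranges, not a real deployment).
ZONES = {
    "DMZ": ip_network("192.0.2.0/24"),
    "LAN": ip_network("10.10.0.0/16"),
}


def zone_of(addr: str) -> str:
    """Return the zone containing addr; anything outside DMZ/LAN is INTERNET."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "INTERNET"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str            # "tcp" or "udp"
    dport: Optional[int]  # None matches any destination port
    action: str           # "ACCEPT" or "DROP"
    comment: str = ""


# Ordered ruleset: first match wins; anything unmatched falls to default DROP.
# The explicit DROP rules are redundant with the default but document intent.
POLICY = [
    # Internet -> DMZ: only the published services, nothing else.
    Rule("INTERNET", "DMZ", "tcp", 80,  "ACCEPT", "public web (HTTP)"),
    Rule("INTERNET", "DMZ", "tcp", 443, "ACCEPT", "public web (HTTPS)"),
    Rule("INTERNET", "DMZ", "tcp", 25,  "ACCEPT", "inbound mail (SMTP)"),
    Rule("INTERNET", "DMZ", "udp", 53,  "ACCEPT", "authoritative DNS"),
    # DMZ -> LAN: one database port for the web tier; everything else denied.
    Rule("DMZ", "LAN", "tcp", 5432, "ACCEPT", "web tier to database (PostgreSQL)"),
    Rule("DMZ", "LAN", "tcp", None, "DROP",   "no other DMZ-to-LAN access"),
    Rule("DMZ", "LAN", "udp", None, "DROP",   "no other DMZ-to-LAN access"),
    # Internet must never reach the LAN directly.
    Rule("INTERNET", "LAN", "tcp", None, "DROP", "no direct internet-to-LAN"),
    Rule("INTERNET", "LAN", "udp", None, "DROP", "no direct internet-to-LAN"),
    # Internal users manage DMZ hosts and browse outward.
    Rule("LAN", "DMZ", "tcp", 22, "ACCEPT", "admin SSH from inside"),
    Rule("LAN", "INTERNET", "tcp", None, "ACCEPT", "outbound browsing"),
]


def evaluate(src: str, dst: str, proto: str, dport: int) -> str:
    """Decide a NEW connection request: first matching rule wins, else DROP."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return "ACCEPT"  # intra-zone traffic does not cross this firewall
    for r in POLICY:
        if (r.src_zone, r.dst_zone, r.proto) == (s, d, proto) and r.dport in (None, dport):
            return r.action
    return "DROP"  # default deny


def dmz_to_lan_exposure(ports=range(1, 65536)) -> List[Tuple[str, int]]:
    """Containment audit: every (proto, port) a DMZ host may open toward the LAN.

    Run this after any rule change; the list should stay as short as the
    architecture requires, since it is exactly what an attacker who owns a
    DMZ host could reach next.
    """
    exposed = []
    for proto in ("tcp", "udp"):
        for p in ports:
            if evaluate("192.0.2.10", "10.10.1.5", proto, p) == "ACCEPT":
                exposed.append((proto, p))
    return exposed


if __name__ == "__main__":
    # Constructed sample flows: a public client, a DMZ web host, a LAN database.
    flows = [
        ("198.51.100.7", "192.0.2.10", "tcp", 443),   # public -> web: ACCEPT
        ("198.51.100.7", "192.0.2.10", "tcp", 22),    # public -> SSH on DMZ: DROP
        ("198.51.100.7", "10.10.1.5",  "tcp", 443),   # public -> LAN: DROP
        ("192.0.2.10",   "10.10.1.5",  "tcp", 5432),  # web -> DB: ACCEPT
        ("192.0.2.10",   "10.10.1.5",  "tcp", 445),   # web -> SMB on LAN: DROP
    ]
    for f in flows:
        print(f, "->", evaluate(*f))
    print("DMZ-to-LAN exposure:", dmz_to_lan_exposure())
```

In a real deployment the DMZ-to-LAN allow rule would be pinned to specific source and destination hosts rather than whole zones, and return traffic for accepted connections would be handled by the firewall's connection tracking; the model above only decides new connection requests.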
Key Characteristics:
- Isolation of Services: Contains services that need to be accessible from the public network yet separate from the internal network.
- Layered Security: Functions as part of a broader security posture which may include firewalls, intrusion detection systems, and other measures.
- Traffic Screening: Regulates incoming and outgoing network traffic according to defined security rules, allowing only the connections each zone is meant to accept.
- Breach Containment: In the event of a compromise, limits the attacker’s access to the DMZ area only.
Examples:
- Real-World Example: A corporation’s customer-facing website is hosted in a DMZ so that the general public can reach it without exposing the corporation’s internal network.
- Hypothetical Scenario: A university places its library database server in a DMZ, allowing students and faculty to access it off-campus while protecting the internal network that contains sensitive research data and personal information.
Related Terms:
- Firewall: A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules, often used to create a DMZ.
- Network Segmentation: The practice of splitting a computer network into subnetworks, each forming its own network segment, to improve performance and security; a DMZ is one form of network segmentation.
- Perimeter Network: Another term for DMZ, indicating its place at the boundary of an organisation’s network.