Demilitarized Zone (DMZ)
What is Demilitarized Zone (DMZ)?
Demilitarized Zone (DMZ)A buffer network segment that hosts externally exposed services, isolated from the internal LAN to limit the blast radius of a breach.
A DMZ is a perimeter subnet sandwiched between two firewalls (or a multi-legged firewall) where systems that must be reachable from the internet — web servers, mail relays, reverse proxies, VPN concentrators — are placed. The outer firewall lets defined inbound traffic reach the DMZ, while the inner firewall tightly restricts what the DMZ may initiate toward the internal network, ideally only specific application protocols to specific hosts. The architecture limits the blast radius of a compromise: even if an attacker takes over a DMZ host, they still face a strong policy boundary before reaching internal data. Modern designs add zero-trust controls, WAFs, and microsegmentation to harden this boundary further.
● Examples
- 01
A web server in the DMZ that can be reached from the internet on TCP/443 but cannot initiate connections to internal databases.
- 02
A mail relay in the DMZ that forwards messages to internal Exchange via a single SMTP rule.
● Frequently asked questions
What is Demilitarized Zone (DMZ)?
A buffer network segment that hosts externally exposed services, isolated from the internal LAN to limit the blast radius of a breach. It belongs to the Network Security category of cybersecurity.
What does Demilitarized Zone (DMZ) mean?
A buffer network segment that hosts externally exposed services, isolated from the internal LAN to limit the blast radius of a breach.
How do you defend against Demilitarized Zone (DMZ)?
Defences for Demilitarized Zone (DMZ) typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Demilitarized Zone (DMZ)?
Common alternative names include: Perimeter network, DMZ.