What is a DMZ (Demilitarized Zone), and where do public-facing servers belong?
A DMZ is a separate network segment between the trusted internal network and the untrusted Internet. Servers reachable from the Internet (web, email, DNS) live here — never in the internal network — so that compromising them doesn't directly expose the internal LAN.
The classic DMZ concept:
[Internet] ←→ [Firewall] ←→ [DMZ: Web/Mail/DNS Servers]
↑↓
[Internal LAN: workstations, file servers, AD]
The threat model:
If an attacker compromises your web server, what can they reach?
| Architecture | Attacker reaches |
|---|---|
| Web server in internal LAN | Internal LAN → file servers, DC, every workstation. Catastrophic. |
| Web server in DMZ | Only the DMZ. Internal LAN protected by inner firewall. Containment. |
The naming history:
"DMZ" comes from the Korean DMZ — the buffer strip between North and South Korea (no military presence). In networking, it's a buffer zone between hostile territory (Internet) and home territory (LAN).
The "many definitions" warning:
As is often noted: "Heutzutage gibt es viele verschiedene Definitionen im Internet, einige davon sind jedoch falsch (oder zumindest verwirrend)."
Some confusing alternative meanings you'll encounter:
- "DMZ port" on a SOHO router: usually means "expose this device fully to the Internet" — the opposite of a true DMZ (no protection at all).
- "Internal DMZ": a security zone inside the company for less-trusted segments (e.g., guest WiFi).
The classic, correct definition:
DMZ = network between the protected network (inside) and the external network (outside).
The two flavors of DMZ implementation:
| Architecture | Notes |
|---|---|
| Single firewall, three legs | One FW with WAN, DMZ, LAN interfaces. Cheap, simpler — but a single FW compromise exposes everything |
| Two firewalls (back-to-back) | One FW between Internet and DMZ, another between DMZ and LAN. Higher security — different vendors makes a single-vendor exploit insufficient |
Tip: The two-firewall architecture is sometimes called "screened subnet" or "dual-firewall DMZ." Best practice for high-security environments is to use different vendors for the two firewalls (e.g., Palo Alto outside, Fortinet inside) — so a single zero-day doesn't compromise both layers.
Go deeper:
DMZ (computing) — Wikipedia — diagrams both the single three-legged firewall and the dual-firewall "screened subnet" architectures.