LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is a DMZ (Demilitarized Zone), and where do public-facing servers belong?

A DMZ is a separate network segment between the trusted internal network and the untrusted Internet. Servers reachable from the Internet (web, email, DNS) live here — never in the internal network — so that compromising them doesn't directly expose the internal LAN.

The classic DMZ concept:

[Internet] ←→ [Firewall] ←→ [DMZ: Web/Mail/DNS Servers]
                ↑↓
              [Internal LAN: workstations, file servers, AD]

The threat model:

If an attacker compromises your web server, what can they reach?

Architecture Attacker reaches
Web server in internal LAN Internal LAN → file servers, DC, every workstation. Catastrophic.
Web server in DMZ Only the DMZ. Internal LAN protected by inner firewall. Containment.

The naming history:

"DMZ" comes from the Korean DMZ — the buffer strip between North and South Korea (no military presence). In networking, it's a buffer zone between hostile territory (Internet) and home territory (LAN).

The "many definitions" warning:

As is often noted: "Heutzutage gibt es viele verschiedene Definitionen im Internet, einige davon sind jedoch falsch (oder zumindest verwirrend)."

Some confusing alternative meanings you'll encounter:

  • "DMZ port" on a SOHO router: usually means "expose this device fully to the Internet" — the opposite of a true DMZ (no protection at all).
  • "Internal DMZ": a security zone inside the company for less-trusted segments (e.g., guest WiFi).

The classic, correct definition:

DMZ = network between the protected network (inside) and the external network (outside).

The two flavors of DMZ implementation:

Architecture Notes
Single firewall, three legs One FW with WAN, DMZ, LAN interfaces. Cheap, simpler — but a single FW compromise exposes everything
Two firewalls (back-to-back) One FW between Internet and DMZ, another between DMZ and LAN. Higher security — different vendors makes a single-vendor exploit insufficient

Tip: The two-firewall architecture is sometimes called "screened subnet" or "dual-firewall DMZ." Best practice for high-security environments is to use different vendors for the two firewalls (e.g., Palo Alto outside, Fortinet inside) — so a single zero-day doesn't compromise both layers.

Go deeper:

From Quiz: INTROL / Firewall Fundamentals | Updated: Jul 14, 2026