In network security, a demilitarized zone (DMZ) is a subnetwork within an organization's network infrastructure that sits between the protected internal network and an untrusted network, most often the internet.
A DMZ design has one inside interface connected to the private network and one outside interface connected to the public network.
The goal of a DMZ is to add an extra layer of security to an organization's network. A node outside the internal network can reach only the protected and monitored services exposed in the DMZ, while the rest of the organization's network stays behind a firewall.
It gives an organization an extra opportunity to detect and mitigate a security breach before it reaches the internal network, where the valuable assets are stored.
This allows hosts in the protected network to interact with both the internal and the external network, while the firewall separates and manages all traffic passing between the DMZ and the internal network. A second firewall is responsible for protecting the DMZ from exposure to everything on the external network.
This arrangement is shown in the figure below.
Traffic originating from the private network is inspected as it travels toward the public or DMZ network and is permitted with little or no restriction. Return traffic for those inspected flows, coming back from the DMZ or the public network to the private network, is permitted.
Traffic originating from the DMZ network and traveling to the private network is usually blocked.
Traffic originating from the DMZ network and traveling to the public network is permitted based on service requirements.
Traffic originating from the public network and traveling toward the DMZ is inspected and permitted only for the services the DMZ exposes, typically email, DNS, HTTP, or HTTPS. Return traffic from the DMZ to the public network for those flows is permitted.
Traffic originating from the public network and traveling to the private network is blocked.
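The six traffic rules above can be expressed as a stateful zone-pair policy. The following Python model is an added illustration, not code from the article or from any particular firewall vendor. The address ranges for the private and DMZ zones, the port set used as the "service requirement" for DMZ-to-public traffic (outbound SMTP and DNS), and the sample packets are all constructed assumptions for this example; "inspect" is modelled as permitting a new flow and recording it in a connection table so that its return traffic is allowed even across a zone pair that would otherwise be denied.

```python
"""Zone-based DMZ policy evaluator (added illustration, not the article's code).

Models the rules in the text: private -> dmz/public inspected and permitted,
dmz -> private denied, dmz -> public permitted per service requirements,
public -> dmz inspected and limited to email/DNS/HTTP/HTTPS, public -> private
denied, and return traffic of inspected flows permitted.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing; assumed for this example only.
ZONES = {
    "private": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything not private or DMZ is public."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "public"


# Policy per (source zone, destination zone).
# "inspect": permit a new flow and record it so its return traffic is allowed.
# "deny":    drop new flows in this direction.
# The port set limits which services may be initiated; None means any.
# The dmz->public ports are an assumed "service requirement" (outbound SMTP
# and DNS), since the text leaves that choice to the organization.
POLICY = {
    ("private", "dmz"): ("inspect", None),
    ("private", "public"): ("inspect", None),
    ("dmz", "private"): ("deny", None),
    ("dmz", "public"): ("inspect", {25, 53}),
    ("public", "dmz"): ("inspect", {25, 53, 80, 443}),
    ("public", "private"): ("deny", None),
}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class ZoneFirewall:
    """Stateful filter: a connection table plus the zone-pair policy."""

    def __init__(self) -> None:
        # 5-tuples of flows that were inspected when they were initiated.
        self.flows = set()

    def filter(self, pkt: Packet) -> str:
        # Return traffic of an inspected flow is permitted regardless of the
        # zone pair; this is what "inspected traffic returning ... is permitted"
        # means in practice.
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self.flows:
            return "permit-return"

        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
        if src_zone == dst_zone:
            return "permit-intrazone"  # the firewall only sits between zones

        action, services = POLICY[(src_zone, dst_zone)]
        if action == "deny":
            return "deny"
        if services is not None and pkt.dport not in services:
            return "deny"  # allowed direction, but not an exposed service

        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return "permit-inspect"


def run_demo() -> list:
    """Push constructed packets through a fresh firewall; returns decisions."""
    fw = ZoneFirewall()
    samples = [
        Packet("10.0.0.5", 40000, "203.0.113.10", 443),        # private -> public
        Packet("203.0.113.10", 443, "10.0.0.5", 40000),        # its return traffic
        Packet("203.0.113.10", 51000, "10.0.0.5", 22),         # public -> private (new)
        Packet("198.51.100.7", 52000, "192.168.100.10", 80),   # public -> DMZ web
        Packet("192.168.100.10", 80, "198.51.100.7", 52000),   # DMZ -> public return
        Packet("198.51.100.7", 52001, "192.168.100.10", 3389), # public -> DMZ RDP
        Packet("192.168.100.10", 53000, "10.0.0.5", 3306),     # DMZ -> private
        Packet("192.168.100.10", 53001, "203.0.113.53", 53),   # DMZ -> public DNS
    ]
    return [(zone_of(p.src), zone_of(p.dst), p.dport, fw.filter(p)) for p in samples]


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

The ordering inside filter matters: the connection-table lookup runs before the zone-pair policy, which is how a denied pair such as public-to-private can still carry the replies of an inspected private-to-public flow without opening that direction to new connections. Checking the destination port only for new flows mirrors the text's point that the public-to-DMZ rule is restricted to the exposed services while the DMZ's replies ride on the tracked state.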