A DMZ (Demilitarized Zone) is a neutral network or zone between the private network and the public network or the Internet. The main function of a DMZ is to isolate the public services offered to the outside from the resources of the private network. The LAN resources must be hidden from the outside and protected by the firewall with an additional layer of security. Each network is assigned a level of trustworthiness, and the firewall acts as the border and checkpoint between these networks.
When configuring a firewall, at least three types of networks can be distinguished, according to the level of trustworthiness assigned to them.
- WAN: An external network, for example the Internet. This has the lowest trust level.
- LAN: This is the internal, private or local network. A firewall should protect this zone against threats from other zones.
- DMZ: Demilitarized Zone. Conceptually it sits between the WAN and the LAN in trust level.
Normally there is one WAN and one LAN. From there, additional networks of each type can be added to keep groups of hosts isolated from one another. There can be as many DMZs and levels of trustworthiness as necessary.
The most common way of using a DMZ is to place in it the servers (HTTP, SMTP, DNS, etc.) that offer services to the outside, and often also the proxy server through which LAN users access the Internet.
With the correct levels of trustworthiness, the firewall is configured to allow new sessions only from the LAN to the DMZ and not vice versa: hosts in the DMZ cannot start sessions with the LAN, and may only send traffic to it that belongs to sessions already established. From the public zone, a user can reach only the servers in the DMZ. By doing this, even if the security of a certain server is compromised, the security of the LAN is guaranteed at all times.
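The zone policy described above, as an added example that is not part of the original page: a small model of a stateful firewall that ranks LAN over DMZ over WAN, lets the WAN reach only the published DMZ services, and lets a DMZ host answer a LAN-initiated session without being able to open a new one towards the LAN. The address plan and the service list are assumptions chosen for the example.

```python
# Added example (not from the original page): a minimal model of the
# three-zone policy. The zone addresses and published services are assumed.
import ipaddress

# Constructed sample zones (assumed address plan); anything else is WAN.
ZONES = {
    "LAN": ipaddress.ip_network("10.0.0.0/24"),
    "DMZ": ipaddress.ip_network("192.0.2.0/24"),
}

# Services the DMZ offers to the outside: (proto, port).
DMZ_PUBLIC_SERVICES = {("tcp", 80), ("tcp", 443), ("tcp", 25), ("udp", 53)}

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"   # everything not LAN or DMZ is treated as least trusted

class Firewall:
    def __init__(self):
        self.sessions = set()   # (proto, src, sport, dst, dport) of allowed flows

    def _policy_new(self, src_zone, dst_zone, proto, dport):
        # Trust levels: LAN > DMZ > WAN. New sessions may only go "downwards",
        # except that the WAN may reach the published DMZ services.
        if src_zone == "LAN" and dst_zone in ("DMZ", "WAN"):
            return True
        if src_zone == "DMZ" and dst_zone == "WAN":
            return True
        if src_zone == "WAN" and dst_zone == "DMZ":
            return (proto, dport) in DMZ_PUBLIC_SERVICES
        return False   # DMZ->LAN and WAN->LAN are never allowed as new sessions

    def accept(self, proto, src, sport, dst, dport):
        key = (proto, src, sport, dst, dport)
        reverse = (proto, dst, dport, src, sport)
        if key in self.sessions or reverse in self.sessions:
            return True   # packet belongs to an already established session
        if self._policy_new(zone_of(src), zone_of(dst), proto, dport):
            self.sessions.add(key)
            return True
        return False
```

A DMZ host's reply to a LAN client is accepted only because the LAN side opened the session first; the same host opening a fresh connection into the LAN is dropped.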