the Internet DMZ (DeMilitarized Zone)


A DMZ is a stretch of network that lies between an untrusted network and a trusted network. It contains services used by Internet customers. Keeping customer services separate from other network services helps network security.

The LIC lies between the Internet, the big daddy of untrusted networks, and the enterprise network, which is trusted. Customer services are contained in one Internet DMZ. This is partly to protect the enterprise network and partly to protect its own services.

what it is

[Figure: LIC topology: the Internet DMZ. The oval is the DMZ. It contains services that Internet customers can use.]

The Internet is an untrusted network and the enterprise network is trusted (more or less). The LIC is a network that lies between the Internet, with all its chaos and bad boy hackers, and the enterprise network with all its vulnerable communications and data stores.

Allowing the public to use a service is a security risk. Any service connected to the Internet suffers regular attempts to crack it. If a service is successfully cracked, the network where the service is located is attacked. Removing a public service from the trusted network and putting it in a DMZ lessens the vulnerability of the trusted network.

LIC services are contained in the internet DMZ. This one DMZ contains web servers, data stores, business logic and so on.

There is no restriction on how many DMZs are added to a network. An enterprise usually puts services in many DMZs. Here are four common ones.

  • An e-mail DMZ contains mail services, postboxes, virus scanners and spam checkers.
  • A public DMZ contains everything needed to present a web site to the outside world: computers, operating systems, web servers and website content.
  • A private DMZ contains everything needed to present a web site to the enterprise. It is similar to the public DMZ. It also contains all the administration servers that the support team use to control the LIC.
  • A business logic DMZ contains everything needed to make business decisions: business logic servers, databases, application servers and more computers and operating systems.

a firewall makes DMZs

A firewall does the job of making a DMZ work. A firewall guards the path from the nasty Internet to the delicate unprotected enterprise network. This firewall redirects all requests from the Internet off down the route to the DMZ.

The DMZ is also protected from the enterprise network by the firewall, even though it is the trusted network. If you don't believe these services need to be protected from the enterprise because it is a trusted network, try reading up on computer crime.
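
The firewall's job as described above can be written down as a zone policy and checked. The following is an added example, not code from the original page. The address ranges, ports and rule set are constructed assumptions, and the choice to drop all DMZ-to-enterprise traffic is an assumption that follows the page's reasoning about a cracked service.

```python
import ipaddress
from typing import NamedTuple

# Constructed addressing plan (assumption): anything outside these is "internet".
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "enterprise": ipaddress.ip_network("10.0.0.0/8"),
}

class Rule(NamedTuple):
    src: str          # source zone
    dst: str          # destination zone
    ports: frozenset  # destination ports the rule covers
    action: str       # "allow" or "drop"

# Hypothetical policy. First match wins; anything unmatched is dropped.
POLICY = [
    Rule("internet", "dmz", frozenset({80, 443}), "allow"),    # customer services
    Rule("enterprise", "dmz", frozenset({22, 443}), "allow"),  # support team only
    # Deliberately no rule with dst="enterprise": a cracked DMZ host
    # or an Internet client gets no path into the trusted network.
]

def zone_of(addr):
    """Map an IP address to its zone name."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"

def decide(src, dst, port, policy=POLICY):
    """Return the firewall's verdict for one connection attempt."""
    s, d = zone_of(src), zone_of(dst)
    for rule in policy:
        if (rule.src, rule.dst) == (s, d) and port in rule.ports:
            return rule.action
    return "drop"  # default deny

def audit(policy):
    """List rules that break the DMZ's purpose by opening a path
    from the Internet or the DMZ into the enterprise network."""
    return [r for r in policy
            if r.action == "allow" and r.dst == "enterprise"
            and r.src in ("internet", "dmz")]
```

Running `audit` on every proposed rule change catches the case where a later "temporary" rule quietly reconnects the Internet or the DMZ to the trusted network.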

what it isn't

A DMZ (De-Militarised Zone) in the network world is not an area between two countries where no military activity is supposed to take place.