introduction
A DMZ (De-Militarised Zone) in the geographical world is a stretch of land that keeps enemy armies apart. In the Internet world a DMZ is a stretch of network that lies between an untrusted network and a trusted network. Network administrators build DMZs between the Internet, with all its chaos and bad boy hackers, and the enterprise network with all its vulnerable communications and data stores.
A DMZ is also called a perimeter network.
what it is
The idea of a zone is pretty vague. Take a region of something, split it into areas defined by their distinctive features, and those areas are called zones. Geologists define planetary zones, doctors prod anatomical zones and town planners play with city zones. Data center zones are made by nerds.
[Figure: LIC topology: a request relayed by a proxy]
A DMZ is handy for keeping strangers out of the trusted network. Any computer that can be accessed from the Internet is vulnerable to attack. If an attack succeeds in breaking a service in the trusted network, you have a big problem. The solution to this problem is to not allow direct access to any service in the trusted network. Instead a network administrator can create a DMZ and put a few proxy servers in it. A proxy server is a kind of request relay: it requests services from the trusted network on behalf of a client. The administrator uses a firewall to secure the connection between the DMZ and the trusted network.
Visitors can only directly access the services on a host in the DMZ. The DMZ servers can access the trusted network.
A DMZ is defined using routing rules. It can be created using a router with three interfaces: one is connected to the untrusted network, one to the DMZ and one to the firewall protecting the trusted network. Most home network routers look like this.
The sequence of events that happens when an Internet client makes a request is a lot more complicated with a DMZ. The old-school version of client/server communication before the days of DMZs went like this.
- A request is sent by an Internet client.
- The request arrives at an Internet server.
- The server replies.
Some people set up a DMZ containing a router and a proxy server in between the client and the server. The communication goes like this.
[Figure: steps of a request passing through a DMZ]
- A request is sent by an Internet client.
- The router diverts it to the DMZ.
- A proxy server in the DMZ receives the request.
- The proxy server makes a new request and sends it to a service in the trusted network.
- The router sends the request coming from the DMZ network to the firewall.
- If the firewall is in a good mood it lets the request enter the trusted network.
- A server in the enterprise network receives the request.
- The server answers the request.
- The reply works its way back through the firewall to the proxy.
- The proxy forwards the answer through the router and back to the client.
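The filtering policy behind this sequence, as an added example that is not part of the original article: a small Python model of the three-interface router's forwarding rules, using constructed addresses for the DMZ proxy (192.0.2.10) and the trusted-network service (10.0.0.20). It replays the hops above and shows why a client that skips the proxy gets nowhere.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses: the DMZ and trusted LANs sit behind two of the
# router's three interfaces; everything else is treated as the Internet.
ZONES = {"dmz": ip_network("192.0.2.0/24"), "trusted": ip_network("10.0.0.0/24")}
PROXY = ip_address("192.0.2.10")   # hypothetical proxy host in the DMZ
APP = ip_address("10.0.0.20")      # hypothetical service in the trusted network

def zone_of(addr):
    """Name the zone an address belongs to; the Internet is the catch-all."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "internet"

# Allowed new flows: (src zone, dst zone, src host or None, dst host, dst port).
# Nothing here lets the Internet zone talk to the trusted zone directly.
RULES = [
    ("internet", "dmz", None, PROXY, 443),   # visitors may reach only the proxy
    ("dmz", "trusted", PROXY, APP, 8080),    # only the proxy may reach the app
]

class Firewall:
    """Stateful filter: new flows need a rule, replies need a known flow."""
    def __init__(self):
        self.flows = set()   # (src, sport, dst, dport) of accepted new flows

    def forward(self, src, sport, dst, dport):
        s, d = ip_address(src), ip_address(dst)
        if (d, dport, s, sport) in self.flows:   # reply to an accepted flow
            return True
        for sz, dz, sh, dh, port in RULES:
            if (zone_of(s), zone_of(d), dport) == (sz, dz, port) \
                    and (sh is None or s == sh) and d == dh:
                self.flows.add((s, sport, d, dport))   # remember for the reply
                return True
        return False   # default deny, including Internet -> trusted

def trace_request(client="198.51.100.7"):
    """Replay the request sequence from the article; one verdict per hop."""
    fw = Firewall()
    return [
        fw.forward(client, 50000, PROXY, 443),   # client -> proxy in the DMZ
        fw.forward(PROXY, 40000, APP, 8080),     # proxy's new request -> app
        fw.forward(APP, 8080, PROXY, 40000),     # app's reply -> proxy
        fw.forward(PROXY, 443, client, 50000),   # proxy's reply -> client
        fw.forward(client, 50001, APP, 8080),    # client tries the app directly
    ]
```

The last hop is dropped because no rule pairs the Internet zone with the trusted zone, which is the whole point of putting the proxy in between.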
There is a variation on this theme. The proxy server keeps a cache of information so it can often answer a request itself. This makes communication a bit simpler and faster because it knocks off a bit of the extra communication.
- A request is sent by an Internet client.
- The router diverts it to the DMZ.
- A proxy server in the DMZ receives the request.
- It tries to answer the request itself and, hooray, it can.
- The answer passes through the router and back to the client.
what it isn't
A LAN. A DMZ contains one or more LANs.
The Korean DMZ, the scariest place on earth. This temporary border between North Korea and South Korea has been around for 50 years. The Korean War never officially ended: if the many hundreds of thousands of troops stationed on either side of this strip of land get trigger happy, the USA automatically returns to war.
where it is
A home network sometimes contains one DMZ. The LIC contains three DMZs. Business enterprise networks may contain dozens.