Demilitarized zone (computing)
Diagram of a typical network employing DMZ using a three-legged firewall

In computer security, a demilitarized zone (DMZ) or perimeter network is a network area (a subnetwork) that sits between an organization's internal network and an external network, usually the Internet. The point of a DMZ is that connections from the internal and the external network to the DMZ are permitted, whereas connections from the DMZ are only permitted to the external network; hosts in the DMZ may not connect to the internal network. This allows the DMZ's hosts to provide services to both the internal and external network while protecting the internal network in case intruders compromise a host in the DMZ. For someone on the external network who wants to illegally connect to the internal network, the DMZ is a dead end.


The DMZ is typically used for connecting servers that need to be accessible from the outside world, such as e-mail, web and DNS servers.


Connections from the external network to the DMZ are usually controlled using port address translation (PAT).


A DMZ is often created through a configuration option on the firewall, where each network is connected to a different port on the firewall; this is called a three-legged firewall set-up. A stronger approach is to use two firewalls, where the DMZ is in the middle and connected to both firewalls, and one firewall is connected to the internal network and the other to the external network. This helps prevent an accidental misconfiguration that would allow access from the external network to the internal network. This type of setup is also referred to as a screened-subnet firewall.
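The connection policy and the misconfiguration risk described above can be checked mechanically. The following is an added example, not part of the original article: it audits a first-match rule list for flows the DMZ design forbids. The rule format, zone names and sample rule sets are assumptions constructed for illustration.

```python
# Rule format (assumed): (action, source zone, destination zone, port).
ANY = "any"
# Flows the DMZ design forbids: neither the DMZ nor the external network
# may initiate connections into the internal network.
FORBIDDEN = {("dmz", "internal"), ("external", "internal")}

def decide(rules, src, dst, port):
    """First matching rule wins; unmatched traffic is dropped (default deny)."""
    for action, r_src, r_dst, r_port in rules:
        if r_src in (ANY, src) and r_dst in (ANY, dst) and r_port in (ANY, port):
            return action
    return "deny"

def audit(rules):
    """Return the sorted (src, dst, port) flows that are allowed but forbidden."""
    # Every port named in a rule, plus one stand-in for all unnamed ports.
    ports = {r[3] for r in rules if r[3] != ANY} | {"other"}
    return sorted(
        (src, dst, str(port))
        for src, dst in FORBIDDEN
        for port in ports
        if decide(rules, src, dst, port) == "allow"
    )

# Constructed sample: the policy as the article states it.
GOOD = [
    ("allow", "external", "dmz", 25),        # inbound mail to the DMZ
    ("allow", "external", "dmz", 80),        # inbound web to the DMZ
    ("allow", "internal", "dmz", ANY),       # internal hosts may reach the DMZ
    ("allow", "internal", "external", ANY),  # internal hosts may reach outside
    ("allow", "dmz", "external", ANY),       # DMZ may only reach outside
]
# Constructed misconfiguration: the DMZ outbound rule is written with a
# wildcard destination, which also matches the internal network.
BAD = GOOD[:4] + [("allow", "dmz", ANY, ANY)]
# An explicit deny placed first protects the internal network even if a
# later rule is too broad.
FIXED = [("deny", ANY, "internal", ANY)] + BAD

if __name__ == "__main__":
    for name, rules in (("GOOD", GOOD), ("BAD", BAD), ("FIXED", FIXED)):
        print(name, audit(rules) or "no forbidden flows")
```

Because evaluation is first-match, the position of the deny rule in FIXED matters: appended after the wildcard allow, it would never be reached.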


Network Zone Colors

As shown in the diagram, networks get assigned one of three colors:

  • red = untrusted, usually the Internet
  • green = semi-trusted, the DMZ
  • blue = trusted, the local network

These colored zones delimit where firewalling is applied. Of course, additional firewalling might be applied, especially at end hosts, at the departmental level, or at other administrative boundaries.


DMZ host

Some home routers refer to a DMZ host. A home router DMZ host is a host on the internal network that has all ports exposed, except those ports forwarded otherwise.


This is not a true DMZ by definition, since these pseudo-DMZs provide no security between that host and the internal network. That is, the DMZ host is able to connect to hosts on the internal network, whereas hosts in a real DMZ are prevented from doing so by the firewall that sits between them.


The Wikipedia article included on this page is licensed under the GFDL.
All other elements are (c) copyright NationMaster.com 2003-5. All Rights Reserved.