
A DMZ (Demilitarized Zone) is a network segment that sits between your internal network and the Internet. It hosts services that must be accessible from the outside world while keeping them isolated from everything you actually care about.

The name comes from military history—the strip of land between hostile territories where nobody builds anything they can't afford to lose. That's exactly what this is. Your web server sits in no-man's land.

The Problem DMZs Solve

Organizations need to run Internet-accessible services: web servers, email servers, DNS servers. These services must accept connections from anyone on the Internet, which means they're perpetually under attack.

You have two bad options without a DMZ:

Put these servers on your internal network. Now when your web server gets compromised—and given enough time, it will—the attacker is already inside. They're on the same network as your file servers, databases, and accounting systems. Game over.

Put these servers directly on the Internet with no internal connection. Now they're completely exposed with no defense in depth, and you can't easily manage them or connect them to backend systems they need.

The DMZ creates a third option: a zone that's more exposed than your internal network but more protected than raw Internet. You're not protecting these servers. You're sacrificing them. When they fall, your real assets survive behind the second wall.

How DMZ Architecture Works

The classic DMZ uses two firewalls:

The external firewall sits between the Internet and the DMZ. It allows public access to specific services—ports 80 and 443 for web servers, port 25 for mail—while blocking everything else. This firewall faces the chaos of the Internet.

The internal firewall sits between the DMZ and your internal network. This is the wall that matters. It strictly controls what DMZ systems can reach internally. A compromised web server might need to query a database on port 3306. It gets that access and nothing else. No access to file servers. No access to workstations. No lateral movement.

When an attacker compromises a DMZ server, they've won a battle but not the war. They control one server in a hostile zone with nowhere to go. The internal firewall still stands between them and anything valuable.

Modern implementations often use a single firewall with three interfaces—Internet, DMZ, and internal—with strict policies controlling traffic between zones. Same security, simpler infrastructure.

What Belongs in the DMZ

Anything that must accept connections from the Internet:

  • Web servers hosting public sites or applications
  • Email servers receiving mail from the Internet
  • DNS servers answering public queries
  • VPN concentrators accepting remote connections
  • API gateways exposing services to external consumers

What doesn't belong: internal file servers, databases (except those directly supporting DMZ services), workstations, administrative systems. These stay on internal networks, protected by both firewalls.

The Access Control Rules

Firewall policies for DMZs follow strict patterns:

Internet → DMZ: Allow only the specific ports each server needs. The web server gets 80 and 443. The mail server gets 25. Everything else is denied.

DMZ → Internet: Allow DMZ servers to make necessary outbound connections—software updates, DNS queries. Some organizations restrict this further.

DMZ → Internal: This is where security lives or dies. Allow only specifically required connections. The web server talks to the database on port 3306. Period. It cannot touch workstations, file servers, or anything else.

Internal → DMZ: Allow internal users to manage DMZ servers and access their services.

The principle: DMZ servers are treated as compromised even before they're compromised. They get the minimum access required to function.
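As an added example (not code from the original page), here are the four rule patterns above expressed as a default-deny, zone-based policy with a small audit for over-permissive DMZ-to-internal rules; the addresses, host names and the SSH management port are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed sample topology; the addresses are illustrative assumptions.
ZONES = {"dmz": ipaddress.ip_network("192.0.2.0/24"),
         "internal": ipaddress.ip_network("10.0.0.0/8"),
         "internet": ipaddress.ip_network("0.0.0.0/0")}  # everything else
WEB, MAIL = "192.0.2.10", "192.0.2.25"   # DMZ web and mail servers
DB, FILESRV = "10.0.1.5", "10.0.1.50"    # internal database and file server

class Rule(NamedTuple):
    src_zone: str
    dst_zone: str
    proto: str
    dports: frozenset                 # empty = any port
    src_host: Optional[str] = None    # None = any host in src_zone
    dst_host: Optional[str] = None    # None = any host in dst_zone

POLICY = [
    # Internet -> DMZ: only the ports each public server needs
    Rule("internet", "dmz", "tcp", frozenset({80, 443}), dst_host=WEB),
    Rule("internet", "dmz", "tcp", frozenset({25}), dst_host=MAIL),
    # DMZ -> Internet: software updates and DNS queries only
    Rule("dmz", "internet", "tcp", frozenset({80, 443})),
    Rule("dmz", "internet", "udp", frozenset({53})),
    # DMZ -> Internal: the web server reaches the database on 3306, nothing else
    Rule("dmz", "internal", "tcp", frozenset({3306}), src_host=WEB, dst_host=DB),
    # Internal -> DMZ: administrators manage DMZ servers over SSH (assumed port)
    Rule("internal", "dmz", "tcp", frozenset({22})),
]

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)   # most specific zone wins; internet is the fallback
    return next(n for n in ("dmz", "internal", "internet") if addr in ZONES[n])

def is_allowed(src: str, dst: str, proto: str, dport: int) -> bool:
    """Default deny: a flow passes only when some rule explicitly matches it."""
    flow = (zone_of(src), zone_of(dst), proto)
    for r in POLICY:
        if ((r.src_zone, r.dst_zone, r.proto) == flow
                and (not r.dports or dport in r.dports)
                and (r.src_host or src) == src and (r.dst_host or dst) == dst):
            return True
    return False

def permissive_dmz_rules(policy=POLICY):
    """Audit: DMZ->internal rules that lack a port or destination restriction."""
    return [r for r in policy if (r.src_zone, r.dst_zone) == ("dmz", "internal")
            and (not r.dports or r.dst_host is None)]
```

Running the audit against a ruleset before it is deployed catches the "just in case" DMZ-to-internal rule that the failure modes below describe.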

Bastion Hosts

A bastion host is a hardened system in the DMZ designed specifically to withstand attack. It often serves as a jump box—administrators connect to the bastion first, then use it to reach other systems.

This creates a choke point. All administrative access flows through one monitored, logged, heavily secured entry point. The bastion runs minimal services, gets patched aggressively, requires multi-factor authentication, and logs everything.

If someone's accessing DMZ servers, you want to know about it. The bastion makes that surveillance possible.

DMZs in Cloud Environments

Cloud architectures implement DMZ concepts without physical firewalls:

Public-facing instances sit in public subnets with Internet gateways. Application and database tiers occupy private subnets with no direct Internet access. Security groups control traffic between tiers with the same rigor as firewall rules.

The topology is virtual, but the principle is identical: Internet-exposed systems isolated from internal resources, with strict controls on what can talk to what.

Where DMZ Security Fails

The DMZ only works if you maintain discipline:

Overly permissive DMZ-to-internal rules defeat the entire purpose. If your web server can reach your file server "just in case," you've eliminated the buffer zone. When the web server falls, so does everything it can reach.

Putting systems in the DMZ that don't need to be there expands your attack surface for no benefit. If it doesn't need Internet access, it doesn't belong in the DMZ.

Inadequate monitoring means you won't know when a DMZ server is compromised. These systems face constant attack. Watch them.

Treating DMZ servers as trusted leads to giving them access they don't need. They're in the sacrificial zone for a reason.

DMZ as One Layer

The DMZ limits damage from compromise. It doesn't prevent compromise.

Your web server still needs hardening, patching, application security, and intrusion detection. The DMZ means a successful attack stops at the second firewall instead of giving access to your entire network.

Internal networks need their own security. The DMZ protects against compromised public servers, not insider threats or compromised workstations.

Defense in depth uses DMZ segmentation alongside everything else: firewalls, intrusion prevention, endpoint protection, access controls, monitoring. Each layer catches what the others miss.
