
Demilitarized Zone (DMZ)


A Demilitarized Zone (DMZ) in computer networks is a physical or logical subnetwork that exposes an organization's externally facing services to an untrusted network, usually the Internet. Its purpose is to add a layer of security in front of the organization's internal network and protect it from unauthorized access.

This subnetwork isolates the services that must remain reachable from the Internet and keeps them separate from the internal network. If those services sat on the internal network, a successful attack on any one of them could put the whole network at risk.

Topology of a typical DMZ


The robustness of this topology depends on which firewall is chosen and on how well it is configured.

Two security principles:

  • Defense in depth: an attacker has to get through the router first and then the firewall before reaching anything behind them; each layer has to be defeated in turn.
  • Diversity of defense: the firewall and the router are separate devices, so a weakness or misconfiguration in one does not automatically defeat the other.

Dual DMZ topology: two DMZs placed in series. The external DMZ holds the elements best able to withstand attack (the hardened, least sensitive public services); the internal DMZ sits behind it, closer to the internal network.

Figure: dual DMZ topology

Both firewalls must be chosen carefully, and it must be decided which services belong in the external DMZ and which in the internal one. This architecture also adds administrative overhead, since there are two rule sets to keep consistent.

Mobile devices are a limitation of any perimeter firewall. A laptop or phone that connects to external networks is outside the firewall's protection while it is away and can be compromised there. When that device reconnects to the organization's network, it can become the attacker's way in and a source of infection for the other computers on the network.

Key features of a DMZ

  1. Network Separation: The DMZ is separated from both the secure internal network (LAN) and the external network (Internet). This separation is usually accomplished using one or more firewalls.

  2. Public Services Location: Services that need to be accessible from the Internet, such as web servers, email servers, FTP servers, and DNS servers, are placed in the DMZ. This reduces the risk that an attacker can directly access the internal network from the Internet.

  3. Layers of Security: An external firewall controls traffic between the Internet and the DMZ, while an internal firewall controls traffic between the DMZ and the internal network. This multi-layered design provides greater security since compromising the DMZ does not necessarily give access to the internal network.

  4. Restricted Access: Devices and services in the DMZ have only limited access to the internal network. Typically the internal firewall allows connections initiated from the internal network toward the DMZ (and the return traffic of those connections), but not connections initiated from the DMZ toward the internal network, so a compromised DMZ host cannot simply open a session into the LAN.
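The following Python model is an added example for this lesson, not code from the original page. It ties together the two security principles above and the four key features: two separate firewalls (external: Internet/DMZ, internal: DMZ/LAN), first-match rules with default deny, a flow from the Internet to the LAN having to be accepted by both firewalls (defense in depth), and an audit that flags any rule letting the DMZ initiate connections into the LAN. The zone prefixes, ports and rule sets are constructed for illustration and are not taken from any real deployment.

```python
"""Policy model for a two-firewall (screened subnet) DMZ.

Added example for this lesson, not code from the original page. Zones,
addresses and rules below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed addressing: one prefix per protected zone. Anything outside
# both prefixes is treated as the Internet.
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),
    "lan": ip_network("10.0.0.0/8"),
}
# Firewall 0 (external) sits between zones 0 and 1, firewall 1 (internal)
# between zones 1 and 2.
ZONE_ORDER = ["internet", "dmz", "lan"]


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dport: Optional[int]   # None matches any destination port
    action: str            # "accept" or "drop"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


# External firewall: Internet <-> DMZ. Only the published services are
# reachable from outside, and no rule ever names the LAN as a destination.
EXTERNAL_FW = [
    Rule("internet", "dmz", 443, "accept"),   # public web server
    Rule("internet", "dmz", 25, "accept"),    # inbound mail
    Rule("internet", "dmz", 53, "accept"),    # authoritative DNS
    Rule("dmz", "internet", None, "accept"),  # DMZ hosts may connect outward
]

# Internal firewall: DMZ <-> LAN. Only the LAN initiates connections into
# the DMZ; the DMZ initiates nothing toward the LAN.
INTERNAL_FW = [
    Rule("lan", "dmz", 22, "accept"),         # administration from inside
    Rule("lan", "dmz", 443, "accept"),        # staff use the same web service
]


def decide(rules: List[Rule], src_zone: str, dst_zone: str, dport: int) -> str:
    """First-match evaluation of one firewall; no match means default deny."""
    for r in rules:
        if r.src_zone == src_zone and r.dst_zone == dst_zone and r.dport in (None, dport):
            return r.action
    return "drop"


def firewalls_on_path(src_zone: str, dst_zone: str, external: List[Rule], internal: List[Rule]):
    """Return the firewalls a new connection crosses, in the order it meets them."""
    i, j = ZONE_ORDER.index(src_zone), ZONE_ORDER.index(dst_zone)
    crossings = range(i, j) if j >= i else range(i - 1, j - 1, -1)
    table = {0: ("external", external), 1: ("internal", internal)}
    return [table[k] for k in crossings]


def evaluate(flow: Flow, external: List[Rule] = EXTERNAL_FW, internal: List[Rule] = INTERNAL_FW) -> str:
    """Defense in depth: every firewall on the path must accept the connection.

    A flow from the Internet to the LAN has to pass the external and the
    internal firewall, so a single mistaken rule does not open the LAN.
    """
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    for name, rules in firewalls_on_path(src_zone, dst_zone, external, internal):
        if decide(rules, src_zone, dst_zone, flow.dport) != "accept":
            return f"drop at {name} firewall"
    return "accept"


def audit(external: List[Rule], internal: List[Rule]) -> List[str]:
    """Flag rules that violate the DMZ invariants described in the lesson."""
    problems = []
    for r in external:
        if r.action == "accept" and r.dst_zone == "lan":
            problems.append(f"external firewall routes traffic straight into the LAN: {r}")
        if r.action == "accept" and r.src_zone == "internet" and r.dport is None:
            problems.append(f"external firewall exposes every port of the DMZ: {r}")
    for r in internal:
        if r.action == "accept" and r.src_zone == "dmz" and r.dst_zone == "lan":
            problems.append(f"DMZ may initiate connections into the LAN: {r}")
    return problems


if __name__ == "__main__":
    for f in [Flow("203.0.113.7", "192.0.2.10", 443),   # Internet -> DMZ web: accept
              Flow("203.0.113.7", "10.0.0.5", 22),      # Internet -> LAN ssh: drop (external)
              Flow("192.0.2.10", "10.0.0.5", 3306),     # DMZ -> LAN db: drop (internal)
              Flow("10.0.0.5", "192.0.2.10", 22)]:      # LAN -> DMZ admin: accept
        print(f, "->", evaluate(f))
    print("audit:", audit(EXTERNAL_FW, INTERNAL_FW) or "no violations")
```

The `evaluate` call with a deliberately leaky external rule set (for example, adding `Rule("internet", "lan", 22, "accept")`) still reports a drop at the internal firewall, which is the concrete meaning of "compromising the DMZ does not necessarily give access to the internal network". Running `audit` over both rule sets before deploying them is the check a practitioner would automate.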

Advantages of a DMZ

  1. Increased Security: It isolates public services from the rest of the network, reducing the risk of a vulnerability in one of these services exposing the internal network.

  2. Attack Mitigation: Provides a controlled area where attackers can be detected and mitigated before they can gain access to more sensitive data on the internal network.

  3. Facilitates Compliance: Many security regulations recommend or require the use of a DMZ to protect sensitive data and meet security standards.

Disadvantages of a DMZ

  1. Complexity of Implementation: Setting up and maintaining a DMZ requires careful planning and additional resources.

  2. Costs: Implementing a DMZ can increase costs due to the need for additional hardware (firewalls, servers) and specialized personnel to manage the infrastructure.

In summary, a DMZ is a security strategy that helps protect an organization's internal network by creating an isolated zone for externally accessible services.