A DMZ is a separate network segment used to add extra security between a corporate network and the public internet. It is commonly used for public-facing servers and can be configured using NAT. However, it may be vulnerable to attacks and other methods such as port forwarding are recommended.
A demilitarized zone (DMZ) is a network segment that is separate from other networks. Many organizations use them to separate their local area networks (LANs) from the Internet. This adds extra security between their corporate network and the public internet. It can also be used to separate a particular machine from the rest of a network by moving it outside the protection of a firewall.
Frequent Uses
The most common things placed in a DMZ are public-facing servers. For example, if an organization hosts its website on its own server, that web server can be placed in the DMZ. That way, if an attack compromises the web server, the rest of the corporate network remains protected. A computer can also be placed in a DMZ outside the network to check whether connectivity problems are being caused by the firewall protecting the rest of the system.
Router configuration and functionality
When a LAN is connected to the Internet, a router provides the physical connection to the public Internet, and firewall software acts as a gateway that keeps malicious traffic out of the network. One port on the firewall typically connects to the internal network using a private address, allowing traffic from internal users to reach the Internet. Another port is usually configured with a public address, which is where Internet traffic arrives. Together, these two ports carry the incoming and outgoing data between the network and the Internet.
Purpose of a demilitarized zone
In creating a DMZ, an organization adds another network segment or subnet that is still part of its infrastructure but is not directly connected to the internal network. The DMZ uses a third interface port on the firewall. This setup allows the firewall to exchange data with both the internal network and the isolated machine using Network Address Translation (NAT). The firewall usually does not protect the isolated system, allowing it to connect more directly to the Internet.
NAT functionality
Network Address Translation allows the firewall to route data received on a particular port or interface to a specific network. For example, when someone visits an organization’s website, their browser sends a request to the public address associated with the site. If the organization keeps its web server in a DMZ, the firewall knows that all traffic sent to that address must be forwarded to the server in the DMZ, rather than into the organization’s internal network.
Disadvantages and other methods
Since the DMZ computer sits outside the firewall’s protection, it may be vulnerable to attacks by malware or hackers. Businesses and individuals should not store sensitive data on this type of system and should be aware that such a machine, once compromised, can be used to “attack” the rest of the network. Many network professionals instead recommend “port forwarding” for people who are having network or connection problems. This gives specific, targeted access to certain network ports without completely opening up a system.
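To make the difference between the NAT forwarding described above and the port-forwarding alternative concrete, here is an added example (not code from the original article) that models the firewall's inbound destination-NAT lookup. A "DMZ host" rule hands every unsolicited inbound packet to the server, while port-forwarding rules only admit the ports the server actually serves; the server address and the probed ports are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class ForwardRule:
    """One destination-NAT rule on the firewall's public interface."""
    proto: Optional[str]   # "tcp", "udp", or None to match any protocol
    port: Optional[int]    # public port, or None to match every port (DMZ-host style)
    target: str            # private address the traffic is translated to

@dataclass(frozen=True)
class Packet:
    """Unsolicited inbound packet arriving on the public interface."""
    proto: str
    dst_port: int

def translate(rules: List[ForwardRule], pkt: Packet) -> Optional[str]:
    """Return the private address the packet is forwarded to, or None if it is dropped.
    The first matching rule wins, mirroring typical firewall rule evaluation."""
    for rule in rules:
        proto_ok = rule.proto is None or rule.proto == pkt.proto
        port_ok = rule.port is None or rule.port == pkt.dst_port
        if proto_ok and port_ok:
            return rule.target
    return None  # no rule matched: the firewall's default policy drops it

# Constructed sample address of the web server sitting in the DMZ subnet.
WEB_SERVER = "192.168.10.10"

# "DMZ host" configuration: every inbound port, every protocol, goes to the server.
DMZ_HOST_RULES = [ForwardRule(None, None, WEB_SERVER)]

# Port forwarding: only the web ports are reachable; everything else is dropped.
PORT_FORWARD_RULES = [
    ForwardRule("tcp", 80, WEB_SERVER),
    ForwardRule("tcp", 443, WEB_SERVER),
]

def exposed_ports(rules: List[ForwardRule], probe=(22, 80, 443, 3389)) -> List[int]:
    """Which of the probed TCP ports reach the server under the given rule set."""
    return [p for p in probe if translate(rules, Packet("tcp", p)) is not None]

if __name__ == "__main__":
    print("DMZ host exposes:      ", exposed_ports(DMZ_HOST_RULES))      # [22, 80, 443, 3389]
    print("Port forwarding exposes:", exposed_ports(PORT_FORWARD_RULES))  # [80, 443]
```

Running it shows that the DMZ-host rule leaves administrative ports reachable from the Internet, whereas the port-forwarding rules confine exposure to 80 and 443.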