A demilitarized zone (DMZ) is a computer network with security-controlled access to the servers connected to it.
The systems installed in the DMZ are shielded from other networks (e.g. Internet, LAN) by one or more firewalls. This separation allows access to publicly accessible services (bastion hosts with e.g. e-mail, WWW) and at the same time protects the internal network (LAN) from unauthorized access from outside. The purpose is to provide the most secure possible services of the computer network to both the WAN (Internet) and the LAN (intranet). A DMZ develops its protective effect by isolating a system from two or more networks.
Many of the research workers recommend a two-stage firewall concept for the Internet in its IT baseline protection catalogues. In this case, a firewall separates the Internet from the DMZ, and another firewall separates the DMZ from the internal network. As a result, a single vulnerability does not immediately compromise the internal network. Ideally, the two firewalls are from different manufacturers, otherwise one known vulnerability would be enough to overcome both firewalls.
The filtering functions can certainly be taken over by a single device; in this case, the filtering system needs at least three network connections: one for each of the two network segments to be connected (e.g. WAN and LAN) and a third for the DMZ. Even though the firewall protects the internal network from attacks by a compromised server from the DMZ, the other servers in the DMZ are directly vulnerable until further protection measures are taken. This could be, for example, segmentation in VLANs or software firewalls on the individual servers that drop all packets from the DMZ network.
A connection should always be established from the internal network to the DMZ, never from the DMZ to the internal network. A common exception to this is access from the DMZ to database servers on the internal network. As a last resort, the firewall administrator usually watches over this principle before the rule is activated. As a result, the risk potential of a compromised server in the DMZ is largely reduced to attacks:
- to the inner firewall directly
- to other servers in the same DMZ
- about security vulnerabilities in administration tools such as Telnet or SSH and
- on connections that have been established regularly in the DMZ.
Some home routers mistakenly refer to the configuration of an exposed host as a “DMZ”. You can specify the IP address of a computer in the internal network to which all packets from the Internet are forwarded that cannot be assigned to another recipient via the NATs table. This means that the host can be reached (even for potential attackers) from the Internet. Port forwarding of the ports actually used is preferable to this – if possible.
It depends on the specific configuration of the firewall whether port forwarding to other computers is taken into account first and only then the exposed host, or whether the exposed host renders port forwarding to other computers ineffective.
The dirty DMZ or dirty net is usually the network segment between the perimeter router and the firewall of the (internal) LAN. From the outside, this zone has only the limited security of the perimeter router. This version of the DMZ is less of an obstacle to data transfer, as the incoming data only needs to be filtered simply (perimeter router).
A protected DMZ is a DMZ that is connected to the firewall’s own LAN interface. This DMZ has the individual security of the firewall. Many firewalls have multiple LAN interfaces to set up multiple DMZs.