Understanding DMZ

Posted on 2004-10-07
Medium Priority
Last Modified: 2008-01-09
Hi Experts,

Just wondering, could anybody explain DMZ to me? I know what it stands for, but what is the point of it and what does it do?
And why would I need one?

Question by:belronan

Accepted Solution

Chris Dent earned 1000 total points
ID: 12250549
DMZ - Demilitarized Zone

When talking about networking this is a very secure section of your network where as little as possible is allowed. The most common uses for something like this would be Web Services (whether that's e-mail relays or web servers).

As an example, a basic DMZ setup:

                 The Internet (with a couple of hackers)
                                 |
                         Company Firewall -------- Web Server
                                 |
                          Internal Network

Then you have some (basic) rules in place to protect that bit of your network:

Allow Traffic on Port 80 from The Internet to the Web Server
Block everything else from The Internet
Allow Traffic on Port 80 from the Internal Network to the Web Server
Allow Traffic on <Some Remote Admin Port> from the Internal Network to the Web Server
Block Everything Else

So now you have a nice little part of your network that almost no one can get to except on the things you really want them to. Nothing at all from outside can get to your nice safe internal network and mess things up there.
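As an added illustration of the rule set in the accepted solution (this is not code from the original thread), the following Python models the firewall's zone policy and evaluates a few constructed flows against it, including the case the thread comes back to later: a web server in the DMZ that has been compromised and tries to reach the internal LAN. The address ranges, host addresses and port 3389 (standing in for <Some Remote Admin Port>) are assumptions chosen for the example.

```python
"""Zone-based policy check for the basic DMZ layout described above.

Added illustration, not code from the original thread. The zone prefixes,
host addresses and the admin port are assumptions for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed address plan (hypothetical): one small DMZ subnet holding the
# public web server, a private LAN, and everything else treated as Internet.
ZONES = {
    "dmz": [ipaddress.ip_network("203.0.113.0/28")],
    "internal": [ipaddress.ip_network("10.0.0.0/8")],
}
ADMIN_PORT = 3389  # stands in for "<Some Remote Admin Port>" in the post


def zone_of(ip: str) -> str:
    """Classify an address into a zone; anything unmatched is the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src: str                 # zone name or "any"
    dst: str                 # zone name or "any"
    dport: Optional[int]     # None means any destination port
    action: str              # "allow" or "deny"


# The five rules from the accepted answer, in the order given.
# First match wins; anything that falls through is denied.
POLICY = [
    Rule("internet", "dmz", 80, "allow"),          # Internet -> web server :80
    Rule("internet", "any", None, "deny"),         # block everything else from Internet
    Rule("internal", "dmz", 80, "allow"),          # LAN -> web server :80
    Rule("internal", "dmz", ADMIN_PORT, "allow"),  # LAN -> web server, remote admin
    Rule("any", "any", None, "deny"),              # block everything else
]


def decide(src_ip: str, dst_ip: str, dport: int) -> str:
    """Return the first matching rule's action for a src -> dst:port flow."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for r in POLICY:
        if r.src not in ("any", src_zone):
            continue
        if r.dst not in ("any", dst_zone):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"  # implicit default if the list had no catch-all


# Constructed sample flows; the Internet-side address is documentation space.
SAMPLE_FLOWS = [
    ("198.51.100.7", "203.0.113.10", 80),    # hacker -> web server, HTTP
    ("198.51.100.7", "203.0.113.10", 3389),  # hacker -> web server, admin port
    ("198.51.100.7", "10.0.0.5", 445),       # hacker -> internal file server
    ("10.0.0.5", "203.0.113.10", 3389),      # admin on the LAN -> web server
    ("203.0.113.10", "10.0.0.5", 445),       # compromised web server -> LAN
]


def evaluate(flows=SAMPLE_FLOWS):
    """Decide every sample flow; returns (src, dst, port, action) tuples."""
    return [(s, d, p, decide(s, d, p)) for s, d, p in flows]


if __name__ == "__main__":
    for s, d, p, a in evaluate():
        print(f"{zone_of(s):8} {s:>14} -> {zone_of(d):8} {d:>14}:{p:<5} {a}")
```

Run it and each sample flow prints with its decision. The flow worth checking on a real firewall is the last one: a DMZ host gets no path into the LAN, so even a fully compromised web server cannot be used as a stepping stone. Rule order also matters here; an allow placed after the "block everything else from the Internet" line would never be reached.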

Author Comment

ID: 12250675
Cheers Mate,

So is it, in a sense, kind of like port forwarding then?

Expert Comment

by:Chris Dent
ID: 12251445

In a sense, although the overall design isn't restricted to just Port Forwarding since it also involves IP Routing as a whole.

For instance, the web server might have a public IP address in that instance and the firewall used just to restrict access to that IP. Equally it might use port forwarding and hide behind another IP address entirely.

A lot of how it is set up depends on the Hardware you're using as well as what you're trying to make publicly available.

Expert Comment

ID: 12252279
It's very common to use a DMZ for any/all 'publicly accessible' boxes (web servers, FTP box, etc.) and then only allow specific traffic from the Internet to those boxes. If someone is able to get in and hack your web server, for instance, they'll be locked into that DMZ network *and should NOT* have access to your corp/internal network. Essentially, a DMZ is a way to get boxes behind your firewall, but NOT have them on your corporate network.

With that in mind, you could have many, many DMZs if you so desired.


Expert Comment

ID: 12252520
Although that is a popular setup, the true origins of "DMZ" refer to computers that are connected to the Internet without any firewall in front of them. Web servers, mail servers, IDS, etc. are usually put in DMZs because you have to open up access to the public.

Nowadays, routers and firewalls have DMZ ports that "basically" allow total communication with the Internet but also do tracking. It's similar to port forwarding, but in a way it's also the opposite. Port forwarding has to do with Network Address Translation, where a single public IP would represent multiple services. Depending on the port, a NAT device would forward the request to a particular computer.

With DMZ, all ports are open all the time. So no matter what the request, it gets forwarded to the same computer. This makes NAT useless, and "port forwarding" not completely accurate.

Expert Comment

ID: 12252553
>>When talking about networking this is a very secure section of your network where as little as possible is allowed.

This is wrong. A demilitarized zone has very little security, and is removed from your network segment both physically and logically as a result.

Expert Comment

by:Chris Dent
ID: 12252598

The use and configuration of DMZ areas has changed over time somewhat. It is completely accurate to say it used to be an area with next to no security. But I personally haven't seen anywhere set up like that for years, especially not after things like NetSky started flying around.

The main difference between a DMZ and the Private network these days tends to be that the DMZ is the only section that allows users from the Internet inside. It remains a good idea to only allow the minimum access to that section.

Perhaps in that respect DMZ is a bit of a misleading term?

Expert Comment

ID: 12255680
It is mainly used for keeping the local network and publicly accessible servers separate, to protect the internal network from public access.

Author Comment

ID: 12256926
Thanks all,

So I'm currently using port forwarding to access my Outlook Web Access and also occasionally my terminal server, so should I really put these two boxes in front of my firewall?

But then how do I connect them to my local network, or do these boxes have to be closed-off boxes that I would rarely if ever be updating?


Expert Comment

by:Chris Dent
ID: 12256974
For Outlook / Exchange, Microsoft supply the Front-End / Back-End server model. Of course there is the additional cost of an extra server with an extra copy of Exchange etc. But this is the only way Exchange will let you have a more secure version in a DMZ. Exchange is too reliant on Active Directory to be moved outside the LAN otherwise.

For the Terminal Server, have you considered some kind of VPN type connection rather than opening it up completely?
