What is the difference between a DMZ and Zone?

Calling all security pros: what are the requirements that make a DMZ a DMZ? If I stand up a server in a segmented network exposed to an untrusted network, with only the ports open that are absolutely necessary, how is that any different from opening ports in the firewall to an internal server, other than segmenting the server from other servers?

I know what a DMZ is, but I don't quite understand what the different pieces are that make a complete DMZ solution, or what DMZ best practices are. Isolate from internal systems by doing more than just putting the server on its own subnet? Are there specific firewall requirements that make it a 'DMZ'? How is a DMZ different from an application zone?

Thanks in advance!!
JohnArmstrong asked:
mikebernhardt commented:
By putting something in a DMZ you're not just protecting that server; you're also protecting your internal network. If someone does manage to gain access to the outside-facing server and it's in a LAN with other stuff, that server will have full access to the other stuff. By isolating it you limit that access only to what's allowed.

It is basically just isolating it, whether with a firewall or just using an access list.
Dave Howe, Software and Hardware Engineer, commented:
DMZ is a term borrowed from military practice. It is a network that has some protection from the internet, but which you don't actually trust enough to give access to the local network, so it acts as a semi-trusted area to store things like web servers; if the web server is compromised, they must still get past a firewall to get to your actual network. In the Cisco world, it used to be that the LAN had a trust value of "100" and the internet a trust value of "0"; the DMZ had (sensibly enough) a trust value of "50", so it was less trusted than the LAN but more trusted than the internet.

Zone-based firewalling is an extension of the same idea, but instead of having just three zones, you have many, and you define exactly how the traffic between each zone is controlled on a zone-pair basis.
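The zone-pair idea from the answer above, written out as a Cisco IOS zone-based policy firewall configuration. This is an added example, not from the original thread; the interface names and the LAN-to-DMZ management protocols are assumptions for illustration. The point it makes concrete is that what turns "a server on its own subnet" into a DMZ is the zone-pair policy: the internet reaches only the published service, the LAN may initiate into the DMZ, and no zone-pair exists from DMZ to LAN, so a compromised web server cannot open connections inward.

```cisco
! Three zones in the traditional trust order: LAN > DMZ > OUTSIDE
zone security LAN
zone security DMZ
zone security OUTSIDE

! Interface names below are assumptions for this example
interface GigabitEthernet0/0
 description Internet uplink
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 description Internal LAN
 zone-member security LAN
interface GigabitEthernet0/2
 description DMZ segment holding the web server
 zone-member security DMZ

! OUTSIDE -> DMZ: only the published web service, stateful inspection
class-map type inspect match-any WEB-SVC
 match protocol http
 match protocol https
policy-map type inspect OUTSIDE-TO-DMZ
 class type inspect WEB-SVC
  inspect
 class class-default
  drop log
zone-pair security OUT-DMZ source OUTSIDE destination DMZ
 service-policy type inspect OUTSIDE-TO-DMZ

! LAN -> DMZ: administrators may reach the server; replies return
! through the stateful session table, not through a DMZ -> LAN rule
class-map type inspect match-any LAN-TO-DMZ-SVC
 match protocol ssh
 match protocol https
policy-map type inspect LAN-TO-DMZ
 class type inspect LAN-TO-DMZ-SVC
  inspect
 class class-default
  drop log
zone-pair security LAN-DMZ source LAN destination DMZ
 service-policy type inspect LAN-TO-DMZ

! Deliberately no zone-pair with source DMZ and destination LAN.
! In zone-based firewalling, traffic between two zones that have no
! zone-pair is dropped, so the DMZ host cannot initiate into the LAN.
! Any egress the web server genuinely needs (e.g. updates) would be
! added as an explicit DMZ -> OUTSIDE zone-pair with its own class-map.
```

Compare this with opening a port to a server in the LAN zone: there the server sits inside the "100" trust zone, so nothing stops it from reaching its neighbours once compromised.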