Skip to main content


Home Demilitarized zone

Demilitarized zone

(also DMZ)

Demilitarized zone definition

A demilitarized zone (DMZ) is a network segment (or zone) that sits between an organization's internal network and the external network, like the internet. The purpose of a DMZ is to provide a layer of security by isolating the internal network while still allowing certain types of traffic to pass through. A DMZ typically contains servers or other devices that need to be accessible from outside the internal network. By placing them in the DMZ, organizations can grant external users access without allowing them to connect directly to the internal network, which could potentially compromise security.

See also: sandboxing, network access control

How do DMZs protect organizations?

  • Isolation. By placing servers and other devices that need to be accessed from the internet in the DMZ, organizations can prevent external attackers from gaining direct access to the internal network, which could potentially compromise security.
  • Traffic filtering. Traffic that is meant for the DMZ is routed through the external firewall, which only allows certain types of traffic to pass through. This can include filtering by protocol, source IP address, or port number. This helps prevent unauthorized traffic from reaching the DMZ and potentially compromising the servers or devices located there.
  • Limited access. By only allowing certain types of traffic to pass through the external firewall, organizations can limit the number of potential attack vectors. For example, if the DMZ only allows HTTP traffic to reach a web server, an attacker would not be able to use other protocols, such as SSH or FTP, to gain access to the server.
  • Monitoring. Because the DMZ is a separate network segment, it is easier to monitor traffic to and from the servers or devices located there. This helps organizations detect and respond to potential security incidents more quickly.