DMZ Network: What Is a DMZ & How Does It Work?

A demilitarised zone network, or DMZ, is a subnet that creates an extra layer of protection from external attack.

Network administrators must balance access and security. Your employees must tap into data outside of the organisation, and some visitors need to reach into data on your servers. But some items must remain protected at all times. 

A DMZ network could be an ideal solution. Use it, and you'll allow some types of traffic to move relatively unimpeded. But you'll also use strong security measures to keep your most delicate assets safe.

What Is a DMZ Network?

The internet is a battlefield. Some people want peace, and others want to sow chaos. The two groups must meet in a peaceful centre and come to an agreement. When developers considered this problem, they reached for military terminology to explain their goals. 

In military terms, a demilitarised zone (DMZ) is a place in which two competing factions agree to put conflicts aside to do meaningful work. A strip like this separates the Korean Peninsula, keeping North and South factions at bay.

A DMZ network, in computing terms, is a subnetwork that separates public-facing services from their private counterparts. When implemented correctly, a DMZ network should reduce the risk of a catastrophic data breach. Public-facing servers sit within the DMZ, and they communicate with internal databases only through firewalls that protect those databases.

In 2019 alone, nearly 1,500 data breaches happened within the United States. Sensitive records were exposed, and vulnerable companies lost thousands trying to repair the damage. 

While a network DMZ can't eliminate your hacking risk, it can add an extra layer of security to extremely sensitive documents you don't want exposed.


Sample DMZ Networks

Any network configured with a DMZ needs a firewall to separate public-facing functions from private-only files. But developers have two main configurations to choose from. 

Single Firewall DMZ Network 

This configuration is made up of three key elements.

  1. Firewall: Any external traffic must hit the firewall first.
  2. Switches: A DMZ switch diverts traffic to a public server. An internal switch diverts traffic to an internal server.
  3. Servers: Both a public-facing server (in the DMZ) and a private server (on the internal network) are required.

Configure your network like this, and your firewall is the single item protecting your network. Switches ensure that traffic moves to the right space. 

A single firewall with three available network interfaces is enough to create this form of DMZ. But you'll need to create multiple sets of rules, so you can monitor and direct traffic inside and around your network. 
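As an added illustration (not code from the original article), the rule sets for a three-interface single-firewall DMZ can be modelled as a zone-to-zone policy. Zone names, address ranges and port numbers below are constructed assumptions; a real firewall would express the same policy in its own syntax.

```python
"""Model of the single-firewall, three-interface DMZ rule set (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing: one network per firewall interface (assumed values).
ZONES = {
    "lan": ip_network("10.0.0.0/24"),   # internal servers and staff
    "dmz": ip_network("192.0.2.0/24"),  # public-facing servers
}

def zone_of(addr: str) -> str:
    """Map an address to the firewall interface (zone) it arrives on."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"  # anything not on an inside interface is external

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    ports: frozenset  # empty set means any destination port
    action: str

# First match wins; anything not listed falls through to the default deny.
RULES = [
    Rule("internet", "dmz", frozenset({80, 443}), "allow"),  # published services only
    Rule("dmz", "lan", frozenset({5432}), "allow"),          # web tier to the database port only
    Rule("dmz", "lan", frozenset(), "deny"),                 # nothing else crosses inward
    Rule("lan", "dmz", frozenset(), "allow"),                # staff and admins reach the DMZ
    Rule("lan", "internet", frozenset(), "allow"),           # outbound staff traffic
    Rule("internet", "lan", frozenset(), "deny"),            # internal hosts are never exposed
]

def evaluate(src: str, dst: str, dport: int) -> str:
    """Return 'allow' or 'deny' for a new connection src -> dst:dport."""
    s, d = zone_of(src), zone_of(dst)
    for r in RULES:
        if r.src_zone == s and r.dst_zone == d and (not r.ports or dport in r.ports):
            return r.action
    return "deny"  # default deny: unlisted flows are dropped (and should be logged)

if __name__ == "__main__":
    for flow in [("198.51.100.7", "192.0.2.10", 443), ("192.0.2.10", "10.0.0.5", 5432),
                 ("192.0.2.10", "10.0.0.5", 22), ("198.51.100.7", "10.0.0.5", 443)]:
        print(flow, "->", evaluate(*flow))
```

The point to check in any real rule set is the third and last rules: a compromised DMZ host must not be able to open arbitrary connections inward, and external traffic must never reach the internal zone directly.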

Dual Firewall DMZ Network 

Is a single layer of protection enough for your company? If