What is the real function and use of a DMZ on a network?

  • I read the article on Wikipedia describing what a DMZ (demilitarized zone) is on a network, but am still failing to grasp both how it is set up (ie: is it within the main network or sequestered away?) and what its benefits and uses are. Can anyone explain to me why I'd like to have a DMZ on my network, given the following setup:

    1. I have around 10 client computer devices on the network, some of which host SSH.
    2. I have a single server which hosts SSH, HTTP, and a few other publicly accessible services.

    For this given use-case, how would I plug in a DMZ, and what would be the benefits?

    Several DMZ's could separate users on separated ports?? Or it's better to use VLAN's? Which one to use if someone wants to separate the computers on LAN from each other, but still give access to the Internet (for the clients on separated ports)?

  • john

    john Correct answer

    10 years ago

    Reasons why you want a DMZ and the benefits it offers. The general idea is that you put your public faced servers in the "DMZ network" so that you can separate them from your private, trusted network. The use case is that because your server has a public face, it can be remotely rooted. If that happens, and a malicious party gains access to your server, he should be isolated in the DMZ network and not have direct access to the private hosts (or to a database server for example that would be inside the private network and not on the DMZ).

    How to do it: There are several ways, but the 'book example' is by utilizing two firewalls (of course you can achieve the same result with one firewall and smart configuration, although hardware isolation is nicer). Your main firewall is between internet and the server and the second firewall between the server and the private network. On this second firewall, all access from the server to the private network ideally would be forbiden (of course it would be a statefull firewall so if you initiate a connection from the private network to the server it would work).

    So, this is a fairly high level overview of DMZ. If you want more technical details please edit your question accordingly.

    Quick question! Can a DMZ virtual machine could technically exist without a PUBLIC IP? or does this question make no sense (eg: if it doesn't become a DMZ machine unless it has a public IP etc)

    Absolutely makes sense, and extremely common. For example a Database would exist in the DMZ for your web server in the DMZ that is publicly accessible. But that database would be shielded from remote public connections, and only people on the trusted private network could reach the database.

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM