What Is a DMZ and Why Would You Use It? | Fortinet

A demilitarized zone (DMZ) is a perimeter network that protects an organization's internal local area network (LAN) from untrusted traffic. A DMZ ensures a ... Skiptocontent Skiptonavigation Skiptofooter DMZ FortinetNamedaLeaderinthe2021Gartner®MagicQuadrant™forNetworkFirewalls WhatisaDMZNetwork? ADMZNetworkisaperimeternetworkthatprotectsandaddsanextralayerofsecuritytoanorganization’sinternallocal-areanetworkfromuntrustedtraffic.AcommonDMZisasubnetworkthatsitsbetweenthepublicinternetandprivatenetworks. TheendgoalofaDMZistoallowanorganizationtoaccessuntrustednetworks,suchastheinternet,whileensuringitsprivatenetworkorLANremainssecure.Organizationstypicallystoreexternal-facingservicesandresources,aswellasserversfortheDomainNameSystem(DNS),FileTransferProtocol(FTP),mail,proxy,VoiceoverInternetProtocol(VoIP),andwebservers,intheDMZ.  TheseserversandresourcesareisolatedandgivenlimitedaccesstotheLANtoensuretheycanbeaccessedviatheinternetbuttheinternalLANcannot.Asaresult,aDMZapproachmakesitmoredifficultforahackertogaindirectaccesstoanorganization’sdataandinternalserversviatheinternet. HowDoesaDMZNetworkWork? Businesseswithapublicwebsitethatcustomersusemustmaketheirwebserveraccessiblefromtheinternet.Doingsomeansputtingtheirentireinternalnetworkathighrisk.Topreventthis,anorganizationcouldpayahostingfirmtohostthewebsiteortheirpublicserversonafirewall,butthiswouldaffectperformance.Soinstead,thepublicserversarehostedonanetworkthatisseparateandisolated. ADMZnetworkprovidesabufferbetweentheinternetandanorganization’sprivatenetwork.TheDMZisisolatedbyasecuritygateway,suchasafirewall,thatfilterstrafficbetweentheDMZandaLAN.ThedefaultDMZserverisprotectedbyanothersecuritygatewaythatfilterstrafficcominginfromexternalnetworks. Itisideallylocatedbetweentwofirewalls,andtheDMZfirewallsetupensuresincomingnetworkpacketsareobservedbyafirewall—orothersecuritytools—beforetheymakeitthroughtotheservershostedintheDMZ.Thismeansthatevenifasophisticatedattackerisabletogetpastthefirstfirewall,theymustalsoaccessthehardenedservicesintheDMZbeforetheycandodamagetoabusiness. IfanattackerisabletopenetratetheexternalfirewallandcompromiseasystemintheDMZ,theythenalsohavetogetpastaninternalfirewallbeforegainingaccesstosensitivecorporatedata.AhighlyskilledbadactormaywellbeabletobreachasecureDMZ,buttheresourceswithinitshouldsoundalarmsthatprovideplentyofwarningthatabreachisinprogress. Organizationsthatneedtocomplywithregulations,suchastheHealthInsurancePortabilityandAccountabilityAct(HIPAA),willsometimesinstallaproxyserverintheDMZ.Thisenablesthemtosimplifythemonitoringandrecordingofuseractivity,centralizewebcontentfiltering,andensureemployeesusethesystemtogainaccesstotheinternet. BenefitsofUsingaDMZ ThemainbenefitofaDMZistoprovideaninternalnetworkwithanadvancedsecuritylayerbyrestrictingaccesstosensitivedataandservers.ADMZenableswebsitevisitorstoobtaincertainserviceswhileprovidingabufferbetweenthemandtheorganization’sprivatenetwork.Asaresult,theDMZalsooffersadditionalsecuritybenefits,suchas: Enablingaccesscontrol: Businessescanprovideuserswithaccesstoservicesoutsidetheperimetersoftheirnetworkthroughthepublicinternet.TheDMZenablesaccesstotheseserviceswhileimplementingnetworksegmentationtomakeitmoredifficultforanunauthorizedusertoreachtheprivatenetwork.ADMZmayalsoincludeaproxyserver,whichcentralizesinternaltrafficflowandsimplifiesthemonitoringandrecordingofthattraffic. Preventingnetworkreconnaissance: Byprovidingabufferbetweentheinternetandaprivatenetwork,aDMZpreventsattackersfromperformingthereconnaissanceworktheycarryoutthesearchforpotentialtargets.ServerswithintheDMZareexposedpubliclybutareofferedanotherlayerofsecuritybyafirewallthatpreventsanattackerfromseeinginsidetheinternalnetwork.EvenifaDMZsystemgetscompromised,theinternalfirewallseparatestheprivatenetworkfromtheDMZtokeepitsecureandmakeexternalreconnaissancedifficult. BlockingInternetProtocol(IP)spoofing: AttackersattempttofindwaystogainaccesstosystemsbyspoofinganIPaddressandimpersonatinganapproveddevicesignedintoanetwork.ADMZcandiscoverandstallsuchspoofingattemptsasanotherserviceverifiesthelegitimacyoftheIPaddress.TheDMZalsoprovidesnetworksegmentationtocreateaspacefortraffictobeorganizedandpublicservicestobeaccessedawayfromtheinternalprivatenetwork. ServicesofaDMZinclude: DNSservers FTPservers Mailservers Proxyservers Webservers DMZDesignandArchitecture ADMZisa“wide-opennetwork,"butthereareseveraldesignandarchitectureapproachesthatprotectit.ADMZcanbedesignedinseveralways,fromasingle-firewallapproachtohavingdualandmultiplefirewalls.ThemajorityofmodernDMZarchitecturesusedualfirewallsthatcanbeexpandedtodevelopmorecomplexsystems. Singlefirewall: ADMZwithasingle-firewalldesignrequiresthreeormorenetworkinterfaces.Thefirstistheexternalnetwork,whichconnectsthepublicinternetconnectiontothefirewall.Thesecondformstheinternalnetwork,whilethethirdisconnectedtotheDMZ.VariousrulesmonitorandcontroltrafficthatisallowedtoaccesstheDMZandlimitconnectivitytotheinternalnetwork. Dualfirewall: DeployingtwofirewallswithaDMZbetweenthemisgenerallyamoresecureoption.ThefirstfirewallonlyallowsexternaltraffictotheDMZ,andthesecondonlyallowstrafficthatgoesfromtheDMZintotheinternalnetwork.Anattackerwouldhavetocompromisebothfirewallstogainaccesstoanorganization’sLAN. Organizationscanalsofine-tunesecuritycontrolsforvariousnetworksegments.Thismeansthatanintrusiondetectionsystem(IDS)orintrusionpreventionsystem(IPS)withinaDMZcouldbeconfiguredtoblockanytrafficotherthanHypertextTransferProtocolSecure(HTTPS)requeststotheTransmissionControlProtocol(TCP)port443. TheImportanceofDMZNetworks:HowAreTheyUsed? DMZnetworkshavebeencentraltosecuringglobalenterprisenetworkssincetheintroductionoffirewalls.Theyprotectorganizations’sensitivedata,systems,andresourcesbykeepinginternalnetworksseparatefromsystemsthatcouldbetargetedbyattackers.DMZsalsoenableorganizationstocontrolandreduceaccesslevelstosensitivesystems. Enterprisesareincreasinglyusingcontainersandvirtualmachines(VMs)toisolatetheirnetworksorparticularapplicationsfromtherestoftheirsystems.Thegrowthofthecloudmeansmanybusinessesnolongerneedinternalwebservers.TheyhavealsomigratedmuchoftheirexternalinfrastructuretothecloudbyusingSoftware-as-a-Service(SaaS)applications.  Forexample,acloudservicelikeMicrosoftAzureallowsanorganizationthatrunsapplicationson-premisesandonvirtualprivatenetworks(VPNs)touseahybridapproachwiththeDMZsittingbetweenboth.Thismethodcanalsobeusedwhenoutgoingtrafficneedsauditingortocontroltrafficbetweenanon-premisesdatacenterandvirtualnetworks. Further,DMZsareprovingusefulincounteringthesecurityrisksposedbynewtechnologysuchasInternet-of-Things(IoT)devicesandoperationaltechnology(OT)systems,whichmakeproductionandmanufacturingsmarterbutcreateavastthreatsurface.ThatisbecauseOTequipmenthasnotbeendesignedtocopewithorrecoverfromcyberattacksthewaythatIoTdigitaldeviceshavebeen,whichpresentsasubstantialrisktoorganizations’criticaldataandresources.ADMZprovidesnetworksegmentationtolowertheriskofanattackthatcancausedamagetoindustrialinfrastructure. HowFortinetCanHelp TheFortinetFortiGatenext-generationfirewall(NGFW)containsaDMZnetworkthatcanprotectusers’serversandnetworks.ItcreatesaholeinthenetworkprotectionforuserstoaccessawebserverprotectedbytheDMZandonlygrantsaccessthathasbeenexplicitlyenabled.CheckouttheFortinetcookbookformoreinformationon howtoprotectawebserverwithaDMZ FAQs IsaDMZsafe? TheDMZnetworkitselfisnotsafe.Itenableshostsandsystemsstoredwithinittobeaccessiblefromuntrustedexternalnetworks,suchastheinternet,whilekeepingotherhostsandsystemsonprivatenetworksisolated. WhatisthebenefitofDMZ? ADMZprovidesanextralayerofsecuritytoaninternalnetwork.Itrestrictsaccesstosensitivedata,resources,andserversbyplacingabufferbetweenexternalusersandaprivatenetwork.Otherbenefitsincludeaccesscontrol,preventingattackersfromcarryingoutreconnaissanceofpotentialtargets,andprotectingorganizationsfrombeingattackedthroughIPspoofing. ShouldyouuseaDMZonyourrouter? ADMZcanbeusedonarouterinahomenetwork.TheDMZrouterbecomesaLAN,withcomputersandotherdevicesconnectingtoit.SomehomeroutersalsohaveaDMZhostfeaturethatallocatesadevicetooperateoutsidethefirewallandactastheDMZ.Allotherdevicessitinsidethefirewallwithinthehomenetwork.AgamingconsoleisoftenagoodoptiontouseasaDMZhost.Itensuresthefirewalldoesnotaffectgamingperformance,anditislikelytocontainlesssensitivedatathanalaptoporPC. QuickLinks FreeProductDemo Explorekeyfeaturesandcapabilities,andexperienceuserinterfaces. ResourceCenter Downloadfromawiderangeofeducationalmaterialanddocuments. FreeTrials Testourproductsandsolutions. ContactSales Haveaquestion?We'reheretohelp. AlsoofInterestTCPIPFileTransferProtocol(FTP)MeaningandDefinitionWhatDoesaFirewallDo? ×