DMZ (Demilitarized Zone)
In its original sense, a DMZ is a strip of land along the border between two countries in which, by treaty, neither side stations military forces or asserts control.
In networking, the DMZ is the part of the network that sits between the internet (an untrusted network) and the corporate network (a trusted network). The servers and other resources in the DMZ are trusted less than those on the LAN (Local Area Network), but more than hosts on the internet. (Refer to the diagram above.)
The resources in the DMZ are exposed to the internet because they have to serve requests from it. They also need to talk to resources on the LAN, so a firewall between the two restricts that access. Typically there is one firewall between the internet and the DMZ, and a second firewall with stricter access rules between the DMZ and the intranet.
What resides in the DMZ?
Some examples of servers that typically reside in the DMZ:
- Mail Server
- FTP Server
- Web Server
Why do we need a DMZ?
A DMZ lets us avoid exposing all of our resources to the internet. Without one, every internet-facing server would sit on the same network as everything else, each of them would have to be secured to the same standard, and a compromise of any one of them would put the entire corporate network at risk.
So we expose only a small part of our resources to the web by placing them in the DMZ. This reduces the overall attack surface. The resources in the DMZ are the first line of defense against attacks from the internet: they can be closely monitored, and the firewall between them and the LAN limits the damage if one of them is compromised. A key part of that firewall policy is that DMZ hosts are not allowed to initiate connections into the LAN except for the specific flows their job requires (for example, a load balancer forwarding requests to the application tier on one port). Replies to connections that LAN hosts initiated are permitted by the firewall's connection tracking, but an attacker who takes over a DMZ host must not be able to open new connections inward at will.
DMZ in Application Architecture:
From an application architecture point of view, in internet-facing applications the load balancers (or reverse proxies) are generally placed in the DMZ, since they receive requests from the web. The load balancers then forward those requests to the application servers behind the inner firewall, which allows only that specific flow. Servers that must be protected, such as database servers, sit behind the firewall within the corporate network and are not reachable directly from the internet-facing hosts in the DMZ.