ELI5: What is a Screened subnet (DMZ)?
It’s a waiting room between the outside world and the private offices. Visitors can sit in the waiting room and be served there, but they cannot walk past the front desk into the back where the important stuff is.
Definition
A screened subnet (commonly called a DMZ — Demilitarized Zone) is a network architecture pattern that uses firewalls to create an intermediate network segment between an untrusted external network (internet) and the trusted internal network. Public-facing servers are placed in this buffer zone, which limits exposure of the internal network while still allowing controlled public access.
Key Details
- Classic three-legged firewall design: one firewall with three interfaces (internet, DMZ, internal)
- Dual-firewall design: internet-facing firewall and internal-facing firewall sandwich the DMZ for additional security
- Systems in the DMZ should be hardened and assumed to be potentially compromised
- Traffic from DMZ to internal network should be strictly restricted and filtered
- Common DMZ services: web servers, mail relays, DNS resolvers, reverse proxies, bastion hosts
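One way to express the three-legged design above as firewall rules, added here as an example that is not part of the original entry: an nftables forward chain with a default-deny policy and one explicitly allowed path from the DMZ into the internal network. The interface names (wan0, dmz0, lan0), the addresses and the web-to-database port 5432 are assumptions for illustration.

```nftables
# Added example (not from the original entry): three-legged firewall ruleset.
# Assumed layout:
#   wan0 -> internet (untrusted)
#   dmz0 -> screened subnet 10.0.1.0/24, public web server at 10.0.1.10
#   lan0 -> internal network 10.0.2.0/24, database server at 10.0.2.20
table inet screened {
    chain forward {
        type filter hook forward priority 0; policy drop;   # default deny between all legs

        # Return traffic for sessions permitted below; drop anything untracked
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the published web service on the web host
        iifname "wan0" oifname "dmz0" ip daddr 10.0.1.10 tcp dport { 80, 443 } accept

        # Internet -> internal: never forwarded; explicit rule so attempts are logged
        iifname "wan0" oifname "lan0" log prefix "wan-to-lan-blocked: " drop

        # DMZ -> internal: the DMZ host is treated as potentially compromised,
        # so a single path (web server to its database) is allowed and
        # everything else toward lan0 is logged and dropped.
        iifname "dmz0" oifname "lan0" ip saddr 10.0.1.10 ip daddr 10.0.2.20 tcp dport 5432 accept
        iifname "dmz0" oifname "lan0" log prefix "dmz-to-lan-blocked: " drop

        # DMZ -> internet: only what the services need (package updates, DNS)
        iifname "dmz0" oifname "wan0" tcp dport { 80, 443 } accept
        iifname "dmz0" oifname "wan0" udp dport 53 accept

        # Internal -> DMZ: administrators reach the web host over SSH, users reach the site
        iifname "lan0" oifname "dmz0" ip daddr 10.0.1.10 tcp dport { 22, 80, 443 } accept

        # Internal -> internet
        iifname "lan0" oifname "wan0" accept
    }
}
```

Load it with `nft -f` on a Linux host that routes between the three interfaces; the `dmz-to-lan-blocked` log prefix is a useful detection hook, since a DMZ host trying to reach internal addresses other than its database is exactly the behaviour the buffer zone exists to catch.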
Connections
- Parent: firewalls — screened subnets are created using firewall configurations
- See also: dmz-demilitarized-zone