DMZ – CompTIA Security+ SY0-401: 1.3


A common network design is to include a virtual DMZ (demilitarized zone) to separate the Internet from the inside of the network. In this video, you’ll learn how a DMZ is used as a layer of protection and which devices you would commonly find in a DMZ.

Connecting someone to the internet is something you really have to think about before you go through the process. You don’t want to connect someone directly to the internet. There are way too many bad things going on on the other side of your firewall to consider plugging directly in. Unfortunately, a lot of people who have cable modems or DSL connections do sometimes connect directly to those links without any type of router or security device in the middle.

In this diagram, I’ve put down what most people are doing for security when they want to have internet connectivity, and they take advantage of something called a DMZ. It’s a military term. It stands for demilitarized zone, and it refers to that section between two opposing forces. Usually, it’s an area that has been set aside, and everyone agrees that nobody’s going there to create any trouble.

And in our particular case, we create this DMZ with a connection off of a firewall. In the DMZ is where you would put things that people need to access from the internet. These might be web servers. They might be email servers. They might be other types of services you’re providing to people who are out on the internet side.

And obviously, since your internal network is also connecting through this firewall, generally, people on the inside do have limited access to the DMZ, although sometimes they have no access to the DMZ. It’s completely up to you and your security policies.

The idea is that if there is going to be a problem with people accessing resources directly from the internet into your environment, the worst thing they’d ever be able to mess up inside of your network are things in this DMZ. It also means that we can keep some very tight policies on our firewall that allow just the right amount of access into the DMZ and no more. We’re not going to give anybody more access to a mail server, or more access to a web server, than that particular service requires.

And because we have a completely separate network on the inside, the firewall can have very, very tight restrictions on what people can do from the internet to the internal network. In many cases, you may not initiate a session from the internet to any device that is on the internal network.
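To make the three-zone policy described above concrete, here is an added example (not part of the video or the course) that models the firewall as a small zone-based rule evaluator. The addresses, the two published DMZ services and the ports internal users may reach are all constructed assumptions; the decisions encode the policy from the text: the internet reaches only the published DMZ services, can never initiate a session into the internal network, the inside has limited access to the DMZ, and a DMZ host cannot pivot inward.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example addressing (assumption, not from the video).
# Anything outside these two networks is treated as the internet.
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),
    "internal": ip_network("10.0.0.0/8"),
}

# Services the DMZ publishes to the internet: host -> allowed TCP ports.
# Only the service itself is exposed, nothing more (e.g. no SSH on the web server).
DMZ_SERVICES = {
    "192.0.2.10": {80, 443},   # constructed web server
    "192.0.2.25": {25, 587},   # constructed mail server
}

# Ports internal users may reach in the DMZ: limited access, set by local policy.
INTERNAL_TO_DMZ = {443, 25}


def zone_of(ip: str) -> str:
    """Map an address to its zone: 'dmz', 'internal', or 'internet'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    new_session: bool = True  # False = reply traffic of an already established session


def decide(flow: Flow) -> str:
    """Return 'allow' or 'deny' for a flow crossing the firewall."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)

    if src_zone == dst_zone:
        return "allow"  # intra-zone traffic never crosses this firewall

    if not flow.new_session:
        return "allow"  # stateful: replies to sessions the firewall already permitted

    if src_zone == "internet":
        if dst_zone == "internal":
            return "deny"  # no session may be initiated from the internet inward
        if dst_zone == "dmz":
            # Only the exact published service on the exact host
            return "allow" if flow.dport in DMZ_SERVICES.get(flow.dst, set()) else "deny"

    if src_zone == "internal":
        if dst_zone == "dmz":
            return "allow" if flow.dport in INTERNAL_TO_DMZ else "deny"
        return "allow"  # normal outbound access to the internet

    if src_zone == "dmz":
        if dst_zone == "internal":
            return "deny"  # a compromised DMZ host must not reach the inside
        return "allow"  # e.g. the mail server delivering outbound mail

    return "deny"  # default deny for anything not explicitly covered


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.5 stands in for an internet host.
    samples = [
        Flow("203.0.113.5", "192.0.2.10", 443),   # internet -> DMZ web: allow
        Flow("203.0.113.5", "192.0.2.10", 22),    # internet -> DMZ ssh: deny
        Flow("203.0.113.5", "10.1.1.5", 443),     # internet -> internal: deny
        Flow("10.1.1.5", "192.0.2.10", 443),      # internal -> DMZ web: allow
        Flow("192.0.2.10", "10.1.1.5", 445),      # DMZ -> internal: deny
    ]
    for f in samples:
        print(f"{zone_of(f.src):8} -> {zone_of(f.dst):8} {f.dst}:{f.dport}  {decide(f)}")
```

Running the block prints one decision per sample flow. The `new_session` flag is what lets "you may not initiate a session from the internet" coexist with internal users browsing the web: their outbound requests are new sessions from the inside, and the replies come back as established traffic.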

So that DMZ is a good middle ground. It’s not the tightest and most secure network. It’s not completely open to the internet. It’s just open enough to provide those services that are important for your internet users.