It has for many years been risky to connect computers to the Internet. In most cases, some kind of firewall is used to protect the computers behind it. A more sophisticated way of protecting computers is to use a Demilitarized Zone (DMZ), sometimes also called a perimeter network.
Servers that need to communicate with both internal and external computers create a security problem for companies. Placing such computers in the internal network, behind the firewalls, means that the firewalls need to allow a lot of traffic through. On the other hand, if the computers are placed outside the firewalls, they are very vulnerable to attacks. The solution to this dilemma is generally a DMZ, a zone between the Internet and the company’s internal network.
A DMZ can be designed in a number of ways, but typically a DMZ is placed outside the company’s (internal) firewall and has a second (external) firewall between itself and the Internet. This means that the internal firewall will only let through traffic from hosts in the DMZ, generally further restricted to specific ports from specific hosts. The external firewall will only let through traffic to the servers in the DMZ, and that traffic is generally limited to specific ports for each server.
This way, the company’s internal network is relatively well secured at the same time as it is possible to reach some of the company’s computers from the Internet. Obviously, a DMZ can be implemented in many other ways but the basic principles are the same. Although not as secure, it is possible to let the same physical firewall be both the external and internal firewall. Nowadays, most companies have much more complex solutions for DMZs. It is quite common to have multiple DMZs.
It is worth remembering that a DMZ’s purpose is to protect the internal company network from the untrusted Internet, or any other untrusted network. Threats from the inside are seldom covered by a DMZ.
It is very common to place servers such as mail, DNS and HTTP (web) servers in the DMZ. For example, incoming mail is delivered to the mail server in the DMZ, which forwards the emails to the internal mail server. This makes it easy to configure the firewalls for email. Often one additional connection is allowed, so that it is possible to manage the mail server in the DMZ from the internal network. With a DMZ, DNS often becomes a relatively small security risk. The DNS server in the DMZ only needs to know a few servers in the internal company network, so there is little to be gained if someone manages to compromise it. The sensitive DNS data is stored on the DNS servers behind the internal firewall.
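The two-firewall policy described above (external firewall: only specific ports to specific DMZ servers; internal firewall: only specific DMZ hosts to specific internal hosts, plus one management connection) can be modelled as a small first-match packet filter. This is an added example, not from the original article; the addresses, host names and port numbers are constructed for illustration, and only new inbound connections are modelled (stateful return traffic is ignored).

```python
from ipaddress import ip_address, ip_network

# Constructed topology (not from the article): one DMZ segment and one
# internal network; every other address is treated as the Internet.
DMZ = ip_network("192.0.2.0/24")
INTERNAL = ip_network("10.0.0.0/8")
ANY = "0.0.0.0/0"
MAIL_DMZ, DNS_DMZ, WEB_DMZ = "192.0.2.10", "192.0.2.20", "192.0.2.30"
MAIL_INT, DNS_INT, ADMIN = "10.1.0.10", "10.1.0.20", "10.2.0.5"

# Rules are (source, destination, destination port, action), evaluated
# first-match with an implicit final deny.
EXTERNAL_FW = [
    (ANY, MAIL_DMZ, 25, "allow"),       # inbound mail only to the DMZ relay
    (ANY, DNS_DMZ, 53, "allow"),        # public DNS only to the DMZ name server
    (ANY, WEB_DMZ, 443, "allow"),       # public web server
]
INTERNAL_FW = [
    (MAIL_DMZ, MAIL_INT, 25, "allow"),  # relay forwards to the internal mail server
    (DNS_DMZ, DNS_INT, 53, "allow"),    # DMZ DNS knows only a few internal names
    (ADMIN, MAIL_DMZ, 22, "allow"),     # the one management connection from inside
]

def _net(spec):
    """Accept either a CIDR block or a single host address."""
    return ip_network(spec if "/" in spec else spec + "/32")

def fw_allows(rules, src, dst, port):
    """Evaluate one firewall's rule list; unmatched traffic is denied."""
    s, d = ip_address(src), ip_address(dst)
    for rule_src, rule_dst, rule_port, action in rules:
        if s in _net(rule_src) and d in _net(rule_dst) and port == rule_port:
            return action == "allow"
    return False  # implicit default deny

def zone(addr):
    a = ip_address(addr)
    return "dmz" if a in DMZ else "internal" if a in INTERNAL else "internet"

def permitted(src, dst, port):
    """A new connection must be accepted by every firewall on its path:
    the external one if an endpoint is on the Internet, the internal one
    if an endpoint is on the internal network, both for Internet<->internal."""
    zs, zd = zone(src), zone(dst)
    if zs == zd:
        return True  # no firewall between hosts in the same zone
    crossed = []
    if "internet" in (zs, zd):
        crossed.append(EXTERNAL_FW)
    if "internal" in (zs, zd):
        crossed.append(INTERNAL_FW)
    return all(fw_allows(fw, src, dst, port) for fw in crossed)
```

Running the checks below shows the key property: an Internet host can reach the DMZ relay on port 25 but never the internal mail server directly, and a compromised DMZ web server still cannot reach the internal mail or DNS servers.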
Do you need a DMZ for your home network? Probably not, unless you have servers at home which must be reached from the Internet. If the traffic is just outgoing, a firewall/router with NAT (network address translation) is a relatively secure solution.