What is DMZ in security?

DMZ: demilitarized zone

Excerpted from: Firewall with DMZ (lancom-systems.de)

The demilitarized zone (DMZ) represents a special area of the local area network, which is shielded by a firewall both from the Internet and from the LAN itself. Computers or servers that should be accessible from the unsecured network (Internet) should be placed into this network. These include, for example, your own FTP and Web servers.

First and foremost, the firewall protects the DMZ against attacks from the Internet. Additionally, the firewall also protects the LAN against the DMZ. The firewall is configured so that only the following accesses are possible:

  • Stations from the Internet can access the servers in the DMZ, but access to the LAN from the Internet is not possible.
  • The stations on the LAN can access the Internet and the servers in the DMZ.
  • The servers in the DMZ cannot access the stations in the LAN. This ensures that even a "cracked" server in the DMZ does not pose a security risk for the LAN.
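
The three rules above can be checked mechanically against a rule table. The following is an added example, not code from the original page or from LANCOM: the `Rule` model, the zone names and both sample rule tables are assumptions made for illustration, and first-match evaluation with stateful handling of reply traffic is assumed.

```python
from dataclasses import dataclass

# The page's three bullets as (source zone, destination zone) -> allowed?
# Applies to NEW connections; replies are assumed to pass via stateful tracking.
PAGE_POLICY = {
    ("internet", "dmz"): True,
    ("internet", "lan"): False,
    ("lan", "internet"): True,
    ("lan", "dmz"): True,
    ("dmz", "lan"): False,
}

@dataclass(frozen=True)
class Rule:          # hypothetical rule model, not a LANCOM format
    src: str         # zone name or "any"
    dst: str         # zone name or "any"
    action: str      # "accept" or "drop"

def decide(rules, src, dst, default="drop"):
    """First matching rule wins; unmatched traffic gets the default action."""
    for r in rules:
        if r.src in (src, "any") and r.dst in (dst, "any"):
            return r.action
    return default

def audit(rules, default="drop"):
    """Return (src, dst, expected, actual) for every flow that breaks the policy."""
    findings = []
    for (src, dst), allowed in PAGE_POLICY.items():
        expected = "accept" if allowed else "drop"
        actual = decide(rules, src, dst, default)
        if actual != expected:
            findings.append((src, dst, expected, actual))
    return findings

WEAK_RULES = [  # constructed sample table with an ordering mistake
    Rule("internet", "dmz", "accept"),
    Rule("lan", "any", "accept"),
    Rule("dmz", "any", "accept"),  # meant for outbound traffic, also opens DMZ -> LAN
    Rule("dmz", "lan", "drop"),    # shadowed by the rule above, never reached
]
FIXED_RULES = [  # constructed sample table that satisfies all three bullets
    Rule("internet", "dmz", "accept"),
    Rule("lan", "any", "accept"),
    Rule("dmz", "lan", "drop"),
]

if __name__ == "__main__":
    print("weak:", audit(WEAK_RULES), "fixed:", audit(FIXED_RULES))
```

The weak table looks correct at a glance because it contains an explicit DMZ-to-LAN drop, but the broader accept rule placed before it matches first, which is the kind of error a default-deny policy plus an automated check catches.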

 

The direct data exchange between LAN and DMZ is not possible via the LAN bridge if a dedicated DMZ port is used. The path from the LAN to the DMZ and vice versa is therefore only through the router, and thus through the firewall. This in turn shields the LAN against requests from the DMZ as well as against the Internet.

 

posted @ saaspeter