What is a DMZ in network architecture, and why would you use one?
Short answer
A DMZ (demilitarized zone) is a network segment that sits between the untrusted internet and the trusted internal network, hosting public-facing services like web, mail, and DNS servers. Firewall rules let the internet reach the DMZ but tightly restrict the DMZ's access to the internal network. The goal is containment: if a public server is compromised, the attacker is stuck in the buffer zone rather than landing inside the LAN.
A DMZ embodies a simple, durable idea: anything the internet can reach will eventually be probed and may be breached, so don't let those exposed systems sit next to your crown jewels. The DMZ is the buffer that absorbs that risk.
What it is
A DMZ (demilitarized zone) is a separate network segment placed between the hostile internet and the trusted internal network. It hosts services that must be reachable from outside: web servers, reverse proxies, mail gateways, public DNS. Firewall policy is the whole point:
- Internet → DMZ: allowed, but only to specific services/ports.
- DMZ → Internal: heavily restricted, ideally to specific hosts/ports (e.g., the web server may reach only an application gateway, never the whole LAN).
- Internal → DMZ: controlled as needed.
Why use one — containment
If an attacker compromises a public web server with no DMZ, they often land directly inside the corporate network and pivot freely. With a DMZ, the compromised box is fenced into the buffer zone; the second set of rules between DMZ and internal stops them from reaching domain controllers, databases, and file servers without crossing another controlled boundary. This is defense in depth and blast-radius reduction in concrete form.
Designs and good practice
A dual-firewall DMZ (one firewall facing the internet, another facing internal, ideally from different vendors) is stronger than a single-firewall three-legged design, because one firewall flaw doesn't collapse both boundaries. A key practice: a DMZ web server should not hold sensitive data directly — it should talk through a tightly scoped path to a backend that lives deeper inside. The DMZ concept also feeds naturally into modern segmentation and zero-trust thinking.
Interviewers want the buffer-zone definition, the asymmetric firewall rules, and the containment/blast-radius rationale.
Likely follow-ups
- What's the difference between a single-firewall and a dual-firewall DMZ design?
- Why should a web server in the DMZ not hold the database directly?
- How does a DMZ relate to network segmentation and zero trust?