A DMZ (or De-Militarized Zone harkening back to the Korean War) is a physical security design for connecting a trusted network to an untrusted network. In a DMZ the physical work is done by routers utilizing security rules. The idea is that anyone trying to penetrate a trusted network would need to first circumnavigate the DMZ hardware to enter the private trusted network. At the same time, the trusted network needed to be able to access network resources stored in the DMZ subnet. The DMZ became one of the first network architectures to guard a private network.
At its most basic there are two network architectures. Single firewall (sometimes called single rail) and Dual Firewall (sometimes called double rail). For both architectures there are a minimum of three subnets. These subnets include the untrusted subnet, the trusted subnet and the DMZ subnet. The trusted network will hold all the core business resources for the organization. The DMZ subnet holds all the network resources that need to communicate with resources on the untrusted network. The untrusted network accesses the DMZ resources but is unable to access the corporate resources.
A simple example would be a public facing website. In this case the Internet would be the untrusted network because anonymous users from the internet would be accessing company web servers. At the same time the corporate network (the trusted network) would need access the DMZ to manage the web servers. The problem is that if the webs server were compromised, the corporate website could be used to compromise the core systems in the company.
To avoid this DMZ is setup. The DMZ is a separate subnet connected to the router(s). On this subnet is where the web servers, accessed by the public, are located. The router blocks access to any packets originating outside the corporate subnet while allowing access to the DMZ servers. This protects the corporate network from any inbound access from the internet or from the DMZ.
In its simplest design there are two types of DMZ rules. Inbound rules that focus on the communication from the untrusted network to the DMZ subnet. Outbound rules are rules from the trusted network to the DMZ. Inbound rules describe the way in which non-trusted network communication are allowed to occur between the untrusted network and the DMZ resources. Outbound rules describe how the trusted network communicates with the DMZ servers.
The requirement then becomes that the DMZ servers are never able to communicate directly with the trusted network, so if a server in the DMZ is compromised; the trusted network is still safe. At the same time a system on the trusted network can access the servers in the DMZ and make changes to these systems.
Again this is a DMZ in its simplest form. Additional outbound rules can be added to the routers that will allow the trusted network access to the untrusted network. If the untrusted network is the Internet, this is a way to provide internet access to users from the trusted network. It begins to get complicated when only a few users on the trusted network are trusted in the DMZ. While at the same time another group of users are trusted with access to the internet, but may be untrusted on the DMZ.
The next complication comes when allowing trusted users on the untrusted network to access the trusted network or manage the DMZ systems. For example a trusted user on an untrusted network may be a user telecommuting from home. As trust relationships become more complicated writing rules for every situation can bog down the system. As old users leave the company and new users take their place, maintaining all these rules becomes problematic. This is where new technologies, procedures and protocols can simplify system management. The process can be reliably automated using systems like public key infrastructure (PKI) processes. These systems authenticate trusted and untrusted packets from both the trusted and untrusted networks.
In the end though, the basic physical infrastructure of the DMZ remains the same. New technologies, protocols and systems are added to the basic DMZ infrastructure. The basic DMZ infrastructure is part of an even larger modern network architecture and strategy called Edge Systems. Edge systems manage the complexity of tunneling, authenticating and protecting data packets crossing DMZ boundaries.