DMZ (computing)
==Rationale==
The DMZ is seen as not belonging to either network bordering it. This metaphor applies to the computing use, as the DMZ acts as a gateway to the public Internet: it is neither as secure as the internal network nor as insecure as the public Internet. The [[host (network)|host]]s most vulnerable to attack are those that provide services to users outside the [[local area network]], such as [[e-mail]], [[World Wide Web|Web]] and [[Domain Name System]] (DNS) servers. Because these hosts are the most likely to be attacked, they are placed in this separate subnetwork so that the rest of the network stays protected if any of them is compromised.

Hosts in the DMZ are permitted only limited connectivity to specific hosts in the internal network, because the DMZ is not as secure as the internal network. Similarly, communication between hosts in the DMZ and the external network is restricted, so that the DMZ is more secure than the Internet and suitable for housing these special-purpose services. Hosts in the DMZ can thus communicate with both the internal and the external network, while an intervening [[firewall (computing)|firewall]] controls the traffic between the DMZ servers and the internal network clients, and another firewall controls the traffic between the DMZ and the external network.

A DMZ configuration provides additional security against external attacks, but it typically has no bearing on internal attacks such as sniffing communication with a [[packet analyzer]] or [[Spoofing attack|spoofing]] such as [[e-mail spoofing]]. A compromised DMZ host can also still reach whatever internal hosts and ports the inner firewall allows it, and other hosts on the same DMZ segment unless traffic between them is filtered as well, so those allowances should be as narrow as the services require.
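The zone model described above, written out as an explicit policy. This is an added example, not code from the article: the Internet, the DMZ and the internal LAN are modelled as zones, the permitted flows as a first-match table with default deny, and the same table is used both to decide whether a sample flow is allowed and to emit the equivalent nftables rules. All addresses (10.0.0.0/16 for the LAN, 192.0.2.0/24 for the DMZ), host roles and ports are constructed for the example.

```python
"""Zone policy for a three-zone DMZ (Internet / DMZ / internal LAN).

Added example: models the allowed flows as a first-match allow list with
default deny, evaluates sample flows against it, and renders the same
policy as an nftables forward chain. All addresses and host roles are
constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address plan (an assumption for the example).
ZONES = {
    "internal": ip_network("10.0.0.0/16"),
    "dmz": ip_network("192.0.2.0/24"),  # TEST-NET-1 stands in for public DMZ space
}


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the known networks is the Internet."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "external"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    src: Optional[str]  # specific host, or None for any host in src_zone
    dst: Optional[str]  # specific host, or None for any host in dst_zone
    proto: str
    dport: int
    comment: str


# Allowed flows, matched top to bottom. Anything not listed is dropped.
POLICY = [
    # Outer firewall: the Internet reaches only the published DMZ services.
    Rule("external", "dmz", None, "192.0.2.10", "tcp", 443, "public web server"),
    Rule("external", "dmz", None, "192.0.2.20", "tcp", 25, "inbound mail relay"),
    Rule("external", "dmz", None, "192.0.2.30", "udp", 53, "authoritative DNS"),
    # Inner firewall: each DMZ host may open only the internal connections it needs.
    Rule("dmz", "internal", "192.0.2.10", "10.0.5.10", "tcp", 5432, "web server to database"),
    Rule("dmz", "internal", "192.0.2.20", "10.0.5.20", "tcp", 25, "relay to internal mail store"),
    # DMZ hosts get minimal outbound access, so a compromised one is a poor pivot.
    Rule("dmz", "external", "192.0.2.20", None, "tcp", 25, "relay delivers outbound mail"),
    Rule("dmz", "external", None, None, "udp", 53, "resolver lookups"),
    # Employees use the published web application like anyone else.
    Rule("internal", "dmz", None, "192.0.2.10", "tcp", 443, "LAN clients to web server"),
]


def matches(rule: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    return (
        rule.src_zone == zone_of(src)
        and rule.dst_zone == zone_of(dst)
        and rule.src in (None, src)
        and rule.dst in (None, dst)
        and rule.proto == proto
        and rule.dport == dport
    )


def decide(src: str, dst: str, proto: str, dport: int) -> str:
    """Return 'accept: <comment>' for the first matching rule, else 'drop'."""
    for rule in POLICY:
        if matches(rule, src, dst, proto, dport):
            return f"accept: {rule.comment}"
    return "drop"


def _nft_addr(field: str, zone: str, host: Optional[str]) -> str:
    if host:
        return f"{field} {host}"
    if zone == "external":  # "not one of our networks"
        nets = ", ".join(str(n) for n in ZONES.values())
        return f"{field} != {{ {nets} }}"
    return f"{field} {ZONES[zone]}"


def to_nftables(policy=POLICY) -> str:
    """Render the policy as an nftables forward chain with default drop (IPv4 only)."""
    lines = [
        "table inet filter {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in policy:
        lines.append(
            f"    {_nft_addr('ip saddr', r.src_zone, r.src)} "
            f"{_nft_addr('ip daddr', r.dst_zone, r.dst)} "
            f'{r.proto} dport {r.dport} accept comment "{r.comment}"'
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_nftables())
    for flow in [("198.51.100.7", "192.0.2.10", "tcp", 443),  # Internet -> web: allowed
                 ("198.51.100.7", "10.0.5.10", "tcp", 5432),  # Internet -> database: dropped
                 ("192.0.2.10", "10.0.5.10", "tcp", 5432),    # web -> database: allowed
                 ("192.0.2.20", "10.0.5.10", "tcp", 5432),    # mail relay -> database: dropped
                 ("192.0.2.10", "10.0.7.33", "tcp", 445)]:    # web -> arbitrary LAN host: dropped
        print(flow, "->", decide(*flow))
```

Two points the table makes concrete: the inner rules name the source host as well as the destination, so a compromised mail relay cannot reuse the web server's database allowance; and a forward chain only sees traffic that crosses the firewall, so two DMZ hosts on the same segment can still talk to each other unless host firewalls or private VLANs filter that traffic too. With two separate firewall devices, as in the article's layout, the "external"/"dmz" rules go on the outer one and the "dmz"/"internal" rules on the inner one.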
It is also sometimes good practice to configure a separate classified militarized zone (CMZ),<ref name="Bradley Mitchell">{{cite web | url=https://www.lifewire.com/demilitarized-zone-computer-networking-816407 | title=Demilitarized Zone in Computer Networking | date=27 August 2018 | access-date=10 December 2018 | author= Bradley Mitchell}}</ref> a highly monitored militarized zone comprising mostly Web servers (and similar servers that interface to the external world, i.e. the Internet) that are not in the DMZ but contain sensitive information about accessing servers within the LAN (such as database servers). In such an architecture, the DMZ usually holds the [[application firewall]] and the [[FTP]] server, while the CMZ hosts the Web servers. (The database servers could be in the CMZ, in the LAN, or in a separate VLAN altogether.)

Any service that is provided to users on the external network can be placed in the DMZ. The most common of these services are:
* [[Web servers]]
* [[Mail servers]]
* [[FTP servers]]
* [[VoIP]] servers

Web servers that communicate with an internal database require access to a [[database server]], which may not be publicly accessible and may contain sensitive information. The web servers can communicate with the database servers either directly or through an [[application firewall]] for security reasons. In either case the firewall between the DMZ and the internal network should permit only the web servers' addresses to reach the database server, and only on the database port.

[[E-mail]] messages, and particularly the user database, are confidential, so they are typically stored on servers that cannot be accessed from the Internet (at least not in an insecure manner) but can be accessed from email servers that are exposed to the Internet. The mail server inside the DMZ passes incoming mail to the secured/internal mail servers. It also handles outgoing mail.

For security, compliance with legal standards such as [[HIPAA]], and monitoring reasons, in a business environment some enterprises install a [[proxy server]] within the DMZ.
This has the following benefits:
* Internal users (usually employees) are obliged to use the proxy server for Internet access.
* Internet access bandwidth requirements are reduced, since some web content may be cached by the proxy server.
* Recording and monitoring of user activities is simplified.
* Web content filtering is centralized.

A [[reverse proxy]] server, like a proxy server, is an intermediary, but it is used the other way around. Instead of providing a service to internal users who want to access an external network, it provides indirect access for an external network (usually the Internet) to internal resources. For example, access to a back-office application such as an email system could be provided to external users (to read email while outside the company), but the remote user would not have direct access to the email server; only the reverse proxy server can connect to the internal email server. This is an extra layer of security that is particularly recommended when internal resources need to be accessed from the outside, but this design still allows remote (and potentially malicious) users to talk to the internal resources with the help of the proxy. Since the proxy functions as a relay between the untrusted network and the internal resource, it may also forward malicious traffic (e.g. [[Exploit (computer security)|application-level exploits]]) towards the internal network; therefore the proxy's attack detection and filtering capabilities are crucial in preventing external attackers from exploiting vulnerabilities in the internal resources that are exposed via the proxy.
Usually such a reverse proxy mechanism is provided by an [[application layer firewall]] that inspects the specific shape and contents of the traffic rather than just controlling access to specific [[TCP and UDP port]]s (as a [[Firewall (computing)#Packet filter|packet filter firewall]] would do). A reverse proxy is usually not a good substitute for a well-thought-out DMZ design, however, because its filtering relies on continuous signature updates to keep up with new attack vectors: a request that matches no signature is relayed to the internal resource unchanged.
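The reverse proxy described in the two paragraphs above, reduced to its decision logic. This is an added example, not code from the article or from any proxy product: the proxy that publishes an internal email application is modelled as a pure function that, for each inbound request, returns either what the internal server would receive or a block decision. The upstream host (mail.internal.example), the published path prefix (/mail) and the three attack signatures are constructed for the example.

```python
"""Reverse proxy relay with an allow list and signature checks.

Added example: a DMZ reverse proxy publishing one internal application,
modelled as a pure function so it runs offline. Upstream host, published
prefix and signatures are constructed for the example.
"""
import posixpath
import re
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

INTERNAL_UPSTREAM = "http://mail.internal.example:8080"  # assumed; reachable only from the proxy
PUBLISHED_PREFIX = "/mail"                                # the one application exposed
ALLOWED_METHODS = {"GET", "POST"}
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authorization", "te",
              "trailer", "transfer-encoding", "upgrade"}
# Toy attack signatures standing in for a WAF ruleset. They need constant
# updating and miss anything not listed, which is the article's caveat.
SIGNATURES = [re.compile(p, re.I) for p in (r"\.\./", r"<script\b", r"union\s+select")]


@dataclass
class Request:
    method: str
    target: str          # path plus optional query, as sent by the client
    headers: dict
    body: str = ""
    client_ip: str = "203.0.113.9"


@dataclass
class Forward:
    url: str
    headers: dict
    body: str


@dataclass
class Block:
    reason: str


def canonical_path(target: str) -> str:
    """Decode (twice, to catch double encoding) and normalise the path.

    The allow list must be checked against this form, not the raw bytes;
    otherwise /mail/%2e%2e/admin slips past a prefix check on '/mail'.
    """
    path = unquote(unquote(urlsplit(target).path))
    return posixpath.normpath(path)


def relay(req: Request):
    """Decide whether to forward a request to the internal upstream."""
    if req.method not in ALLOWED_METHODS:
        return Block(f"method {req.method} not allowed")
    path = canonical_path(req.target)
    if path != PUBLISHED_PREFIX and not path.startswith(PUBLISHED_PREFIX + "/"):
        return Block(f"path {path} is not published")
    for sig in SIGNATURES:
        if sig.search(req.target) or sig.search(req.body):
            return Block(f"matched signature {sig.pattern!r}")
    # Drop hop-by-hop headers and any client-supplied X-Forwarded-For, then
    # stamp the real client address and the upstream Host ourselves.
    out = {k: v for k, v in req.headers.items()
           if k.lower() not in HOP_BY_HOP and k.lower() != "x-forwarded-for"}
    out["X-Forwarded-For"] = req.client_ip
    out["Host"] = urlsplit(INTERNAL_UPSTREAM).netloc
    query = urlsplit(req.target).query
    url = INTERNAL_UPSTREAM + path + (f"?{query}" if query else "")
    return Forward(url, out, req.body)


if __name__ == "__main__":
    samples = [  # constructed requests
        Request("GET", "/mail/inbox?folder=1",
                {"Host": "webmail.example.com", "Connection": "keep-alive"}),
        Request("GET", "/mail/%2e%2e/admin/config", {}),       # encoded traversal
        Request("DELETE", "/mail/inbox", {}),                   # method not published
        Request("POST", "/mail/search", {}, "q=' UNION SELECT password FROM users--"),
        Request("POST", "/mail/search", {}, "q=' OR 1=1--"),   # no signature: relayed
    ]
    for s in samples:
        print(s.method, s.target, "->", relay(s))
```

The ordering is deliberate: the allow list is checked against the canonical path, so the percent-encoded traversal is rejected even though the raw target never matches the `../` signature. The last sample shows the limitation the article describes: the second injection payload matches none of the signatures, so the proxy relays it to the internal application, and only the application's own input handling stands between the attacker and the data.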