
Perimeter or DMZ Firewall Tutorial Guide



Perimeter Network or DMZ (Demilitarized Zone)

The DMZ network, also sometimes called a perimeter network, is a separate network used to place web servers, e-mail servers, FTP servers and other public servers that must be reachable from, or must reach out to, the internet.

Having a separate network segregated from the internal network means you can keep the full protection on your internal network by placing the public-facing servers that require access from the outside world into the DMZ. You would then configure your firewall rules to allow access to these servers from the internet. When we say full protection for your internal network, we mean that you don't have to open ports to your internal network from the outside world, because the DMZ is used for this instead.

In a real-world scenario you would use a hardware network firewall to separate your DMZ and internal network. A DMZ is simply another layer 3 port on a firewall. You can re-label this port with a name of your choice, such as "DMZ" or "Public Servers", and give it its own network address. So you would have one port used for your DMZ network, another for your internal network and another port that connects to the outside world.

DMZ Network On A Firewall

When perimeter network / DMZ capabilities are not available on a firewall, servers usually have to be placed on the internal network, and rules have to be configured to allow access to them. This type of setup can be very dangerous because the company would have ports and IP addresses on its internal network reachable by anyone from the outside world, and attackers can attempt to reach further internal network resources via these public servers.

However, firewalls built for business networks always have extra interface ports and the functionality to configure a perimeter network / DMZ. With this functionality, a company can place all of its internet-accessible servers on the perimeter/DMZ network and configure access to just those IP addresses and the required ports, without exposing anything on the local network.
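As an added illustration (not part of this guide), the three-interface policy described above expressed as a small zone-based rule model in Python: only the published DMZ services are reachable from the internet, and an audit check flags any rule that would let traffic enter the internal network. The zone ranges, server addresses and ports are constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example: a firewall with three interfaces (WAN, DMZ, LAN).
# The address ranges below are placeholders, not real infrastructure.
ZONES = {
    "DMZ": ip_network("203.0.113.0/28"),   # public servers
    "LAN": ip_network("10.10.0.0/16"),     # internal network
}

def zone_of(ip: str) -> str:
    """Map an address to the interface it sits behind; anything else is WAN."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: str | None    # None = any host in dst_zone
    ports: frozenset[int]   # empty = any port

# Policy from the tutorial: internet reaches only the published DMZ services,
# the LAN may reach the DMZ and the internet, and nothing initiates into the LAN.
RULES = [
    Rule("WAN", "DMZ", "203.0.113.10", frozenset({80, 443})),  # web server
    Rule("WAN", "DMZ", "203.0.113.11", frozenset({25})),       # mail server
    Rule("LAN", "DMZ", None, frozenset()),
    Rule("LAN", "WAN", None, frozenset()),
]

def permitted(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """First-match evaluation of a new connection; the default policy is deny."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r in RULES:
        if r.src_zone != src or r.dst_zone != dst:
            continue
        if r.dst_host is not None and r.dst_host != dst_ip:
            continue
        if r.ports and dst_port not in r.ports:
            continue
        return True
    return False

def lan_exposures(rules: list[Rule]) -> list[Rule]:
    """Audit check: a rule letting WAN or DMZ initiate into the LAN defeats
    the purpose of the DMZ and should be caught before deployment."""
    return [r for r in rules if r.dst_zone == "LAN" and r.src_zone != "LAN"]
```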

It is home routers and small SOHO firewalls that usually lack perimeter/DMZ capabilities. This is understandable, as home users and small companies do not normally need the functionality of a perimeter network; instead they usually host such services with a service provider.

VLANs can also be used to imitate a DMZ network if the firewall supports them. You can create separate VLANs, for example one for your internal network and another for your DMZ network, and then allow access to the DMZ VLAN only from the external interface. VLANs are logical interfaces and provide a number of benefits.
