Demilitarized Zone in Computer Networking

Using a Demilitarized Zone on Computer Networks

In computer networking, a demilitarized zone (DMZ) is a special local network configuration designed to improve security by segregating computers on each side of a firewall. A DMZ can be set up on either home or business networks, although its usefulness in homes is limited.


Where Is a DMZ Useful?

In a home network, computers and other devices typically are configured into a local area network connected to the internet using a broadband router. The router serves as a firewall, selectively filtering traffic from the outside to help ensure only legitimate messages pass through. A DMZ divides such a network into two parts by taking one or more devices inside the firewall and moving them to the outside. This configuration better protects the inside devices from possible attacks by the outside (and vice versa).

A DMZ is useful in homes when the network is running a server. The server can be set up in a DMZ so that internet users can reach it through its public IP address, while the rest of the home network stays protected from attacks if the server is compromised. Years ago, before cloud services became widely available and popular, people more commonly ran Web, VoIP, or file servers from their homes, and DMZs made more sense.

Business computer networks, on the other hand, more commonly use DMZs to help manage their corporate web and other public-facing servers. Home networks nowadays more commonly benefit from a variation of DMZ called DMZ hosting.

DMZ Host Support in Broadband Routers

Information about network DMZs can be confusing at first because the term refers to two kinds of configurations. The standard DMZ host feature of home routers does not set up a full DMZ sub-network but instead identifies one device on the existing local network to function outside the firewall while the rest of the network functions as normal.

To configure DMZ host support on a home network, log into the router console and enable the DMZ host option, which is disabled by default. Enter the private IP address for the local device designated as the host. Xbox or PlayStation game consoles are often chosen as DMZ hosts to prevent the home firewall from interfering with online gaming. Ensure the host uses a static IP address (rather than a dynamically assigned one); otherwise, a different device may inherit the designated IP address and become the DMZ host instead.
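The static-address caveat above can be checked mechanically. The following Python audit is an added example, not part of the original article or of any router's firmware; the configuration dictionary, lease table, field names, and addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample data (hypothetical field names, not a vendor export format).
ROUTER = {
    "lan_subnet": "192.168.1.0/24",
    "dhcp_pool": ("192.168.1.100", "192.168.1.199"),
    "reservations": {},                      # IP -> MAC pinned by the router
    "dmz_enabled": True,
    "dmz_host_ip": "192.168.1.150",
    "dmz_intended_mac": "02:00:00:aa:bb:01", # the device meant to be exposed
}
LEASES = {"192.168.1.150": "02:00:00:cc:dd:02"}  # IP -> MAC currently holding it

def audit_dmz_host(cfg, leases):
    """Return a list of findings about the router's DMZ host setting."""
    if not cfg["dmz_enabled"]:
        return []
    lan = ipaddress.ip_network(cfg["lan_subnet"])
    dmz_ip = ipaddress.ip_address(cfg["dmz_host_ip"])
    if dmz_ip not in lan:
        return [f"{dmz_ip} is not inside LAN subnet {lan}"]

    findings = []
    start, end = (ipaddress.ip_address(a) for a in cfg["dhcp_pool"])
    intended = cfg["dmz_intended_mac"].lower()
    reserved = cfg["reservations"].get(str(dmz_ip))

    # An unreserved address inside the dynamic pool can be leased to any device.
    if start <= dmz_ip <= end and reserved is None:
        findings.append(f"{dmz_ip} is in the DHCP pool with no reservation")
    # A reservation only helps if it pins the address to the intended device.
    if reserved is not None and reserved.lower() != intended:
        findings.append(f"{dmz_ip} is reserved for {reserved}, not the intended host")
    # The lease table shows whether another device already holds the address.
    holder = leases.get(str(dmz_ip))
    if holder is not None and holder.lower() != intended:
        findings.append(f"{dmz_ip} is currently held by {holder}")
    return findings

if __name__ == "__main__":
    for finding in audit_dmz_host(ROUTER, LEASES):
        print("FINDING:", finding)
```

With the sample data, the audit reports both the unreserved pool address and the unintended device that currently holds it, which is the situation where that device is exposed outside the firewall.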

True DMZ Support

In contrast to DMZ hosting, a true DMZ (sometimes called a commercial DMZ) establishes a new sub-network outside the firewall where one or more computers run. Those computers on the outside add an extra layer of protection for computers behind the firewall as all incoming requests are intercepted and must first pass through a DMZ computer before reaching the firewall. True DMZs also restrict computers behind the firewall from communicating directly with DMZ devices, requiring messages to come through the public network instead. Multi-level DMZs with several layers of firewall support can be set up to support large corporate networks.
