DMZ - De-Militarized Zone (Computer Networking)

In computer networking, a De-Militarized Zone (DMZ) is a special local network configuration designed to improve security by segregating computers on each side of a firewall. A DMZ can be set up on either home or business networks, although its usefulness in homes is limited.

Where Is a DMZ Useful?

In a home network, computers and other devices normally are configured into a local area network (LAN) connected to the Internet via a broadband router.

The router serves as a firewall, selectively filtering traffic from the outside to help ensure only legitimate messages pass through. A DMZ splits such a network into two parts by taking one or more devices inside the firewall and moving them to the outside. This configuration better protects the inside devices from possible attacks by the outside (and vice versa).

A DMZ is useful in homes when the network is running a server. The server can be set up in a DMZ so that Internet users can reach it via its own public IP address, while the rest of the home network stays protected from attacks if the server is compromised. Years ago, before cloud services became widely available and popular, people more commonly ran Web, VoIP or file servers from their homes, and DMZs made more sense.

Business computer networks, on the other hand, more commonly use DMZs to help manage their corporate Web and other public-facing servers.

Home networks nowadays more commonly benefit from a variation of DMZ called DMZ hosting (see below).

DMZ Host Support in Broadband Routers

Information about network DMZs can be confusing to understand at first because the term refers to two kinds of configurations. The standard DMZ host feature of home routers does not set up a full DMZ subnetwork but instead identifies one device on the existing local network to function outside the firewall while the rest of the network functions as normal.

To configure DMZ host support on a home network, log into the router console and enable the DMZ host option, which is disabled by default. Enter the private IP address of the local device designated as host. Xbox or PlayStation game consoles are often chosen as DMZ hosts to prevent the home firewall from interfering with online gaming. Ensure the host is using a static IP address (rather than a dynamically assigned one); otherwise, a different device may inherit the designated IP address and become the DMZ host instead.
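
The static-address caveat above can be checked before the DMZ host option is enabled. The following is an added example, not part of the original article: it flags a DMZ host address that sits inside the router's DHCP pool or is currently leased to another device. It assumes the router's leases can be exported in dnsmasq's lease-file layout (expiry, MAC, IP, hostname, client ID); the function names, addresses and MACs are all constructed for illustration.

```python
import ipaddress

# Constructed sample data: lease lines in dnsmasq's lease-file layout
# (expiry, MAC, IP, hostname, client ID). All values are made up.
SAMPLE_LEASES = """\
1700003600 aa:bb:cc:00:00:01 192.168.1.101 laptop *
1700003600 aa:bb:cc:00:00:02 192.168.1.150 smart-tv *
"""

def parse_leases(text):
    """Return {ip: mac} for every well-formed lease line."""
    leases = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip blank or truncated lines
        try:
            ip = ipaddress.ip_address(fields[2])
        except ValueError:
            continue  # skip lines whose third field is not an address
        leases[ip] = fields[1].lower()
    return leases

def audit_dmz_host(dmz_ip, expected_mac, pool_start, pool_end, lease_text):
    """Return a list of findings; an empty list means the setting is stable."""
    ip = ipaddress.ip_address(dmz_ip)
    if not ip.is_private:
        return [f"{ip} is not a private address"]
    findings = []
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    if lo <= ip <= hi:
        findings.append(f"{ip} is inside the DHCP pool {lo}-{hi} and can be reassigned")
    holder = parse_leases(lease_text).get(ip)
    if holder and holder != expected_mac.lower():
        findings.append(f"{ip} is currently leased to {holder}, not {expected_mac}")
    return findings

if __name__ == "__main__":
    # Hypothetical setup: the console should be the DMZ host, but the TV holds the lease.
    for finding in audit_dmz_host("192.168.1.150", "aa:bb:cc:00:00:99",
                                  "192.168.1.100", "192.168.1.199", SAMPLE_LEASES):
        print("WARNING:", finding)
```

An empty result means the address is outside the dynamic pool and not held by another device, which is the condition the paragraph above asks for.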

True DMZ Support

In contrast to DMZ hosting, a true DMZ (sometimes called a commercial DMZ) establishes a new subnetwork outside the firewall where one or more computers run. Those computers on the outside add an extra layer of protection for computers behind the firewall as all incoming requests are intercepted and must first pass through a DMZ computer before reaching the firewall. True DMZs also restrict computers behind the firewall from communicating directly with DMZ devices, requiring messages to come through the public network instead. Multi-level DMZs with several layers of firewall support can be set up to support large corporate networks.