Demilitarized Zone (DMZ)
Posted August 27, 2008 at 7:31 am in Networking

The demilitarized zone (DMZ), also known as the perimeter network, is a physical or logical subnetwork that creates separation between an internal network and an external untrusted network (usually the Internet). The DMZ provides an additional layer of security to the internal network.
External services such as mail servers, DNS servers, FTP servers, and web servers are exposed within the DMZ. Because they accept connections from the Internet, these are the servers attackers most commonly compromise first; if they sit on the internal network, a compromised server is already a foothold inside it. By relocating them to the DMZ, the attacker still has not breached the internal network even after compromising one of these servers: the DMZ is the only segment the compromised host can reach directly.
This rationale may seem counterintuitive at first, but many of these servers and services are not critical to business continuity, and they should all have redundancy and readily available backups so that a compromised host can be rebuilt. If these servers were within the internal network, an attacker who compromised one would essentially have free rein over trade secrets, financial data, employee data, databases, and so on. With these servers in the DMZ, the assets essential to business continuity remain protected within the internal network.
Any service that is provided to users on an external network should be located within the DMZ. A mail server in the DMZ should forward incoming mail from the external network to an internal mail server, and the internal mail server should pass outgoing mail to the DMZ mail server for delivery. The internal mail server therefore never talks to the Internet directly; only the relay is exposed. This creates separation of duties amongst the mail servers while providing an additional layer of security to the network.
There are two common ways to implement a DMZ architecture: single firewall and dual firewall.
A single firewall implementation, also known as the three-legged model, separates a network into three segments, each on its own firewall interface: the external network, the DMZ, and the internal network. A potential drawback to this architecture is that the firewall becomes a single point of failure: one device must handle all network traffic, which can reduce throughput, and a single misconfiguration or vulnerability in that device exposes both the DMZ and the internal network at once.
A dual firewall architecture uses two firewalls to create the DMZ. The front-end firewall, the firewall located closest to the external network router, permits only the traffic that should reach the DMZ (and traffic that must cross the DMZ to reach the internal network). The back-end firewall, the firewall located closest to the internal network, permits only traffic between the DMZ and the internal network; it never sees a connection directly from the external network. If data from the external network is destined for the internal network, it must pass through the external network router, the front-end firewall, the DMZ, and the back-end firewall before reaching the internal network. This architecture is more costly than the three-legged model but adds security. It is advised that the two firewalls be from different vendors so that a vulnerability discovered in one product is unlikely to be present in the other; an attacker who defeats the front-end firewall must then find a second, unrelated flaw to get past the back-end firewall.
It is a poor security practice to allow internal network hosts or servers to directly access the external network. Oftentimes an internal host will require Internet access (the external network) as a business function (research, PR, etc.). To accommodate this, internal network hosts should be routed through a proxy server that resides in the DMZ, so that the only outbound rule on the front-end firewall is for the proxy, and the back-end firewall only needs to allow internal hosts to reach the proxy's listening port.
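The following is an added example, not code from the original post, that models the dual-firewall policy described above (front-end and back-end rule sets, the mail relay, and the outbound proxy) and evaluates sample flows against it. The address plan (192.0.2.0/24 for the DMZ, 10.0.0.0/8 for the internal network), the host addresses, the proxy port 3128 and the rule sets are assumptions chosen for illustration; the point is to show which firewall(s) each flow must cross and why a compromised DMZ host still cannot reach internal assets.

```python
"""Model of a dual-firewall DMZ policy (added example; address plan is assumed)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed address plan (not from the original post): RFC 5737 space for the DMZ,
# RFC 1918 space for the internal network; anything else is "external".
DMZ = ipaddress.ip_network("192.0.2.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

DMZ_WEB = "192.0.2.10"     # public web server
DMZ_MAIL = "192.0.2.25"    # mail relay exposed to the Internet
DMZ_PROXY = "192.0.2.80"   # outbound web proxy for internal hosts
INT_MAIL = "10.0.0.25"     # internal mail server (never talks to the Internet)
PROXY_PORT = 3128          # assumed proxy listening port


def zone(ip: str) -> str:
    """Classify an address into one of the three segments."""
    addr = ipaddress.ip_address(ip)
    if addr in INTERNAL:
        return "internal"
    if addr in DMZ:
        return "dmz"
    return "external"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    src_host: Optional[str]   # None = any host in src_zone
    dst_host: Optional[str]   # None = any host in dst_zone
    dport: Optional[int]      # None = any TCP port
    action: str               # "ACCEPT" or "DROP"

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (zone(src) == self.src_zone and zone(dst) == self.dst_zone
                and (self.src_host is None or src == self.src_host)
                and (self.dst_host is None or dst == self.dst_host)
                and (self.dport is None or dport == self.dport))


# Front-end firewall: sits between the border router and the DMZ. Only the
# published services are reachable inbound; only the relay and the proxy may
# initiate connections outbound. No rule mentions the internal zone at all.
FRONT_END = [
    Rule("external", "dmz", None, DMZ_WEB, 80, "ACCEPT"),
    Rule("external", "dmz", None, DMZ_WEB, 443, "ACCEPT"),
    Rule("external", "dmz", None, DMZ_MAIL, 25, "ACCEPT"),
    Rule("dmz", "external", DMZ_MAIL, None, 25, "ACCEPT"),
    Rule("dmz", "external", DMZ_PROXY, None, 80, "ACCEPT"),
    Rule("dmz", "external", DMZ_PROXY, None, 443, "ACCEPT"),
]

# Back-end firewall: sits between the DMZ and the internal network. The only
# DMZ-initiated flow it accepts is the relay delivering mail to the internal
# mail server; internal hosts may reach the proxy and the relay, nothing else.
BACK_END = [
    Rule("dmz", "internal", DMZ_MAIL, INT_MAIL, 25, "ACCEPT"),
    Rule("internal", "dmz", INT_MAIL, DMZ_MAIL, 25, "ACCEPT"),
    Rule("internal", "dmz", None, DMZ_PROXY, PROXY_PORT, "ACCEPT"),
]


def evaluate(rules, src: str, dst: str, dport: int) -> str:
    """First matching rule wins; an unmatched flow hits the implicit default deny."""
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule.action
    return "DROP"


def firewalls_on_path(src: str, dst: str):
    """Which firewalls a connection must cross, given the zones of its endpoints."""
    zones = {zone(src), zone(dst)}
    path = []
    if "external" in zones:
        path.append(("front-end", FRONT_END))
    if "internal" in zones:
        path.append(("back-end", BACK_END))
    return path


def trace(src: str, dst: str, dport: int):
    """Verdict of every firewall on the path, in traversal order (initiating
    direction only; replies are assumed to be handled by stateful tracking)."""
    if zone(src) == zone(dst):
        return []  # same-segment traffic never crosses either firewall
    return [(name, evaluate(rules, src, dst, dport))
            for name, rules in firewalls_on_path(src, dst)]


def allowed(src: str, dst: str, dport: int) -> bool:
    """A flow is permitted only if every firewall on its path accepts it."""
    return all(verdict == "ACCEPT" for _, verdict in trace(src, dst, dport))


if __name__ == "__main__":
    samples = [
        ("203.0.113.5", DMZ_WEB, 443),    # Internet user -> web server
        ("203.0.113.5", INT_MAIL, 25),    # Internet -> internal mail, blocked
        (DMZ_MAIL, INT_MAIL, 25),         # relay delivers mail inward
        (DMZ_WEB, "10.0.0.50", 3306),     # compromised web server -> internal DB
        ("10.1.2.3", "203.0.113.5", 443), # internal host direct to Internet
        ("10.1.2.3", DMZ_PROXY, PROXY_PORT),  # internal host via proxy
    ]
    for src, dst, port in samples:
        print(f"{src:>13} -> {dst:<13}:{port:<5} {trace(src, dst, port)}"
              f"  => {'ALLOW' if allowed(src, dst, port) else 'DENY'}")
```

Run it and note that the compromised-web-server flow is dropped by the back-end firewall even though the front-end firewall never sees it, and that a direct internal-to-Internet flow is dropped by both: the front-end has no rule for the internal zone at all, and the back-end only lets internal hosts reach the proxy.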