What is a DMZ and how does it isolate services?

· Category: Cybersecurity

Short answer

A DMZ (demilitarized zone) is an isolated network segment that hosts public-facing services such as web and mail servers. It sits between the internet and the internal LAN, limiting how much of the network is exposed.

How it works

Firewalls create the DMZ with two boundaries. The outer firewall allows traffic from the internet to DMZ servers only on the specific ports each service publishes. The inner firewall blocks DMZ hosts from initiating connections to the internal LAN. If a DMZ server is compromised, the attacker's reach is confined to the DMZ rather than extending to the LAN.
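As an added example (not from the original page), the two boundaries above expressed as one nftables forward-chain policy on a firewall with three interfaces; the interface names, server addresses and port lists are assumptions chosen for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example: two-boundary DMZ policy. Interface names, addresses and
# ports are assumptions for illustration, not values from the original page.
flush ruleset

define WAN = eth0
define DMZ = eth1
define LAN = eth2
define DMZ_WEB  = 192.0.2.10   # constructed: public web server
define DMZ_MAIL = 192.0.2.20   # constructed: public mail server

table inet dmz {
    chain forward {
        # Default deny: anything not explicitly listed below is dropped.
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections already permitted may flow back.
        ct state established,related accept
        ct state invalid drop

        # Outer boundary: internet reaches DMZ servers only on published ports.
        iifname $WAN oifname $DMZ ip daddr $DMZ_WEB  tcp dport { 80, 443 } accept
        iifname $WAN oifname $DMZ ip daddr $DMZ_MAIL tcp dport { 25, 587 } accept

        # LAN users may use the same DMZ services, but nothing more.
        iifname $LAN oifname $DMZ tcp dport { 80, 443, 25, 587 } accept

        # Internal hosts may reach the internet.
        iifname $LAN oifname $WAN accept

        # Inner boundary: connections the DMZ initiates toward the LAN are never
        # forwarded. The policy already drops them; the explicit rule logs each
        # attempt so a compromised DMZ host shows up in the firewall log.
        iifname $DMZ oifname $LAN log prefix "dmz-to-lan-blocked: " drop

        # DMZ hosts get only the outbound access they need (assumed: DNS,
        # mail relay and package updates).
        iifname $DMZ oifname $WAN udp dport 53 accept
        iifname $DMZ oifname $WAN tcp dport { 25, 53, 80, 443 } accept
    }
}
```

Load it with `nft -f` and confirm the inner boundary with `nft list chain inet dmz forward`; a DMZ host trying to open a connection to the LAN should then produce `dmz-to-lan-blocked:` entries in the kernel log rather than a session.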

Example

An e-commerce company places its website and payment gateway in the DMZ. Customer databases and internal applications remain on the LAN, not directly reachable from either the DMZ or the internet.

Why it matters

The DMZ principle limits blast radius. Public services carry inherently higher risk because they accept traffic from untrusted sources. Separating them protects crown-jewel assets even if a public service is breached.