Organizations tend to restrict their local area networks (LANs) to keep every connected device secure. That restriction can cause problems when connecting to other locations, particularly over the Internet. This is where network features and protocols come in that give clients access without sacrificing security, and a DMZ network is one such option. I'll explain what a DMZ is and why you may want to use one on your organization's network.

What is a DMZ?

A demilitarized zone (DMZ) in the networking world has nothing to do with warfare. A DMZ is a perimeter network that shields a LAN from unwanted traffic. A DMZ configured alongside a LAN aims to give clients access to external locations, such as the Internet, without compromising overall security. This is especially useful for email, file transfer, web servers, and other externally facing services whose primary job is to handle untrusted traffic.

Any server or device within the DMZ is given only limited access to the LAN, so the DMZ acts as a firewall layer that keeps unwanted traffic from reaching the internal network without hampering access to the service itself. A DMZ is usually viewed as the more secure option, because it makes it harder for malicious parties to force their way onto the LAN. The DMZ filters traffic between the LAN and the Internet, allowing only authorized access. Think of it as a network within a network, or as one that is separate from and runs alongside the LAN.

User-facing services such as websites, email, and DNS servers are exposed to the outside world and are open by design. That does not match the security posture of a private network. By filtering traffic between the WAN and the LAN, a DMZ acts like a router that splits the external and internal interfaces and keeps them separate. Clients on the LAN can connect to the Internet, and authorized external access to the LAN can still be permitted. The DMZ stays separate from the LAN and handles the external traffic.

Should you use a DMZ at home?

There's a good chance you don't need a DMZ at home. Even running a device such as a NAS with external access likely doesn't warrant deploying a DMZ. If you have a few devices that face external traffic, port forwarding can be configured on the router. A VPN could also be set up for each device. A DMZ only makes sense if you have multiple devices and services with persistent external connections.

If you do configure a DMZ on your network, I recommend using two firewalls. The first allows traffic between the DMZ and the Internet. A second firewall then sits between the DMZ and the internal network and forwards only the DMZ traffic that is permitted to reach it. This involves multiple devices and costs more than configuring a simple DMZ through a consumer-grade router supplied by a service provider, but price shouldn't be a concern if you're serious about security.
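To make the two-firewall layout concrete, here is an added Python model (not code from the original article) that routes sample flows through an edge and an internal firewall and reports where each is accepted or dropped; the zone names, the hosts "web" and "db", and the ports are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional
WAN, DMZ, LAN = "wan", "dmz", "lan"  # the three zones of a two-firewall DMZ

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_host: str
    dst_port: int
@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: Optional[str] = None          # None matches any host
    dst_ports: Optional[frozenset] = None   # None matches any port
    def matches(self, f: Flow) -> bool:
        return (self.src_zone == f.src_zone and self.dst_zone == f.dst_zone
                and self.dst_host in (None, f.dst_host)
                and (self.dst_ports is None or f.dst_port in self.dst_ports))

def allowed(rules, flow: Flow) -> bool:
    # Each firewall is default-deny: a flow passes only if some rule accepts it.
    return any(r.matches(flow) for r in rules)

# Edge firewall, between the Internet and the DMZ (hosts and ports are assumed).
EDGE = [Rule(WAN, DMZ, "web", frozenset({80, 443})),  # only the public web server
        Rule(DMZ, WAN),                               # DMZ hosts may reach out
        Rule(LAN, WAN)]                               # LAN clients browse the web
# Internal firewall, between the DMZ and the LAN.
INTERNAL = [Rule(LAN, DMZ),                           # LAN may manage DMZ hosts
            Rule(LAN, WAN),                           # LAN traffic on its way out
            Rule(DMZ, LAN, "db", frozenset({5432}))]  # web tier -> database only

def path(flow: Flow):
    # Firewalls crossed, in order: WAN<->DMZ only the edge, DMZ<->LAN only the
    # internal one, WAN<->LAN both; same-zone traffic crosses none.
    hops = []
    if flow.src_zone != flow.dst_zone:
        if WAN in (flow.src_zone, flow.dst_zone):
            hops.append(("edge", EDGE))
        if LAN in (flow.src_zone, flow.dst_zone):
            hops.append(("internal", INTERNAL))
    return hops[::-1] if flow.src_zone == LAN else hops

def decision(flow: Flow) -> str:
    # 'accept', or 'drop@<firewall>' naming the first firewall that rejects the flow.
    for name, rules in path(flow):
        if not allowed(rules, flow):
            return f"drop@{name}"
    return "accept"
```

Reply packets are not modelled; on a real firewall the established/related connection-tracking rule lets them back through. Note that a flow from the Internet straight to the LAN never reaches the internal firewall at all, because the edge firewall has no rule for it.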