The demilitarized zone (DMZ) is a separate segment of the local area network that is shielded by a firewall both from the Internet and from the LAN itself. Computers or servers that must be reachable from the unsecured network (the Internet) belong in this segment, for example your own FTP and web servers.
First and foremost, the firewall protects the DMZ against attacks from the Internet. In addition, it protects the LAN against the DMZ. The firewall is configured so that only the following connections are possible:
- Stations from the Internet can access the servers in the DMZ, but access to the LAN from the Internet is not possible.
- The stations on the LAN can access the Internet and the servers in the DMZ.
- The servers in the DMZ cannot access the stations in the LAN. This ensures that even a "cracked" (compromised) server in the DMZ does not pose a security risk to the LAN.
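The three rules above form a zone policy that a stateful firewall applies to the first packet of each connection, while replies belonging to an already accepted connection are passed in the reverse direction. The following Python model is an added illustration of that policy, not configuration from any router vendor; the address ranges, the zone names and the sample packets are constructed for the example. It also shows the case the last rule is about: a compromised DMZ server that tries to open a connection into the LAN is dropped, even though replies from that same server to connections the LAN opened are still allowed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zone layout for the example (assumption): two private ranges
# for LAN and DMZ; any other address counts as the Internet.
ZONES = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "DMZ": ipaddress.ip_network("192.168.100.0/24"),
}

# Who may OPEN a connection to whom; this is the three-rule policy above.
# The DMZ gets an empty set: it may not open connections to the LAN, and
# the text lists no other DMZ-initiated access.
POLICY = {
    "INTERNET": {"DMZ"},
    "LAN": {"INTERNET", "DMZ"},
    "DMZ": set(),
}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True only for the first packet of a new TCP connection


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside ZONES is the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "INTERNET"


class Firewall:
    """Stateful zone firewall: new flows are checked against POLICY,
    packets of already accepted flows pass in both directions."""

    def __init__(self):
        # Accepted flows, keyed by (client, server, server_port).
        self.conntrack: set[tuple[str, str, int]] = set()

    def decide(self, pkt: Packet) -> tuple[str, str]:
        forward = (pkt.src, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.src, pkt.sport)
        if forward in self.conntrack:
            return "ACCEPT", "established"
        if reverse in self.conntrack:
            return "ACCEPT", "reply to established flow"
        if not pkt.syn:
            # A non-SYN packet without state is stray or spoofed traffic.
            return "DROP", "no matching state"
        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
        if dst_zone in POLICY[src_zone]:
            self.conntrack.add(forward)
            return "ACCEPT", f"new {src_zone}->{dst_zone} flow permitted"
        return "DROP", f"{src_zone}->{dst_zone} not permitted"


def run_demo() -> list[tuple[str, str, str]]:
    """Push constructed packets through the policy and return the verdicts."""
    fw = Firewall()
    samples = [
        ("internet->dmz web", Packet("203.0.113.7", 51000, "192.168.100.10", 80, True)),
        ("internet->lan smb", Packet("203.0.113.7", 51001, "192.168.1.20", 445, True)),
        ("lan->dmz ssh", Packet("192.168.1.20", 40000, "192.168.100.10", 22, True)),
        ("dmz reply to lan", Packet("192.168.100.10", 22, "192.168.1.20", 40000, False)),
        ("cracked dmz->lan", Packet("192.168.100.10", 45000, "192.168.1.20", 445, True)),
        ("dmz reply to internet", Packet("192.168.100.10", 80, "203.0.113.7", 51000, False)),
    ]
    results = []
    for label, pkt in samples:
        verdict, reason = fw.decide(pkt)
        results.append((label, verdict, reason))
    return results


if __name__ == "__main__":
    for label, verdict, reason in run_demo():
        print(f"{label:24} {verdict:7} {reason}")
```

The order of the checks matters: connection state is consulted before the zone policy, which is what lets the DMZ server answer the LAN's SSH session and the Internet client's web request while its own attempt to reach the LAN file server is refused as a new flow.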
Some router models support this setup with a separate LAN interface that is used only for the DMZ. Following the data path through the device makes clear how the firewall shields the LAN from the DMZ.
When a dedicated DMZ port is used, no direct data exchange between LAN and DMZ is possible via the LAN bridge. The only path from the LAN to the DMZ, and vice versa, therefore runs through the router and thus through the firewall, which shields the LAN against requests from the DMZ just as it does against requests from the Internet.