In computer security, a DMZ or demilitarized zone (sometimes referred to as a perimeter network) is a physical or logical subnetwork that contains and exposes an organization's external-facing services to a usually larger and untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN); an external network node can access only what is exposed in the DMZ, while the rest of the organization's network is firewalled.
The name is derived from the term "demilitarized zone", an area between nation states in which military operation is not permitted.
In the military sense, a DMZ is not seen as belonging to either party bordering it. This concept applies to the computing use of the metaphor in that a DMZ which is, for example, acting as a gateway to the public Internet, is neither as secure as the internal network, nor as insecure as the public internet.
In this case, the hosts most vulnerable to attack are those that provide services to users outside of the local area network, such as e-mail, Web and Domain Name System (DNS) servers. Because of the increased potential of these hosts suffering an attack, they are placed into this specific subnetwork in order to protect the rest of the network if an intruder were to compromise any of them successfully.
Hosts in the DMZ are permitted to have only limited connectivity to specific hosts in the internal network, as the content of DMZ is not as secure as the internal network. Similarly communication between hosts in the DMZ and to the external network is also restricted, to make the DMZ more secure than the Internet, and suitable for housing these special purpose services. This allows hosts in the DMZ to communicate with both the internal and external network, while an intervening firewall controls the traffic between the DMZ servers and the internal network clients, and another firewall would perform some level of control to protect the DMZ from the external network.