In computer security, a demilitarized zone (DMZ), more appropriately known as a demarcation zone or perimeter network, is a physical or logical subnetwork that contains an organization's external services and exposes them to a larger, untrusted network, usually the Internet. The purpose of a DMZ is to add a layer of security to an organization's local area network (LAN).
In a network, the hosts most vulnerable to attack are those that provide services to users outside of the LAN, such as e-mail, web and DNS servers. Because these hosts are more likely to be compromised, they are placed into their own subnetwork in order to protect the rest of the network if an intruder were to succeed. Hosts in the DMZ should not be able to establish communication directly with any other host in the internal network, though communication with other hosts in the DMZ and with the external network is allowed. This allows hosts in the DMZ to provide services to both the internal and external network while still protecting the internal network.
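The rule that DMZ hosts must not open connections to the internal network can be checked mechanically against a firewall's forwarding rules. The following is an added example, not part of the original article: it assumes a simplified, IPv4-only, first-match rule list without ports, and the zone subnets, rule names and addresses are constructed for illustration.

```python
from ipaddress import ip_network

# Constructed example zones (private address ranges chosen for illustration).
ZONES = {"internal": ip_network("10.0.0.0/16"), "dmz": ip_network("192.168.50.0/24")}

def _intersect(a, b):
    """Overlap of two CIDR networks, or None (CIDRs either nest or are disjoint)."""
    if a.subnet_of(b):
        return a
    return b if b.subnet_of(a) else None

def dmz_to_internal_violations(rules, zones=ZONES):
    """Names of allow rules that let a DMZ host open a connection to the internal net.

    rules: ordered (name, action, src_cidr, dst_cidr) tuples for NEW connections;
    first match wins. An allow is reported unless a single earlier deny already
    covers every DMZ -> internal flow it could match.
    """
    findings, earlier_denies = [], []
    for name, action, src, dst in rules:
        src_n, dst_n = ip_network(src), ip_network(dst)
        if action == "deny":
            earlier_denies.append((src_n, dst_n))
            continue
        bad_src = _intersect(src_n, zones["dmz"])
        bad_dst = _intersect(dst_n, zones["internal"])
        if bad_src is None or bad_dst is None:
            continue  # this rule cannot match DMZ -> internal traffic
        if not any(bad_src.subnet_of(s) and bad_dst.subnet_of(d)
                   for s, d in earlier_denies):
            findings.append(name)
    return findings

# Constructed rule set (hypothetical names and addresses).
SAMPLE_RULES = [
    ("web-in", "allow", "0.0.0.0/0", "192.168.50.10/32"),          # external -> DMZ
    ("lan-to-dmz", "allow", "10.0.0.0/16", "192.168.50.0/24"),     # internal -> DMZ
    ("web-to-db", "allow", "192.168.50.10/32", "10.0.5.20/32"),    # DMZ -> internal
    ("dmz-block-lan", "deny", "192.168.50.0/24", "10.0.0.0/16"),
    ("dmz-out", "allow", "192.168.50.0/24", "0.0.0.0/0"),          # safe only after the deny
]

if __name__ == "__main__":
    print(dmz_to_internal_violations(SAMPLE_RULES))
```

The "dmz-out" rule shows why ordering matters: an allow from the DMZ to any destination also covers the internal network unless an earlier deny blocks that path.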
Generally, any service that is being provided to users in an external network should be placed in the DMZ. The most common of these services are web servers, mail servers, and DNS servers. In some situations, additional steps need to be taken to provide these services securely.