What Is a DMZ?
A DMZ (demilitarized zone) is a separate network segment for public-facing servers: exposed enough to serve the internet, isolated enough that a compromise of one of those servers does not reach the internal network.
How it works
Web, mail and DNS servers live in the DMZ between two enforcement layers: the internet can reach only published DMZ services, and the DMZ in turn gets little or no access into the trusted LAN. If an internet-facing server is breached, the attacker is contained in the middle zone.
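The two enforcement layers described above can be expressed as a small zone-based policy. The following is an added example, not code from the original page: a minimal policy evaluator that classifies addresses into the three zones, allows only the published DMZ services inbound from the internet, denies DMZ-to-LAN traffic, and falls back to default deny. The address plan (192.0.2.0/24 for the DMZ, 10.0.0.0/8 for the LAN) and the port list are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address plan (assumption, not from the original page).
# 192.0.2.0/24 is a documentation range; 10.0.0.0/8 stands in for the trusted LAN.
ZONES = {
    "internet": ip_network("0.0.0.0/0"),
    "dmz": ip_network("192.0.2.0/24"),
    "lan": ip_network("10.0.0.0/8"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None means any port
    action: str              # "allow" or "deny"


# First match wins; anything that matches no rule is dropped (default deny).
# Only the published DMZ services (web, mail, DNS) are reachable from the internet.
POLICY = [
    Rule("internet", "dmz", 80, "allow"),
    Rule("internet", "dmz", 443, "allow"),
    Rule("internet", "dmz", 25, "allow"),
    Rule("internet", "dmz", 53, "allow"),
    Rule("internet", "lan", None, "deny"),   # outer layer: nothing straight into the LAN
    Rule("dmz", "lan", None, "deny"),        # inner layer: a breached DMZ host stays in the DMZ
    Rule("lan", "dmz", None, "allow"),       # administrators manage DMZ hosts from inside
    Rule("lan", "internet", None, "allow"),  # ordinary outbound browsing
]


def zone_of(ip: str) -> str:
    """Return the most specific zone containing ip (so a DMZ address is not 'internet')."""
    addr = ip_address(ip)
    best = None
    for name, net in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Decide allow/deny for one flow using first-match semantics and default deny."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "allow"  # intra-zone traffic is not enforced at the zone boundary
    for rule in POLICY:
        if (rule.src_zone == src and rule.dst_zone == dst
                and (rule.dst_port is None or rule.dst_port == dst_port)):
            return rule.action
    return "deny"


def containment_holds(policy=POLICY) -> bool:
    """Audit check: no rule may allow traffic originating in the DMZ to enter the LAN."""
    return not any(r.src_zone == "dmz" and r.dst_zone == "lan" and r.action == "allow"
                   for r in policy)


if __name__ == "__main__":
    # Constructed sample flows: 203.0.113.7 is an internet client.
    for flow in [("203.0.113.7", "192.0.2.10", 443),   # internet -> DMZ web: allow
                 ("203.0.113.7", "192.0.2.10", 22),    # internet -> DMZ ssh: default deny
                 ("203.0.113.7", "10.1.2.3", 443),     # internet -> LAN: deny
                 ("192.0.2.10", "10.1.2.3", 445)]:     # breached DMZ host -> LAN: deny
        print(flow, "->", evaluate(*flow))
    print("DMZ-to-LAN containment holds:", containment_holds())
```

The `containment_holds` check is the one worth keeping in a policy review: the moment someone adds an allow rule from the DMZ into the LAN (a database port is the classic case), the middle zone stops being a container.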
Why it matters
The DMZ is textbook defence-in-depth and a staple design/interview topic: "where would you place the company web server?" — in the DMZ, never on the internal LAN.
Frequently asked questions
Why put servers in a DMZ?
So internet exposure is contained — a hacked public server shouldn't grant a path into internal systems.
What typically lives in a DMZ?
Public web servers, mail gateways, external DNS and reverse proxies — anything the outside world must reach.
Is a DMZ still relevant with cloud?
Yes, conceptually: cloud security groups and subnet tiers implement the same isolation pattern under different names.
Want hands-on training?
Learn this on real Cisco lab devices with placement support at Attila Technologies, Ahmedabad.