
What is a Perimeter Network or DMZ?

by Landon D. Foster
Published on March 11, 2025

Quick Answer: A perimeter network, also known as a DMZ (Demilitarized Zone), is a segregated subnetwork positioned between an organization’s internal network and untrusted external networks. It is designed to host public-facing services while protecting critical internal systems from external threats.

The architecture of enterprise networks can be confusing, and it only gets more so over time. One part of these networks that has evolved rapidly in recent years is the DMZ, also known as a perimeter network. It's the outermost part of a network: not fully on the outside, not fully on the inside, but serving a vital purpose.

What is a DMZ?

A DMZ, or Demilitarized Zone, takes its name from the military term for a buffer strip between two opposing sides that neither side is allowed to occupy. On a network, a DMZ is an in-between space on the outer edge, separated from both the internal network and the Internet by logical (and sometimes physical) security controls. It's a space that's neither here nor there. The DMZ sits at the very edge of the network in a logical sense, though it may not in a physical sense.

Visualizing the network as a set of concentric layers, as it is taught in Security+, the DMZ sits at the very outside, just inside the perimeter. Its function is to provide some network services and access to both the internal and external parts of the network, under additional security controls.

DMZs are unique in that they are severely limited in their access to either side of the network: they're considered outside by the internal network and inside by the outside world. By design there is no free flow of information through them; they function as a sort of firebreak at the network edge. They often can only pass specific kinds of traffic into the network, or reach only specific services.

A good example is a firm whose staff often work remotely. It may host things like an internal SharePoint site or a NAS that remote users need to reach. These are set up in the DMZ so that remote users can access them but not critical resources such as, for example, the accounting server.

How is a DMZ Constructed?

A DMZ is typically treated as a local "walled garden" and is built as such. It must be logically separated from the rest of the network and, in some extreme cases (such as government work), must also be physically separated.

The usual way to do this is to place the DMZ on its own logical path (for more about logical vs physical descriptions, check out: Network+ by CBT Nuggets) between the outer, or "edge," router and the first firewall, so that DMZ traffic follows a different path than the rest of the traffic in and out of the network. A single firewall with a third interface dedicated to the DMZ is the simplest form of this. In more complex networks, there is a firewall on each side of the DMZ, one facing the Internet and one facing the internal network, the dual-firewall layout often referred to as a screened subnet.

Hosts in the DMZ will nearly always have role-based access control (RBAC) applied to their network access: once a host is tagged as a DMZ member, its role decides which flows are permitted. Two things follow. Traffic destined for the DMZ host from outside is matched against relatively few rules, while traffic from the DMZ host into the internal network is matched against many more.

This gives DMZ hosts the broadest reach to outside resources, such as cloud-hosted applications that the security posture may not permit from inside the network, or remote access to user-owned devices, while confining those higher-risk activities to the hosts that need them and no others.

Other Devices in the DMZ

In addition to transient devices covered by a BYOD policy, some common network services may also be placed in the DMZ. Unlike the transient devices, these are permanent parts of the architecture. Because they are reachable from outside, they are frequently targeted by external threats; because they also serve as the network's firebreak, they receive heightened scrutiny.

DNS, DHCP, and NAS services fall under this heading. Think like a firewall here: it is easy to write a rule that lets your DHCP server exchange only one kind of traffic. DHCP uses well-known ports (UDP 67 on the server side, UDP 68 on the client side), and the server must accept client requests on that port, so the firewall can say "only DHCP traffic comes in to you, and nothing else leaves you." Instead of disallowing transient devices or VPN clients from joining the DMZ at all, it's much simpler to set the firewall to permit just that service.

Common attack vectors usually involve suborning control of a device, or making it behave erratically, rather than simply using the device as intended. Strictly controlling what traffic a DMZ host may send southbound into your network is therefore an excellent idea wherever practicable: a compromised DHCP server that is only allowed to speak DHCP is a poor pivot point.
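The three-zone policy the previous sections describe, written out as a small rule evaluator. This is an added example, not code from the article or from CBT Nuggets; the address ranges, host addresses (a web server and a DHCP server in the DMZ, a file share and an accounting server inside) and the rule set are assumptions chosen to illustrate the design. The constructed flows at the bottom include the pivot a compromised DMZ host would attempt, and the audit helper confirms that no rule anywhere allows OUTSIDE to reach INSIDE directly.

```python
"""Zone-based DMZ policy model (added example; addresses and rules are assumptions)."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple
import ipaddress

# Assumed address plan: INSIDE and DMZ are known subnets; anything else is
# OUTSIDE (untrusted). 203.0.113.0/24 is the RFC 5737 documentation range.
ZONES = {
    "INSIDE": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.99.0.0/24"),
}

# Assumed hosts (example values).
WEB = "10.99.0.10"        # public web server in the DMZ
DHCP = "10.99.0.20"       # DHCP server in the DMZ, as in the article
FILESRV = "10.10.5.40"    # the one internal host the web tier may reach
ACCOUNTING = "10.10.7.9"  # critical internal host, never exposed


def zone_of(ip: str) -> str:
    """Classify an address into INSIDE, DMZ or OUTSIDE."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "OUTSIDE"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str                      # "tcp" or "udp"
    dport: Optional[int]            # None = any destination port
    dst_host: Optional[str] = None  # None = any host in dst_zone


# Default-deny policy. Note what is absent: there is no OUTSIDE -> INSIDE rule
# of any kind, and DMZ -> INSIDE is a single pinhole to a single host.
RULES = [
    Rule("OUTSIDE", "DMZ", "tcp", 443, WEB),      # public HTTPS only
    Rule("OUTSIDE", "DMZ", "udp", 67, DHCP),      # "only DHCP traffic comes in to you"
    Rule("DMZ", "OUTSIDE", "udp", 53),            # DMZ hosts may resolve names
    Rule("DMZ", "INSIDE", "tcp", 445, FILESRV),   # web tier reaches one file share
    Rule("INSIDE", "DMZ", "tcp", None),           # admins manage DMZ hosts
    Rule("INSIDE", "OUTSIDE", "tcp", None),       # normal user egress
    Rule("INSIDE", "OUTSIDE", "udp", None),
]


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Return 'allow' or 'deny' for the first packet of a new flow."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        # Intra-zone traffic never crosses this firewall; limiting lateral
        # movement inside the DMZ itself is a job for host firewalls.
        return "allow"
    for r in RULES:
        if (r.src_zone, r.dst_zone, r.proto) != (src_zone, dst_zone, proto):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if r.dst_host is not None and r.dst_host != dst_ip:
            continue
        return "allow"
    return "deny"


def zone_pairs_with_any_rule() -> Set[Tuple[str, str]]:
    """Audit helper: every zone-to-zone direction that has at least one allow rule."""
    return {(r.src_zone, r.dst_zone) for r in RULES}


if __name__ == "__main__":
    # Constructed flows, including what a compromised DMZ host would try.
    flows = [
        ("203.0.113.7", WEB, "tcp", 443),         # customer -> web
        ("203.0.113.7", WEB, "tcp", 22),          # outside -> web SSH
        ("203.0.113.7", ACCOUNTING, "tcp", 445),  # outside -> inside, never
        (WEB, FILESRV, "tcp", 445),               # web -> the one pinhole
        (WEB, ACCOUNTING, "tcp", 445),            # web -> accounting pivot
        (WEB, FILESRV, "tcp", 3389),              # web -> RDP inside
        (DHCP, "203.0.113.7", "tcp", 443),        # DHCP server calling out
    ]
    for f in flows:
        print(f"{f[0]:>14} -> {f[1]:<14} {f[2]}/{f[3]:<5} {evaluate(*f)}")
    print("directions with rules:", sorted(zone_pairs_with_any_rule()))
```

The audit helper is the check worth keeping in a real deployment: a DMZ is only a firebreak if the set of zone pairs with any allow rule never contains (OUTSIDE, INSIDE), and if the DMZ-to-INSIDE entries are enumerable by hand.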

How is a DMZ Controlled?

The construction of a DMZ is the most important part of the planning. We've already discussed firewall rules, but there are more holistic controls as well. Your DMZ hosts should sit together, since they often need to talk to each other, which generally means they're all on the same subnet or a small group of subnets.

As such, a common approach is to put all traffic to and from them on the same VLAN. Network services can be restricted to one VLAN and "other" (transient) devices to a different one, much as wireless SSIDs can be limited by role. (For more on managing groups and SSIDs, see Wireless Security.)

A VLAN can be thought of as a sort of color: if you're on VLAN "blue" and something else is on VLAN "green," the two cannot talk to each other at layer 2 at all, regardless of firewall rules. They're separate networks that must be explicitly routed to each other, and that routing hop is where your firewall rules apply. (VLANs are generally identified by number, 1 through 4094, rather than by color.)
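To make the "blue cannot talk to green" point concrete, here is an 802.1Q frame builder and parser together with a minimal flooding switch that enforces VLAN membership. This is an added example, not code from the article; the port layout (three access ports and one trunk), the VLAN numbers 10 and 20 standing in for "blue" and "green," and the MAC addresses are assumptions. The model deliberately drops tagged frames arriving on access ports and untagged frames arriving on a trunk (it has no native VLAN), which is stricter than many switch defaults but is the behaviour you want on a DMZ segment.

```python
"""802.1Q VLAN separation model (added example; ports, VLAN ids and MACs are assumptions)."""
import struct

TPID_8021Q = 0x8100  # EtherType value that announces a VLAN tag follows
ETH_IP = 0x0800

# Assumed VLAN plan: the article's "blue" and "green".
VLAN_BLUE, VLAN_GREEN = 10, 20


def build_frame(dst_mac, src_mac, payload, vlan_id=None, ethertype=ETH_IP):
    """Build an Ethernet frame, inserting an 802.1Q tag when vlan_id is given."""
    hdr = dst_mac + src_mac
    if vlan_id is None:
        return hdr + struct.pack("!H", ethertype) + payload
    tci = vlan_id & 0x0FFF  # PCP and DEI bits left at 0 in this example
    return hdr + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Return (dst_mac, src_mac, vlan_id or None, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, off = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, off = tci & 0x0FFF, 18
    return dst, src, vid, ethertype, frame[off:]


class Switch:
    """Minimal flooding switch: a frame is delivered to every eligible port."""

    def __init__(self, access, trunk):
        self.access = access  # port number -> VLAN id the port belongs to
        self.trunk = trunk    # port number -> set of VLAN ids carried tagged

    def forward(self, in_port, frame):
        """Return {out_port: frame_as_transmitted}; an empty dict means dropped."""
        dst, src, vid, ethertype, payload = parse_frame(frame)
        if in_port in self.access:
            if vid is not None:
                return {}  # tagged frame on an access port: a VLAN-hopping attempt, drop
            vlan = self.access[in_port]
        elif in_port in self.trunk:
            if vid is None or vid not in self.trunk[in_port]:
                return {}  # untagged (no native VLAN here) or disallowed VLAN on trunk, drop
            vlan = vid
        else:
            return {}  # unknown port
        out = {}
        for port, port_vlan in self.access.items():
            if port != in_port and port_vlan == vlan:
                out[port] = build_frame(dst, src, payload, None, ethertype)   # untagged
        for port, allowed in self.trunk.items():
            if port != in_port and vlan in allowed:
                out[port] = build_frame(dst, src, payload, vlan, ethertype)   # tagged
        return out


# Assumed layout: ports 1-2 blue, port 3 green, port 4 a trunk to the firewall/router.
SWITCH = Switch(access={1: VLAN_BLUE, 2: VLAN_BLUE, 3: VLAN_GREEN},
                trunk={4: {VLAN_BLUE, VLAN_GREEN}})

if __name__ == "__main__":
    BCAST = b"\xff" * 6
    HOST_A = b"\x02\x00\x00\x00\x00\x01"  # locally administered MAC, constructed
    arp = build_frame(BCAST, HOST_A, b"arp-who-has")
    for port in (1, 3):
        out = SWITCH.forward(port, arp)
        print(f"broadcast from port {port} reaches ports {sorted(out)}")
    print("tagged frame injected on access port 1 forwarded to:",
          sorted(SWITCH.forward(1, build_frame(BCAST, HOST_A, b"x", VLAN_GREEN))))
```

A host on blue port 1 flooding a broadcast reaches port 2 (untagged) and the trunk (tagged 10), but never green port 3; the only way blue traffic reaches green is via whatever sits at the far end of the trunk and routes between the two, which is exactly where the firewall policy belongs.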

DMZ in Context

A DMZ is only one component of an enterprise security solution. When planning your network architecture, think of it as a series of walls. The DMZ is just the outermost one, which things can be cast into or bounce off. This is generally referred to as "defense in depth," meaning that you should have many layers between your vital functions and the outside, untrusted world.

Consider all of your traffic flows like roads in a city—you want to have many checkpoints before they can get to the city center. For a hostile actor, defeating one particular function is much easier than defeating two, and orders of magnitude easier than defeating several in sequence—especially since they have to do it all at once.

Final Thoughts

Remember that while each security control is simple on its own, only a layered approach creates a strong security posture. That said, security and usability are trade-offs; this is where a DMZ comes in. 

Use the DMZ to reduce the risk you incur and to take some of the burden off clients that carry less risk or create less exposure.

At the end of the day, the client is king, and if they can’t use your network, then the network isn’t doing the job it’s been designed for! 

Want to learn more about network security? Consider our CompTIA Security+ online training.
