A Demilitarized Zone, or DMZ, is a network segment that is isolated from an organization's other networks. Many organizations use a DMZ to separate their Local Area Network (LAN) from the Internet, adding a layer of security between the corporate network and the public Internet.
The most common systems placed in a DMZ are public-facing servers. For example, if an organization hosts its website on its own server, that web server can be placed in the DMZ. That way, if the machine is ever compromised, the rest of the company's network is not directly exposed.
When connecting a LAN to the Internet, a router provides the physical connection to the public Internet, and a firewall acts as the gateway that blocks malicious traffic from entering the network. One port on the firewall connects to the corporate network using an internal address on that network, allowing traffic sent by people inside the company to reach the Internet. Another port is configured with a public address so that Internet traffic can reach the organization. Together, these two ports carry the organization's inbound and outbound Internet traffic.
In creating a DMZ, an organization adds another network segment or subnet that is still part of the organization, but not connected directly to the corporate network. Adding a DMZ will make use of a third interface port on the firewall. This configuration allows the firewall to exchange data with both the corporate network and the DMZ network using Network Address Translation.
Network Address Translation (NAT) allows traffic arriving on a specific address, port, or interface to be forwarded to a specified network. For example, when someone visits an organization's website at www.somecompany.com, the browser connects to the server that hosts the site. If the organization keeps its web server in a DMZ, the firewall knows that all traffic sent to the IP address associated with the website should be passed to the server sitting in the DMZ network rather than into the organization's internal network.
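The three-port firewall and NAT arrangement described above, written as an nftables ruleset. This is an added example and not part of the original text; the interface names, the public and DMZ addresses of the web server, and the LAN and DMZ subnets are assumptions chosen for illustration.

```nftables
#!/usr/sbin/nft -f
# Assumed layout: eth0 faces the Internet, eth1 the corporate LAN, eth2 the DMZ.
# All addresses below are documentation/private ranges picked for the example.
define WAN        = eth0
define LAN        = eth1
define DMZ        = eth2
define WEB_PUBLIC = 203.0.113.10     # public address visitors see for www.somecompany.com
define WEB_DMZ    = 192.168.100.10   # the web server's real address inside the DMZ

table inet dmz_fw {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        # NAT: traffic for the public web address is handed to the server in the DMZ
        iifname $WAN ip daddr $WEB_PUBLIC tcp dport { 80, 443 } dnat ip to $WEB_DMZ
    }

    chain postrouting {
        type nat hook postrouting priority srcnat;
        # Outbound LAN and DMZ traffic leaves with the firewall's public address
        oifname $WAN masquerade
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        # Replies to connections that were already permitted
        ct state established,related accept

        # Corporate LAN may reach both the Internet and the DMZ
        iifname $LAN oifname { $WAN, $DMZ } accept

        # Internet may reach only the web server, and only on web ports (after DNAT)
        iifname $WAN oifname $DMZ ip daddr $WEB_DMZ tcp dport { 80, 443 } ct state new accept

        # DMZ may reach the Internet but never initiate connections into the LAN,
        # so a compromised web server cannot pivot into the corporate network
        iifname $DMZ oifname $LAN drop
        iifname $DMZ oifname $WAN accept
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`; a quick check of the isolation property is that a connection attempt from a DMZ host to a LAN address times out while the same host can still reach the Internet.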
Placing Internet-accessible systems such as web servers, web email, and similar services in a DMZ helps keep an organization's internal network safe from intruders and malicious traffic.