In computing, a demilitarized zone, or DMZ, is a physical or logical separate from the local network and isolated from it and from the Internet by a firewall. This subnet contains machines that are accessible from the Internet and do not need to access the local network.

Services that can be accessed from the Internet will be located in DMZ, and all flows from the Internet are redirected by default to the DMZ by the firewall. The firewall will block access to the local network from the DMZ to ensure security. In the event of compromise of one of the services in the DMZ, the hacker will have access only to the machines of the DMZ and not to the local network.

Any service provided to users on the public internet should be placed in the DMZ network. Some of the most common of these services include web servers and proxy servers, as well as servers for email, domain name system (DNS), File Transfer Protocol (FTP) and voice over IP (VoIP).

The figure below shows a DMZ architecture with a three-way firewall. The disadvantage is that if this single firewall is compromised, nothing is controlled. However, it is possible to use two cascading firewalls to eliminate this risk. There are also DMZ architectures where it is located between the Internet and the local network, separated from each of these networks by a firewall.