Talk:DMZ (computing)

Update
I have updated the article and removed the stub. If you have any comments, please let me know. Jasonlfunk 15:45, 11 October 2007 (UTC).

Illustrations
The picture does not show a proper DMZ. It should look like (in ascii art): | [internet][Firewall/router]- | --[Firewall]-[Internal network] |                                   [DMZ]

What is shown here is a three-legged firewall concept.

Greg Rojas

I am confused as to the way a DMZ is laid out. The pictures are showing two different methods, which I understand are differences in topography. But, how is the ascii art dipiction laid out with the actual machines, is there a router between the firewalls? There should maybe be an illustration in the article or more detailed discriptions. 12:08 CDT, 02 June 2006

Software used to make them?
Unrelated query, but, anyone know what software was used to make the illustrations in this article? I doubt it was Visio. Thanks! —S3BST3R (talk) 22:49, 28 June 2011 (UTC)


 * The SVG files contain the following comment: "Created with Inkscape (http://www.inkscape.org/)". 149.32.224.39 (talk) 18:44, 20 October 2023 (UTC)

The boundary between
The term DMZ has been used to describe the boundary between autonomous networks, likely predating the adoption of the term by firewall vendors.

Cjcoleman 20060121

it was used for computation purposes too. —Preceding unsigned comment added by 59.177.41.244 (talk) 09:50, 24 December 2010 (UTC)

Whether DMZ can be one of the NIC of the firewall
Is it possible to configure one of the network card IP of the firewall(With 3 Network Card) as DMZ. One NIC to Internal network One NIC to external network

Response to above
I believe that many people do this: configure the one Firewall to be the connection between DMZ and LAN and External. However, if the Firewall is breached from the outside then there is the potential to get to the LAN as easily as they get to the DMZ. It is a more secure solution to use 2 Firewalls.

82.211.102.231 10:09, 1 December 2006 (UTC)Helen

Article title wrong?
Everyone understands that the term "DMZ" in computing is short for "demilitarized zone", but no one in computing ever actually says "demilitarized zone" (except in answer to the question "what does DMZ stand for?"). And the article reflects this; the full term is never used again after the first sentence.

So I think the article should be renamed to "DMZ (computing)", and the first paragraph updated accordingly. Or maybe even renamed to just "DMZ", with a disambiguation link to "Demilitarized zone" (since, eg, googling for "DMZ" turns up this article first and the military article second). —Preceding unsigned comment added by 24.99.22.247 (talk) 18:13, 30 May 2008 (UTC)


 * Done --h2g2bob (talk) 21:13, 28 October 2008 (UTC)

Article title wrong!
Better to call this a 'Data Management Zone'. —Preceding unsigned comment added by 194.110.215.6 (talk) 12:40, 10 March 2009 (UTC)

I'd like some source info on this. As a 13 year IT veteran and many other people I communicate with just as much if not more IT experience have NEVER heard of 'Data Management Zone' and would prefer this is removed. A DMZ in terms of computing does root from Demilitarized Zone and is best described as that or a Perimeter Network. My re-wording of that in the first sentence could be helped by someone more elegant in their writing skills. thanks. Turnpike420 (talk) 18:42, 14 December 2009 (UTC)

Dual Firewalls and security through obscurity
The Dual Firewalls section mentions that using two firewalls is either "defense in depth" or "security through obscurity" as if they are opposite viewpoints. However, using two firewalls is not considered pejorative in this case (the security through obscurity wikipedia entry specifically states it is a pejorative term). It's goal is not to simply hide the internal network by obscure means (the goal of a single or dual firewall with DMZ is to "obscure" the LAN from access by design), but would provide real extra protection in the case of a security hole being found in the first firewall that didn't exist in the one from a second vendor. Thus, it is defense in depth (if the first measure fails the second may stand), but does not rise to the level of security through obscurity because even if you told the world the brand of both firewalls in use (and even the configuration, assuming both are properly configured), a vulnerability in the first wouldn't necessarily allow access through the second. Davidszp (talk) 17:42, 5 April 2011 (UTC)

There is no documented case of the compromise of a correctly-configured firewall. The dual-skinned architecture began to be popular as a result of the discovery that a certain firewall vendor incorporated a backdoor into their platform, so any discussion of two brands of firewalls is based on a misconception. Gregmal (talk) 9:13, 6 May 2013 (UTC)

Industry advice is that there is no merit to having firewalls from two vendors and in fact the support overhead increases the risk of mis-configuration. See Gartner 'Debunking the Myth of the Single-Vendor Network' G00208758 from 17 November 2010. — Preceding unsigned comment added by 137.191.247.20 (talk) 15:17, 4 August 2015 (UTC)

Accidental misconfiguration is more likely to occur in one or more ways across the configuration interfaces of two different vendors, which now require competency for two (potentially very) different configurations. — Preceding unsigned comment added by 72.200.196.17 (talk) 22:08, 31 August 2015 (UTC)

Gartner G00208758 study actually finds that two vendors is beneficial: "Our findings show that most organizations should consider a dual-vendor or multivendor solution as a viable approach to building their network, as significant cost savings are achievable with no increase in network complexity, while improving the focus on meeting business requirements." Telempe (talk) 09:33, 4 July 2017 (UTC)

Propose merge
There is so much overlap between this article and its synonym, Screened subnet, that I think we should consider merging these two articles. Let's discuss. Stephen Charles Thompson (talk) 08:09, 17 October 2018 (UTC)

Which article should we keep?
I am not sure which article title would best encapsulate the merged content. Wikipedia manual of style probably suggests using the most authoritative or popular term. Let's add our findings in the sub-sections below. Stephen Charles Thompson (talk) 08:40, 17 October 2018 (UTC)

Screened subnet references: Screened subnet may be the original term.
 * NIST, 1994, SP 800-10: "two routers are used to create an inner, screened subnet. This subnet (sometimes referred to in other literature as the "DMZ")..."
 * O'Reilly & Associates, 1995: "The screened subnet architecture adds an extra layer of security to the screened host architecture by adding a perimeter network that further isolates the internal network from the Internet." Stephen Charles Thompson (talk) 08:40, 17 October 2018 (UTC)


 * I doubt there's a significant difference in age, as a Google Books search for DMZ firewall for 20th century also gives several books from the mid-1990s using the term, often without a sense of novelty. --Joy &#91;shallot&#93; (talk) 20:03, 17 October 2018 (UTC)


 * The 1994 ref uses both. 😊 All the best: Rich Farmbrough, 20:20, 17 October 2018 (UTC).

This SANS Institute GIAC paper in 2000 acknowledges the confusion in terms:
 * "There are a number of terms that are used, such as bastion hosts, screened subnets, DMZ, or perimeter networks that can be confusing, especially when used together." ... "Another term that may often causes confusion is the DMZ (demilitarized zone), as opposed to a screened subnet. A true DMZ is a network that contains hosts accessible from the internet with only the exterior, or border, router between them. These hosts are not protected by a screening router." ... "A screened subnet may also be a collection of hosts on a subnet, but these are located behind a screening router. The term DMZ may be used by a vendor to mean either, so it is best to verify which they mean." Stephen Charles Thompson (talk) 08:55, 17 October 2018 (UTC)

DMZ (computing) references:
 * Who coined the term "DMZ" and when? Stephen Charles Thompson (talk) 08:40, 17 October 2018 (UTC)


 * T|he earliest refs I can find on Googlebooks are 1994 (earlier matches ones were due to mis-dated items). It's not clear where the term comes from. All the best: Rich Farmbrough, 14:27, 18 October 2018 (UTC).


 * The term DMZ is by far more common than screened subnet. This is immediately apparent by Google search: network DMZ yields 10.4 million hits versus screened subnet which yields only 64 thousand hits.

Conclusion: I think that what has happened is that the first generation of firewalls were little more than screened routers, routers with packet filter capability (OSI Layer 3), such as ipchains. Firewalls became more advanced including features like stateful inspection operating at OSI Layer 4 and OSI Layer 5. The next generation of firewalls including application firewalls now operate at even higher layers in the OSI model. The term "screened" lost some relevance as layer 3 firewalls became obsolete. The apparent synonym, DMZ, did not become obsolete because the term was not linked to a specific functionality but rather to a desired effect. What do you think? Stephen Charles Thompson (talk)

Call for vote

 * I vote in favor of merging the contents of screened subnet to the article DMZ (computing) for the reasons listed above. Stephen Charles Thompson (talk) 21:54, 18 October 2018 (UTC)


 * Oppose. A DMZ is always located outside of the internal network and is a "middleground" where data can pass between the internal network and another one (most often the Internet). As the screened subnet article states..it can be entirely inside a network (ie: a sensitive R&D area or Human Resources Department, etc). They are similar concepts but they're not necessarily the same thing. Markvs88 (talk) 22:00, 18 October 2018 (UTC)
 * I'm not seeing that wording or getting that interpretation from the screened subnet article. What you are describing sounds more like Multitier architecture. If you have a good references for this, I think we should update the screened subnet article to reflect this. Stephen Charles Thompson (talk) 22:48, 18 October 2018 (UTC)


 * Oppose for now: some people define a screened subnet as 'triple-homed firewall'. This is a particular implementation of DMZ, and indeed be used for different purposes.  All the best: Rich Farmbrough, 10:26, 22 October 2018 (UTC).