Firewall systems allow for the definition of access rules between two networks. However, in practice, companies generally have several subnetworks with different security policies. This is why it is necessary to set up firewall architectures that isolate a company's different networks. This is called "network isolation".
While some machines of the internal network need to be externally accessible (web servers, e-mail servers, FTP servers), sometimes it is necessary to create a new interface to a separate network that is accessible both from the internal network and externally without the risk of compromising company security. The term "demilitarised zone" or DMZ refers to this isolated zone that hosts the applications made available to the public. The DMZ acts as a "buffer zone" between the network that needs protecting and the hostile network.
The servers in the DMZ are called "bastion hosts" because they act as an outpost in the company's network.
The security policy for the DMZ is generally the following:
Thus, the DMZ possesses an intermediate security level that is not high enough for storing critical company data.
It should be noted that DMZs can be set up internally in order to isolate the internal network with varying levels of protection and avoid internal intrusions.