The DMZ (Demilitarized Zone) hosts servers that must be reachable from the Internet, such as web servers, mail servers, and authoritative DNS servers. It sits between the inside and outside zones at an intermediate trust level: less trusted than the internal network, because its hosts are exposed to attack, but more trusted than the Internet.
Typical policies:
- Permit outside-to-DMZ only for the specific published services (for a web server, HTTP on TCP port 80 and HTTPS on TCP port 443); everything else from outside is denied
- Permit inside-to-DMZ for management
- Deny DMZ-to-inside by default (if a DMZ server is compromised, the attacker cannot use it to initiate connections into the internal network). Where a DMZ host genuinely needs an internal backend (for example a database), add a narrow exception scoped to that one destination host and port rather than opening the zone; return traffic for connections initiated from inside is handled by the firewall's stateful connection tracking, not by a DMZ-to-inside permit rule
This design limits the damage of a DMZ breach: a compromised DMZ server can reach the internal network only through the exceptions you explicitly permitted, so each of those exceptions should be audited as a potential pivot path.
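The policy above as a small zone-based rule evaluator, written here as an added example rather than code taken from the page. It models first-match rules with an explicit default deny, a host-scoped DMZ-to-inside exception for a database, and an audit helper that lists every path a compromised DMZ host could take into the inside zone. The address ranges, the web host 192.0.2.10, the database host 10.1.5.10 and the ports are constructed for illustration.

```python
"""Zone-based firewall policy model for a three-zone (outside/DMZ/inside) design.

Added example; not code from the original page. Zone ranges, hosts and ports
below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed address plan (assumption): one subnet per named zone.
# Anything outside these ranges is treated as the "outside" zone.
ZONES = {
    "inside": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),  # TEST-NET-1, used as a stand-in
}


def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "outside"


@dataclass(frozen=True)
class Rule:
    src_zone: str            # zone name or "any"
    dst_zone: str            # zone name or "any"
    proto: str               # "tcp", "udp" or "any"
    dports: frozenset        # empty = any destination port
    action: str              # "permit" or "deny"
    dst_hosts: frozenset = frozenset()  # empty = any host in dst_zone
    comment: str = ""


# First match wins. The last rule is the explicit default deny.
POLICY = [
    Rule("outside", "dmz", "tcp", frozenset({80, 443}), "permit", comment="public web"),
    Rule("inside", "dmz", "tcp", frozenset({22}), "permit", comment="SSH management"),
    # Narrow exception: only the web tier -> one database host, one port.
    Rule("dmz", "inside", "tcp", frozenset({5432}), "permit",
         dst_hosts=frozenset({"10.1.5.10"}), comment="app -> postgres"),
    Rule("dmz", "inside", "any", frozenset(), "deny", comment="no pivot into inside"),
    Rule("any", "any", "any", frozenset(), "deny", comment="default deny"),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def evaluate(flow: Flow, policy=POLICY):
    """Return (action, matching_rule) for the first packet of a new connection.

    Only the initiating direction is evaluated: replies to an accepted
    connection are assumed to be allowed by stateful connection tracking,
    which is why no DMZ-to-inside permit is needed for inside-initiated SSH.
    """
    sz, dz = zone_of(flow.src), zone_of(flow.dst)
    for r in policy:
        if r.src_zone not in ("any", sz):
            continue
        if r.dst_zone not in ("any", dz):
            continue
        if r.proto not in ("any", flow.proto):
            continue
        if r.dports and flow.dport not in r.dports:
            continue
        if r.dst_hosts and flow.dst not in r.dst_hosts:
            continue
        return r.action, r
    return "deny", None  # unreachable while the explicit default deny is present


def audit_lateral_paths(policy=POLICY):
    """Every permit rule that lets DMZ hosts initiate into inside.

    These are exactly the paths a compromised DMZ server can use; each should
    be scoped to specific destination hosts and ports.
    """
    return [r for r in policy
            if r.action == "permit" and r.src_zone == "dmz" and r.dst_zone == "inside"]


if __name__ == "__main__":
    samples = [
        Flow("203.0.113.7", "192.0.2.10", "tcp", 443),   # Internet -> web server
        Flow("203.0.113.7", "192.0.2.10", "tcp", 22),    # Internet -> SSH on DMZ host
        Flow("10.0.0.5", "192.0.2.10", "tcp", 22),       # admin -> DMZ management
        Flow("192.0.2.10", "10.1.5.10", "tcp", 5432),    # web tier -> database
        Flow("192.0.2.10", "10.1.5.10", "tcp", 445),     # compromised DMZ host -> SMB
        Flow("192.0.2.10", "10.1.5.11", "tcp", 5432),    # DMZ -> a different inside host
    ]
    for f in samples:
        action, rule = evaluate(f)
        print(f"{f.src:>13} -> {f.dst:<11} {f.proto}/{f.dport:<5} {action:<6} ({rule.comment})")
    for r in audit_lateral_paths():
        print("DMZ->inside path:", r.comment, sorted(r.dst_hosts), sorted(r.dports))
```

Running the block prints one line per sample flow; the audit at the end should list only the single database exception. If a later change adds a broad DMZ-to-inside permit, it shows up in that list, which is the check to run whenever the policy is edited.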