What is a DMZ in network security and when is it used?

Multiple Choice

Explanation:
A DMZ is a segregated network zone that hosts publicly accessible services while protecting internal networks. It sits between the Internet and the trusted internal network as a buffer: public servers such as web, mail, or DNS servers reside in the DMZ so external users can reach them, while the internal LAN stays shielded behind firewalls. This setup limits risk because traffic from the DMZ to the internal network is tightly controlled, so if a public server in the DMZ is compromised, attackers have a harder path to sensitive internal systems. A DMZ is typically used when you need to expose services to the Internet while keeping the private network safe, often with two firewalls enforcing strict rules at the Internet–DMZ boundary and at the DMZ–internal boundary. The other descriptions don’t fit a DMZ: a private internal subnet with no external access describes an internal network, a VPN encrypts site-to-site traffic, and a firewall rule to drop traffic is just a security policy, not a DMZ.
