In networking jargon, a DMZ is usually a part of a private network that has part of its services available to the general internet traffic.

Imagine you want to host your own publicly available web server within your office, where you have a small LAN. You want people to be able to reach your office from the internet, because they need to query your web server and access its pages, but you would not want them to browse your own PC's or file servers. The solution in this case is usually to use a firewall (something like a properly configured linux box with multiple network cards or a hardware solution like a Cisco PIX) that allows for multiple protected zones on each of its nework cards.

In our simple case we would likely have three separate nertwork cards:

  • one going to the general internet;
  • one going to the office LAN; machines "behind" this port are rendered completely invisible from the internet, likely using NAT and port filtering;
  • one going to the DMZ; machines here are partially visible from the internet using appropriate port filtering rules.
This way you can share the same internet connection pipe between your web server and your office, with full security.