What does the DMZ setting on routers do
Description: This technical article will show what a DMZ is, what it can be used for on home routers, and how it is different from a commercial DMZ.
NOTE: A device configured as a DMZ host will be vulnerable to remote attack, so this setting should be used with extreme caution.
The vast majority of wireless routers on the market today offer functionality for what is called a DMZ Host. The term is borrowed from military applications and refers to a Demilitarized Zone. It is used because a DMZ host sits between the external internet and the internal network and is not covered by any of the firewall protections granted to the other devices on the internal network. This can be beneficial at times, but for the most part, it is recommended not to configure a DMZ host.
Having a DMZ host configured in a network is only truly necessary if certain applications on the device require unblocked access from the internet. For the most part, this can be achieved using port forwarding or virtual servers, but in some cases this is not feasible due to the sheer number of ports needed. It is in these situations that a DMZ host can be set up.
Any device that is configured as a DMZ host on a router is excluded from the firewall protections that the router offers. This means that all ports on the device are externally accessible, which is good for the purposes of applications that require this kind of access, but it also allows for the possibility of a remote attack on the device. It is for this reason that the DMZ host should only be configured as a last resort. A DMZ host also has full access to the other internal devices, so if the DMZ host were compromised, the rest of the network could be vulnerable as well. This is where a DMZ host differs from a commercial DMZ.
In a commercial DMZ, a separate network is configured for the various devices contained therein. This provides added security: the devices in the DMZ have only limited access to devices on the internal network, and that access can be carefully monitored and controlled. This way, the benefits of having the ports on the devices accessible from the internet are gained without losing the security of having a firewall. Should a device in the DMZ become compromised, the attacker will still have a hard time getting into the internal network.
Generally speaking, it is recommended to disable the DMZ host when it is not absolutely necessary. This way, the network is only exposed during the period when the DMZ host is configured, instead of being exposed all of the time.
As mentioned previously, using port forwarding or virtual servers should allow for the vast majority of applications to function properly, but for the few that cannot be configured in this way, the DMZ host may be used. Port forwarding and virtual servers are recommended because they allow only particular ports on the device to be exposed to the internet instead of allowing all ports to be exposed, thus providing additional security against intrusion.
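The following is an added example, not code from the original article or from any router vendor. It is a small stateless policy model that makes the three configurations compared above concrete: a port forward (one port of one host reachable), a home-router DMZ host (every port reachable, and the host still on the LAN with full access inward), and a commercial DMZ (the server on its own segment, with only the one path it needs into the internal network permitted). All addresses, subnets, port numbers and the "database" host are constructed sample values; the rule matching is deliberately simplified and is not a real firewall.

```python
# Added example, not code from the original article or any router vendor: a
# small stateless policy model that makes the exposure differences between a
# port forward, a home-router "DMZ host" and a commercial DMZ concrete.
# All addresses, subnets and ports below are constructed sample values.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed topology: one trusted internal LAN and one separate DMZ segment
# (the latter only exists in the commercial layout). Anything else is "internet".
LAN = ip_network("192.168.1.0/24")
DMZ_NET = ip_network("10.0.2.0/24")


def zone_of(ip: str) -> str:
    """Classify an address into the zone the router sees it coming from."""
    addr = ip_address(ip)
    if addr in LAN:
        return "lan"
    if addr in DMZ_NET:
        return "dmz"
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: Optional[str]   # "internet", "lan", "dmz", or None for any source
    dst: Optional[str]        # a host address, a zone name, or None for any destination
    dport: Optional[int]      # TCP/UDP destination port, or None for all ports
    action: str               # "allow" or "deny"

    def matches(self, src: str, dst: str, dport: int) -> bool:
        if self.src_zone is not None and zone_of(src) != self.src_zone:
            return False
        if self.dst is not None and self.dst != dst and zone_of(dst) != self.dst:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def evaluate(policy: List[Rule], src: str, dst: str, dport: int) -> str:
    """First matching rule wins; an unmatched flow is dropped (default deny)."""
    for rule in policy:
        if rule.matches(src, dst, dport):
            return rule.action
    return "deny"


def port_forward_policy(server: str, port: int) -> List[Rule]:
    """Virtual server / port forward: exactly one port of one host is reachable."""
    return [
        Rule("internet", server, port, "allow"),
        Rule("lan", None, None, "allow"),   # internal hosts may talk to anything
    ]


def dmz_host_policy(host: str) -> List[Rule]:
    """Home-router DMZ host: every port of the host is reachable, and the host
    stays on the LAN, so it keeps full access to the other internal devices."""
    return [
        Rule("internet", host, None, "allow"),
        Rule("lan", None, None, "allow"),
    ]


def commercial_dmz_policy(server: str, public_port: int, db: str, db_port: int) -> List[Rule]:
    """Commercial DMZ: the server lives on its own segment; only the one path it
    needs into the LAN (here a constructed database port) is permitted."""
    return [
        Rule("internet", server, public_port, "allow"),
        Rule("dmz", db, db_port, "allow"),
        Rule("dmz", "lan", None, "deny"),   # everything else from DMZ into LAN is blocked
        Rule("lan", None, None, "allow"),
    ]


def exposed_ports(policy: List[Rule], host: str, ports: List[int],
                  outside: str = "203.0.113.5") -> List[int]:
    """Which of the candidate ports an internet address can reach on `host`."""
    return sorted(p for p in ports if evaluate(policy, outside, host, p) == "allow")


if __name__ == "__main__":
    probe = [22, 80, 443, 3389]
    pf = port_forward_policy("192.168.1.10", 443)
    dmz = dmz_host_policy("192.168.1.10")
    cdmz = commercial_dmz_policy("10.0.2.10", 443, "192.168.1.30", 5432)
    print("port forward exposes:  ", exposed_ports(pf, "192.168.1.10", probe))
    print("DMZ host exposes:      ", exposed_ports(dmz, "192.168.1.10", probe))
    print("commercial DMZ exposes:", exposed_ports(cdmz, "10.0.2.10", probe))
    # What a compromised exposed host can still reach on the LAN in each layout:
    print("DMZ host -> laptop SMB:  ", evaluate(dmz, "192.168.1.10", "192.168.1.20", 445))
    print("DMZ server -> laptop SMB:", evaluate(cdmz, "10.0.2.10", "192.168.1.20", 445))
```

Running the script shows the port forward exposing only port 443 and the DMZ host exposing every probed port, while the commercial layout exposes only port 443 and, even if that server were compromised, lets it reach the constructed database port but nothing else on the internal network. The home-router DMZ host, by contrast, can reach any internal device, which is the difference the article describes.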