What is a DMZ (Demilitarized Zone)?
A DMZ (Demilitarized Zone) is an isolated network segment placed between an internal network (such as IT or OT) and an external network (such as the internet).
The purpose of a DMZ is to shield sensitive systems while still making certain services or systems securely available from outside (e.g. for remote access, data exchange or monitoring). Externally reachable services are placed in the DMZ, so an attacker who compromises one of them is still separated from the internal network by a second layer of filtering.
🧱 What does a DMZ do?
A DMZ:
- Isolates externally reachable services from the internal network
- Limits the impact of a breach: an attacker who compromises an exposed service lands in the DMZ, not directly on the internal network
- Enables controlled, explicitly defined communication between IT and OT, or between the internet and internal systems
📦 Examples of systems in a DMZ
| System | Function within the DMZ |
|---|---|
| Jump server | Single, auditable entry point for administrative access to internal systems |
| Data broker / proxy | Forwarding SCADA/MES data to external parties |
| Historian replication | Synchronisation of process data to IT or cloud |
| Remote access gateway | Secured access for suppliers or maintenance teams |
| Web server / API gateway | Publishing services without direct access to internal systems |
🔐 How is a DMZ secured?
- Firewalls on both sides: one between the DMZ and the internet, one between the DMZ and the internal network
- Traffic allowlisting (whitelisting): default deny, so only explicitly permitted combinations of source, destination, protocol and port are allowed
- Monitoring and logging: inspection of access and behaviour within the DMZ, since the DMZ is where attacks against exposed services first show up
- No direct connections between the internet and OT/SCADA systems: every external session terminates on a DMZ host, and a separate, separately filtered session continues inward
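As an added illustration of these four points (this is example code, not part of the original page), the following Python models the two-firewall layout with default-deny allowlists, evaluates a vendor remote-access scenario hop by hop, and audits a rule set for the internet-to-OT shortcut that the last point forbids. The zone names, ports, rule descriptions and function names are constructed assumptions.

```python
"""Zone-based model of a two-firewall DMZ: default deny, explicit allowlists,
and an audit that no rule lets the internet reach OT without a DMZ hop.

Added example. Zone names, ports, rule descriptions and function names are
constructed for illustration and are not taken from the page this accompanies.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Zones in order of trust; a flow crosses every firewall between src and dst.
ZONE_ORDER = ["internet", "dmz", "ot"]


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    port: int
    note: str = ""


# Firewalls are keyed by the adjacent zone pair they sit between.
Firewalls = Dict[Tuple[str, str], List[Rule]]

# Constructed sample policy: outer firewall (internet <-> DMZ) and inner
# firewall (DMZ <-> OT). Anything not listed is denied.
SAMPLE_POLICY: Firewalls = {
    ("internet", "dmz"): [
        Rule("internet", "dmz", "tcp", 443, "vendor VPN to remote access gateway"),
        Rule("dmz", "internet", "tcp", 443, "historian replica pushes to cloud"),
    ],
    ("dmz", "ot"): [
        Rule("dmz", "ot", "tcp", 3389, "jump server RDP to engineering workstation"),
        Rule("ot", "dmz", "tcp", 5432, "OT historian pushes to DMZ replica"),
    ],
}


def hops(src: str, dst: str) -> List[Tuple[str, str]]:
    """Adjacent zone pairs (firewalls) a flow from src to dst must traverse."""
    i, j = ZONE_ORDER.index(src), ZONE_ORDER.index(dst)
    step = 1 if j > i else -1
    pairs: List[Tuple[str, str]] = []
    for k in range(i, j, step):
        lo, hi = sorted((ZONE_ORDER[k], ZONE_ORDER[k + step]), key=ZONE_ORDER.index)
        pairs.append((lo, hi))
    return pairs


def permits(rules: List[Rule], src: str, dst: str, proto: str, port: int) -> bool:
    """Allowlist semantics: a flow passes only on an exact explicit match."""
    return any(r.src == src and r.dst == dst and r.proto == proto and r.port == port
               for r in rules)


def is_allowed(policy: Firewalls, src: str, dst: str, proto: str, port: int) -> bool:
    """A flow is allowed only if every firewall on its path explicitly permits it.

    A session from the internet that terminates on a DMZ host and a second
    session from that host into OT are two separate flows, each checked on its
    own; that is what makes the DMZ a broker rather than a pipe. Traffic that
    stays inside one zone crosses no firewall here and is not filtered.
    """
    return all(permits(policy[fw], src, dst, proto, port) for fw in hops(src, dst))


def audit(policy: Firewalls) -> List[str]:
    """Flag rules whose endpoints are not adjacent zones: such a rule would let
    the internet and OT talk without terminating in the DMZ."""
    findings = []
    for fw, rules in policy.items():
        for r in rules:
            if len(hops(r.src, r.dst)) > 1:
                findings.append(f"firewall {fw[0]}<->{fw[1]}: {r.src}->{r.dst}:"
                                f"{r.port}/{r.proto} ({r.note}) bypasses the DMZ")
    return findings


def vendor_session_walkthrough(policy: Firewalls) -> Dict[str, bool]:
    """Supported path: vendor -> remote access gateway (DMZ) -> jump server -> OT,
    versus the same vendor trying to reach OT directly."""
    return {
        "internet->dmz:443": is_allowed(policy, "internet", "dmz", "tcp", 443),
        "dmz->ot:3389": is_allowed(policy, "dmz", "ot", "tcp", 3389),
        "internet->ot:3389": is_allowed(policy, "internet", "ot", "tcp", 3389),
        "internet->ot:502": is_allowed(policy, "internet", "ot", "tcp", 502),
    }


def with_shortcut(policy: Firewalls) -> Firewalls:
    """Copy of the policy with the classic anti-pattern: a 'temporary' rule on
    both firewalls letting a vendor reach a PLC on Modbus/TCP straight from the internet."""
    bad = {fw: list(rules) for fw, rules in policy.items()}
    shortcut = Rule("internet", "ot", "tcp", 502, "vendor direct to PLC, TEMPORARY")
    for fw in bad:
        bad[fw].append(shortcut)
    return bad


if __name__ == "__main__":
    for flow, ok in vendor_session_walkthrough(SAMPLE_POLICY).items():
        print(f"{flow:<20} {'ALLOW' if ok else 'DENY'}")
    print("audit of sample policy:", audit(SAMPLE_POLICY) or "clean")
    bad = with_shortcut(SAMPLE_POLICY)
    print("internet->ot:502 with shortcut:", is_allowed(bad, "internet", "ot", "tcp", 502))
    for finding in audit(bad):
        print("FINDING:", finding)
```

The walkthrough shows the intended pattern: the vendor's connection is allowed only as far as the DMZ gateway, and reaching OT requires a second connection that originates on the jump server and is judged by the inner firewall on its own merits. The `audit` function reproduces, as a policy check, the rule that no single flow may span internet and OT; run it against exported rule sets whenever a "temporary" exception is requested.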
🔄 DMZ in industrial networks (Purdue model)
In an OT environment, the DMZ typically sits between:
✅ Benefits of a DMZ
- Improves network segmentation and overall security posture
- Enables external access without exposing internal systems directly
- Supports compliance (e.g. ISO 27001, IEC 62443)
- Contains the damage from a compromised exposed service to the DMZ layer
📌 In summary
A DMZ is an additional security layer between the internal network and the outside world, enabling controlled access without exposing critical systems such as SCADA or MES directly.
