Definition
In networking, a DMZ (demilitarized zone), also called a perimeter network or screened subnet, is an isolated subnet that sits between the untrusted internet and your trusted internal network. Its purpose is to host the services that must be reachable from outside, while keeping them logically separated from sensitive internal systems. If an exposed server is compromised, the attacker lands in the DMZ rather than directly inside the LAN, which sharply limits how far the breach can spread.
What lives in a DMZ
Typical DMZ residents are exactly the public-facing services a self-hoster runs: web servers, mail servers, reverse proxies, public DNS, and VPN or file-transfer endpoints. Internal resources such as databases, file shares, and workstations stay on the private network and are never directly exposed. The standard pattern is a firewall enforcing two boundaries: a permissive set of rules for internet-to-DMZ traffic, and a far stricter set for DMZ-to-internal traffic, so a captured web server cannot freely reach the database it talks to.
Why it matters for sovereignty
A DMZ is the practical embodiment of the principle that exposed and trusted systems should never share a security boundary. For a sovereign operator running services from home or a small rack, segmenting a DMZ, often as its own VLAN with its own subnet, contains the blast radius of any single compromise. It is enforced and shaped entirely by the rules you configure on your firewall.
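The two-boundary rule set described above, modelled as a first-match policy table in Python so the "captured web server cannot reach anything but its database port" property can be checked flow by flow. This is an added illustration, not part of the glossary entry; the zones, addresses and ports are constructed for the example and stand in for whatever your firewall actually uses.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for this example (assumption, not from the page):
# DMZ and LAN are separate subnets; anything else is treated as the internet.
DMZ = ip_network("10.0.20.0/24")
LAN = ip_network("10.0.10.0/24")
WEB = ip_address("10.0.20.10")   # public web server, lives in the DMZ
DB = ip_address("10.0.10.5")     # database it talks to, lives on the LAN

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

def zone(addr: str) -> str:
    a = ip_address(addr)
    return "dmz" if a in DMZ else "lan" if a in LAN else "wan"

# First-match rule table: (source zone, destination zone, predicate, verdict).
# Anything not matched is dropped, so the forward path is default-deny and
# each permitted hole must be named explicitly.
RULES = [
    # Boundary 1 (permissive): internet -> DMZ, but only the published ports.
    ("wan", "dmz", lambda f: ip_address(f.dst) == WEB and f.dport in (80, 443), "accept"),
    # Boundary 2 (strict): DMZ -> LAN, only web server -> DB on its one port,
    # so a captured web server cannot roam the internal network.
    ("dmz", "lan", lambda f: ip_address(f.src) == WEB
                             and ip_address(f.dst) == DB and f.dport == 5432, "accept"),
    # Administration from the LAN into the DMZ; the reverse direction stays closed.
    ("lan", "dmz", lambda f: True, "accept"),
    # DMZ hosts may fetch updates; narrow this to a package mirror if you can.
    ("dmz", "wan", lambda f: f.dport in (80, 443), "accept"),
]

def verdict(flow: Flow) -> str:
    """Return 'accept' or 'drop' for a new connection (stateless model:
    a real firewall also accepts established/related return traffic)."""
    src_zone, dst_zone = zone(flow.src), zone(flow.dst)
    for s, d, pred, action in RULES:
        if src_zone == s and dst_zone == d and pred(flow):
            return action
    return "drop"

if __name__ == "__main__":
    for f in (Flow("203.0.113.7", str(WEB), 443), Flow(str(WEB), str(DB), 5432),
              Flow(str(WEB), "10.0.10.50", 445), Flow("203.0.113.7", str(DB), 5432)):
        print(f"{f.src} -> {f.dst}:{f.dport}: {verdict(f)}")
```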
