DMZ是英文“Demilitarized Zone”的縮寫，它是為了解決安裝防火牆後外部網路不能訪問內部網路伺服器的問題，而設立的一個非安全系統與安全系統之間的緩衝區，這個緩衝區位於企業內部網路和外部網路之間的小網路區域內，在這個小網路區域內可以放置一些必須公開的伺服器設施，如企業Web伺服器、FTP伺服器和論壇等，另一方面，通過這樣一個DMZ區域，更加有效地保護了內部網路，因為這種網路部署，比起一般的防火牆方案，對攻擊者來說又多了一道關卡。自從防火牆出現以來，DMZ區已經是網路設計的標準組建。什麼樣的服務需要放到DMZ區？任何需要使用者從外網訪問的服務都可以放到DMZ區，常見的服務有：Web servers、Mail servers、FTP servers、VoIP servers....
As a general rule, a DMZ server should never contain any valuable data, so even if someone managed to break into a server in the DMZ, the damage would be minor.外網、DMZ區、內網訪問的控制策略

摘自Stackoverflow，To summarize - there are three "areas" - the big, bad outside world, your pure and virginal inside world, and the well known, trusted, safe DMZ.

The rules are:

1. Connections from outside can only get to hosts in the DMZ, and on specific ports (80, 443, etc);
2. Connections from the outside to the inside are blocked absolutely;
3. Connections from the inside to either the DMZ or the outside are fine and dandy;
4. Only hosts in the DMZ may establish connections to the inside, and again, only on well known and permitted ports.

DMZ區兩種主流的設計架構：單防火牆:
雙防火牆: