Glossary

DMZ (Demilitarized Zone)

A network segment placed between internal systems and external networks to limit and control traffic, especially for OT/IT in plants.

A DMZ (Demilitarized Zone) in networking is a controlled network segment that sits between an internal network and an external or less trusted network, such as the public internet or a partner network. It is used to host systems that must be reachable from outside while limiting direct access to critical internal systems.

What a DMZ includes

In industrial and manufacturing environments, a DMZ commonly refers to one or more network zones that:

  • Separate operational technology (OT) networks, such as control systems and PLCs, from information technology (IT) networks and the internet
  • Host intermediary systems like jump servers, proxy servers, historians, application gateways, remote access gateways or edge nodes
  • Apply strict, rules-based traffic control using firewalls, gateways, and monitoring tools

The DMZ is designed so that if a system in the DMZ is compromised, the attacker does not gain unrestricted access to internal business or control networks.

What a DMZ does not include

  • It is not the core internal network where business applications, MES, ERP, and controllers normally reside.
  • It is not a single product; rather, it is a network design pattern that uses multiple technologies (firewalls, routing rules, proxies, authentication services).
  • It is not the same as simple port forwarding or a flat network segment with no access controls.

DMZ in OT/IT manufacturing environments

In regulated and industrial settings, DMZs are often used to manage data exchange and remote access between plant-floor systems and corporate or external services. Examples include:

  • Placing an industrial historian or data broker in a DMZ between Level 3 (site operations) and enterprise IT networks to transfer production data
  • Using a remote access gateway in a DMZ to allow vendors to service equipment without direct access to control networks
  • Locating web front-ends, APIs, or file transfer services that must be reachable from outside partners but that only expose tightly controlled interfaces to internal MES or quality systems

Designs often align with recognized reference models for industrial control system segmentation, with separate firewalls and security policies on each side of the DMZ.

Operational considerations

In practice, managing a DMZ involves:

  • Defining which services and protocols are allowed in and out, and from which source and destination networks
  • Monitoring traffic and system logs for unusual activity
  • Keeping DMZ systems hardened and updated separately from both internal and external networks
  • Documenting data flows across the DMZ, especially where regulated data, audit trails, or electronic records are involved
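The allowlist, monitoring and data-flow documentation points above can be tied together in one small audit. The following is an added example, not code from the glossary: it checks accepted firewall log lines against a documented flow inventory and flags every cross-zone flow the inventory does not explain, including enterprise traffic that reached Level 3 directly and so bypassed the DMZ. The zone addressing, the log line format, the inventory entries and the historian port 5450 are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample addressing for three zones; real sites differ.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("172.16.30.0/24"),
    "ot_l3": ipaddress.ip_network("192.168.100.0/24"),  # site operations (Level 3)
}
# Documented data-flow inventory: (src zone, dst zone, proto, dport). Any accepted
# cross-zone flow missing from it is a finding, even though the firewall let it through.
ALLOWED_FLOWS = {
    ("enterprise", "dmz", "tcp", 443),   # enterprise reads production data from DMZ historian
    ("dmz", "ot_l3", "tcp", 5450),       # DMZ historian pulls from Level 3 historian (hypothetical port)
    ("enterprise", "dmz", "tcp", 3389),  # vendor remote access terminates on the DMZ jump server
}
# Assumed firewall log format (constructed); adapt the regex to your vendor's syslog.
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+) action=(\w+)")

def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def audit(log_lines):
    """Return (kind, line) for every accepted flow the inventory does not explain."""
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m.group(5) != "ACCEPT":
            continue  # unparsable, or a drop: the firewall did its job, only what got through matters
        src, dst, proto, dport, _ = m.groups()
        flow = (zone_of(src), zone_of(dst), proto.lower(), int(dport))
        if flow[0] == flow[1] or flow in ALLOWED_FLOWS:
            continue  # intra-zone traffic, or a documented crossing
        # Enterprise talking straight to Level 3 in either direction skipped the DMZ entirely.
        kind = "DMZ bypass" if {flow[0], flow[1]} == {"enterprise", "ot_l3"} else "undocumented flow"
        findings.append((kind, line))
    return findings
# Constructed sample log: two documented crossings, one bypass, one undocumented flow, one drop.
SAMPLE_LOG = [
    "2024-03-01T08:00:01Z src=10.10.5.20 dst=172.16.30.10 proto=tcp dport=443 action=ACCEPT",
    "2024-03-01T08:00:02Z src=172.16.30.10 dst=192.168.100.5 proto=tcp dport=5450 action=ACCEPT",
    "2024-03-01T08:00:03Z src=10.10.7.41 dst=192.168.100.5 proto=tcp dport=502 action=ACCEPT",
    "2024-03-01T08:00:04Z src=172.16.30.10 dst=192.168.100.20 proto=tcp dport=22 action=ACCEPT",
    "2024-03-01T08:00:05Z src=10.10.5.20 dst=172.16.30.10 proto=tcp dport=22 action=DROP",
]
```

Running `audit(SAMPLE_LOG)` yields two findings, the direct enterprise-to-Level 3 connection and the undocumented DMZ-to-Level 3 SSH session; a change-controlled inventory like `ALLOWED_FLOWS` is also the artifact an auditor asks for when reviewing DMZ traffic paths.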

Common confusion

  • DMZ vs. VLAN: A VLAN is a logical network segmentation method. A DMZ is a security architecture concept that may use VLANs, but also requires firewalling, routing, and access control policies.
  • DMZ vs. firewall: A firewall is a device or service enforcing traffic rules. A DMZ is the network zone created and protected by those rules.
  • DMZ vs. air gap: A DMZ still allows controlled connectivity. An air-gapped system is physically or logically isolated with no routine network connection.

Relation to regulated manufacturing

Within regulated manufacturing, DMZs are commonly used to control how production data, batch records, quality data, or equipment configurations move between plant systems and enterprise or cloud services. Clear separation and documentation of DMZ traffic paths can support cybersecurity programs and audit readiness.
