DMZ

A perimeter network segment that exposes external-facing services while shielding the internal network.

A DMZ (screened subnet) holds internet-facing services — web, mail, DNS — between firewall boundaries so a compromise there can’t directly reach internal data. DMZ hosts should be hardened and minimally privileged; modern designs increasingly replace the single perimeter DMZ with micro-segmentation and zero-trust controls.
