Monday, October 5, 2009

Typical Web Architecture.

In computer security, a demilitarized zone (named after the military usage of the term and normally abbreviated to DMZ, also known as a Data Management Zone, Demarcation Zone or Perimeter Network) is a physical or logical subnetwork that contains and exposes an organization's external services to a larger, untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's Local Area Network (LAN): an external attacker only has access to equipment in the DMZ, rather than the whole of the network.

See more: DMZ - Wikipedia

A DMZ is typically used to host servers that need to be accessed from outside, such as e-mail, Web and DNS servers.

Here is a dual-firewall DMZ typical of enterprise web applications:



Typically, the DMZ is located between two firewalls and connects them.
The first firewall (also called the "front-end" firewall) must be configured to allow traffic destined both for the DMZ and for the internal network. The second firewall (also called the "back-end" firewall) allows only traffic from the DMZ to the internal network. The first firewall handles a much larger amount of traffic than the second firewall.

This scheme protects the application server and the database.
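
The two rule sets described above, modelled as an added Python example (not code from the original post). The subnets, sample addresses and function names are constructed assumptions, and only inbound flows are modelled.

```python
import ipaddress

# Constructed addressing plan (assumption; the page names no subnets).
DMZ = ipaddress.ip_network("192.0.2.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

def zone_of(addr):
    """Map an address to the zone it sits in."""
    ip = ipaddress.ip_address(addr)
    if ip in INTERNAL:
        return "internal"
    if ip in DMZ:
        return "dmz"
    return "internet"

def front_end_allows(src, dst):
    # Front-end firewall as described above: passes traffic destined
    # for the DMZ or for the internal network.
    return zone_of(dst) in ("dmz", "internal")

def back_end_allows(src, dst):
    # Back-end firewall: only DMZ-sourced traffic may enter the internal network.
    return zone_of(src) == "dmz" and zone_of(dst) == "internal"

# Firewalls crossed, in order, for each (source zone, destination zone) pair.
PATHS = {
    ("internet", "dmz"): [("front-end", front_end_allows)],
    ("internet", "internal"): [("front-end", front_end_allows),
                               ("back-end", back_end_allows)],
    ("dmz", "internal"): [("back-end", back_end_allows)],
}

def evaluate(src, dst):
    """Return (delivered, name of the firewall that dropped it or None)."""
    path = PATHS.get((zone_of(src), zone_of(dst)))
    if path is None:
        return False, "unmodelled"  # flow direction outside this sketch
    for name, allows in path:
        if not allows(src, dst):
            return False, name
    return True, None

if __name__ == "__main__":
    flows = [("203.0.113.7", "192.0.2.10"),   # Internet client -> DMZ web server
             ("203.0.113.7", "10.0.5.20"),    # Internet client -> internal database
             ("192.0.2.10", "10.0.5.20")]     # DMZ web server -> internal database
    for src, dst in flows:
        print(src, "->", dst, evaluate(src, dst))
```

The second flow passes the front-end firewall but is dropped at the back-end firewall, because its source is not in the DMZ.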
