Firewall Zones
The simplest zoning arrangement for a network protected by a firewall involves
two zones - the WAN and the LAN. The WAN zone effectively means "The Internet".
The firewall operates at the boundary between the Internet and the LAN. Diagrammatically,
it looks like this:

Most serious business networks that have servers exposed to the Internet will instead
use a zoning arrangement that includes a so-called Demilitarised Zone or DMZ. Traditionally,
this used to be achieved using two separate firewalls arranged like this:

Now, it is much more common for firewall devices to have multiple ports thereby
allowing the WAN, LAN and DMZ zones to be interconnected through a single firewall/router
unit as illustrated below:

The idea is that servers in the DMZ can be reached from the Internet, albeit in
a controlled manner. Workstations in the LAN can connect to servers on the Internet
or in the DMZ. However, servers in the DMZ should not normally be able to initiate
a connection to any device in the LAN (other than in exceptional and well-defined
circumstances). This means that the DMZ provides an extra layer of security. Even
if a server in the DMZ is compromised and someone with malicious intent takes complete
control of that server, they should not be able to access anything in the LAN.
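A small stateful model of the three-zone policy described above, added here as an example and not taken from the original article. The addresses, the services published from the DMZ (tcp/80 and tcp/443) and the single "well-defined" DMZ-to-LAN exception (one web server reaching one LAN database host on tcp/5432) are assumptions chosen for illustration; everything not explicitly allowed is dropped, and reply traffic is only accepted for connections the firewall has already admitted.

```python
import ipaddress

# Constructed addressing for the three zones named in the article.
LAN = ipaddress.ip_network("192.168.1.0/24")
DMZ = ipaddress.ip_network("10.10.0.0/24")


def zone_of(ip):
    """Map an address to its zone; anything outside LAN and DMZ is 'the Internet'."""
    addr = ipaddress.ip_address(ip)
    if addr in LAN:
        return "LAN"
    if addr in DMZ:
        return "DMZ"
    return "WAN"


# Rules for NEW connections only; first match wins, anything unmatched is denied.
# "ports" is a set of allowed (proto, dport) pairs, or None for any service.
# src_host/dst_host pin an exception to specific machines (assumed example hosts).
RULES = [
    {"src": "LAN", "dst": "WAN", "ports": None},
    {"src": "LAN", "dst": "DMZ", "ports": None},
    {"src": "WAN", "dst": "DMZ", "ports": {("tcp", 80), ("tcp", 443)}},
    # The one "exceptional and well-defined" DMZ -> LAN case (assumed):
    # the DMZ web server may reach the LAN database host on tcp/5432.
    {"src": "DMZ", "dst": "LAN", "ports": {("tcp", 5432)},
     "src_host": "10.10.0.5", "dst_host": "192.168.1.20"},
]


class ZoneFirewall:
    def __init__(self):
        # Established flows, stored as (src, sport, dst, dport, proto) of the initiator.
        self.conntrack = set()

    def filter(self, src, sport, dst, dport, proto="tcp"):
        """Return 'ACCEPT' or 'DROP' for one packet, updating connection state."""
        fwd = (src, sport, dst, dport, proto)
        rev = (dst, dport, src, sport, proto)
        if fwd in self.conntrack or rev in self.conntrack:
            return "ACCEPT"  # part of an admitted flow, in either direction
        sz, dz = zone_of(src), zone_of(dst)
        for r in RULES:
            if (r["src"], r["dst"]) != (sz, dz):
                continue
            if r.get("src_host", src) != src or r.get("dst_host", dst) != dst:
                continue
            if r["ports"] is not None and (proto, dport) not in r["ports"]:
                continue
            self.conntrack.add(fwd)  # remember the initiator so replies get through
            return "ACCEPT"
        return "DROP"  # default deny, including every WAN -> LAN and other DMZ -> LAN attempt
```

Note that a compromised DMZ host gains nothing from the LAN-to-DMZ rule: state is keyed on the initiator, so it can answer connections the LAN opened but cannot open new ones of its own beyond the pinned exception.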
