In computer security, a DMZ or demilitarized zone (sometimes referred to as a perimeter network or screened subnet) is a physical or logical [[Subnet|subnetwork]] that contains and exposes an organization's external-facing services to an untrusted, usually larger, network such as the [[Internet]]. The purpose of a DMZ is to add a layer of security to an organization's [[Local Area Network (LAN)|local area network (LAN)]]: an external network node can access only what is exposed in the DMZ, while the rest of the organization's network is protected behind a [[Firewall|firewall]].^[[Control System Security DMZ | CISA](https://web.archive.org/web/20200609134629/https://www.us-cert.gov/ics/Control_System_Security_DMZ-Definition.html)] The DMZ functions as a small, isolated network positioned between the Internet and the private network.^[[What is a DMZ in Networking?](https://www.techtarget.com/searchsecurity/definition/DMZ)]
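
The access rule described above can be checked mechanically against a firewall rule set. The following is an added example, not taken from the cited sources: it models a first-match, default-drop policy for new connections and flags any accept rule that lets an Internet source reach past the DMZ. The subnets, the `Rule` fields and both rule sets are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing plan (assumption): everything else is "internet".
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "lan": ipaddress.ip_network("10.0.0.0/8"),
}

@dataclass(frozen=True)
class Rule:
    src: str              # source zone name, or "any"
    dst: str              # destination CIDR
    port: Optional[int]   # destination port, None = any port
    action: str           # "accept" or "drop"

def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    return next((z for z, net in ZONES.items() if ip in net), "internet")

def decide(rules, src_ip: str, dst_ip: str, port: int) -> str:
    """First-match verdict for a new connection; default is drop."""
    src_zone, dst = zone_of(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (r.src in ("any", src_zone)
                and dst in ipaddress.ip_network(r.dst)
                and r.port in (None, port)):
            return r.action
    return "drop"

def audit(rules):
    """Accept rules that let an Internet source reach beyond the DMZ.

    Conservative: does not account for shadowing by earlier drop rules.
    """
    return [r for r in rules
            if r.action == "accept" and r.src in ("any", "internet")
            and not ipaddress.ip_network(r.dst).subnet_of(ZONES["dmz"])]

# Constructed rule sets (not from the page).
GOOD = [
    Rule("internet", "192.0.2.10/32", 443, "accept"),  # public web server in DMZ
    Rule("lan", "0.0.0.0/0", None, "accept"),          # LAN may initiate outbound
]
BAD = GOOD + [Rule("any", "10.0.5.20/32", 3389, "accept")]  # exposes a LAN host
```

`audit(GOOD)` returns an empty list, while `audit(BAD)` returns the rule that opens a LAN host to any source, including the Internet.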