Distinction between an extranet and a DMZ [closed]

I've been reading about intranets, extranets, DMZs and VPNs now, and I'd need some clarifications related to extranets and DMZs. I understand that they are different types of concepts - an extranet allows limited access to some intranet resources, while a DMZ is a subnet that sits between the internet and the intranet and hosts the external-facing services. However, I'd like to know what their distinction is in practice in a usual setup? The Wikipedia article on extranets says that extranets are similar to DMZs because they are used for the same purpose (providing access to some services/resources without exposing the whole intranet). The article also states that an extranet is a part of a VPN, and this TechNet article also states that extranet access is often implemented similarly to remote intranet access, e.g. with a VPN. The TechNet article also says that commonly the extranet is hosted inside the DMZ. This Pearson article says "Although [the DMZ] is technically located within the intranet, [it] can serve as the extranet as well". This is slightly confusing.

Consider this scenario: A company has a B2C website hosted in the DMZ. The website can be accessed from anywhere, but requires user authentication. The underlying web app has its database inside the intranet and also interacts with some web services that are hosted inside the intranet (i.e. it accesses intranet resources). The way I see it, the website does effectively offer restricted access to the intranet. But can it be considered an extranet? If we take the Wikipedia definition of an extranet literally - "An extranet is a computer network that allows controlled access from outside of an organization's intranet" - I think it can.

Let's say that the above can't be considered an extranet. What if we change the scenario slightly, and say it's a B2B website, where the access is e.g. limited to connections coming from a specific business partner (by using site-to-site VPN, for example). In this case it surely is an extranet, right? If this is the case, then the difference between extranet services and any other services hosted in the DMZ is simply access restrictions?


These are academic distinctions. In the real world, you will find some combination of all of these concepts going by different terms.

In some organizations, a DMZ has a separate ISP network connection and has no access to internal resources. In other organizations, there are domain-joined machines in the DMZ that can communicate to a restricted set of internal machines. Sometimes internal and DMZ have separate firewalls. Sometimes they have separate interfaces on the same firewall.

It is important to know why someone should use an extranet or DMZ, because those are the security concepts that matter. From there, you can make a choice about how to allow access to certain resources. What it is actually called doesn't matter. In some cases, it is splitting hairs.


I don't think I've recently heard of an extranet outside of textbooks and classrooms.

A DMZ is a common networking topology with a network segment that is segregated by firewalls from the internal network and untrusted external networks (aka the internet).

In contrast, the extranet, if it is actually included in the network design, implies somewhat that it is connected to VPNs or actual private networks instead of the whole of the greater internet.

Many companies have multiple DMZ networks and would consider a network with a VPN gateway/router or a private interconnect just another DMZ.

More often an extranet is/was not so much a network topology but more implied to be a service separate from the internal network that is provided for a restricted set of somewhat trusted, known and/or authenticated external users, companies and networks.

From a networking perspective your webserver should reside in the DMZ network. The fact that your website allows your resellers to log in, browse your catalog, view stock and order, would mean that your website would be called an extranet by marketing departments. Development cost would go from $$ to $$$$.


For me, I boil this down to security policy. We have a written policy that no publicly accessible system will have inbound access to the intranet unless a specific exception is authorized. We also have a policy that the DMZ will not have inbound access to our intranet and that our extranet does. For example, we have a web server with a backend database that must sync data with an intranet-based database. We put the web server on the DMZ, the backend database on the extranet, and it syncs with the production intranet database. So for trust rating, the public network would be 0, DMZ would be 1, extranet would be 2, and intranet would be 3.
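The trust-rating policy in the answer above can be written down as a checkable rule set, which also makes it easy to see why the question's original design (DMZ web server talking straight to an intranet database) would be a policy violation while the answer's design (DMZ web server, extranet database, sync into the intranet) is not. The following is an added example, not code from any of the posters; the zone names, the `Flow` type, and the rule that non-intranet step-ups go one trust level at a time (so public cannot reach the extranet directly) are assumptions made here to turn the prose into something executable:

```python
"""Zone-trust model of the DMZ / extranet / intranet policy described above.

Added example (not from the original answers). Trust ratings follow the
answer: public 0, DMZ 1, extranet 2, intranet 3. The zone names, the Flow
type and the "one trust level per hop" rule for non-intranet destinations
are assumptions made here to turn the prose into a checkable rule set.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Trust rating per zone, as given in the answer.
TRUST = {"public": 0, "dmz": 1, "extranet": 2, "intranet": 3}


@dataclass(frozen=True)
class Flow:
    """One direction of connection initiation: src_zone opens a session to dst_zone."""
    src_zone: str
    dst_zone: str
    service: str  # label only (e.g. "https", "db"); constructed for readability


@dataclass
class ZonePolicy:
    # Authorized exceptions to "no inbound access to the intranet" (none by default).
    exceptions: Set[Flow] = field(default_factory=set)

    def decide(self, flow: Flow) -> Tuple[bool, str]:
        """Return (allowed, reason) for a flow, following the written policy."""
        for zone in (flow.src_zone, flow.dst_zone):
            if zone not in TRUST:
                raise ValueError(f"unknown zone: {zone}")
        src, dst = TRUST[flow.src_zone], TRUST[flow.dst_zone]

        # Sessions opened toward an equal or less trusted zone (intranet -> DMZ,
        # DMZ -> public, ...) are not "inbound" in the policy's sense.
        if src >= dst:
            return True, "toward equal or lower trust"

        if flow.dst_zone == "intranet":
            # The extranet is the one zone the policy allows inbound to the intranet.
            if flow.src_zone == "extranet":
                return True, "extranet may reach the intranet"
            # Anything else (DMZ or public) needs an authorized exception.
            if flow in self.exceptions:
                return True, "authorized exception"
            return False, "inbound to intranet without an authorized exception"

        # Assumption: other step-ups go one trust level at a time (public -> DMZ,
        # DMZ -> extranet); a flow that skips a level (public -> extranet) is denied.
        if dst - src == 1:
            return True, "one trust level up"
        return False, "skips a trust level"

    def violations(self, flows: List[Flow]) -> List[Flow]:
        """All flows in a design that the policy denies."""
        return [f for f in flows if not self.decide(f)[0]]


# Design from the answer: public -> DMZ web -> extranet DB -> intranet DB (sync).
ANSWER_DESIGN = [
    Flow("public", "dmz", "https"),
    Flow("dmz", "extranet", "db"),
    Flow("extranet", "intranet", "db-sync"),
]

# Design from the question: public -> DMZ web -> intranet DB and intranet web services.
QUESTION_DESIGN = [
    Flow("public", "dmz", "https"),
    Flow("dmz", "intranet", "db"),
    Flow("dmz", "intranet", "web-services"),
]

if __name__ == "__main__":
    policy = ZonePolicy()
    for name, design in (("answer", ANSWER_DESIGN), ("question", QUESTION_DESIGN)):
        print(name, "design violations:", policy.violations(design))
```

Running it lists no violations for the answer's design and two for the question's design (both DMZ-to-intranet flows). Adding one of those flows to `exceptions` models the "specific exception is authorized" clause: the exception is a deliberate, reviewable hole in the rule rather than a change to the zone layout, which is the practical reason the answer keeps an extranet tier between the DMZ and the intranet.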