Firewalls may be used to create multiple zones of trust, such as a hierarchy
of increasingly trusted zones. A common arrangement involves three
zones of trust: the internal network, the DMZ (“demilitarized zone”), and
the rest of the Internet. The DMZ is used to hold services such as DNS
and email servers that need to be accessible to the outside. Both the internal
network and the outside world can access the DMZ, but hosts in the
DMZ cannot access the internal network; therefore, an adversary who
succeeds in compromising a host in the exposed DMZ still cannot access
the internal network. The DMZ can be periodically restored to a clean
state.
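
The three-zone policy described above can be modeled as a small stateful filter. This is an added example, not code from the original text. The address ranges, the default-deny treatment of every zone pair the text does not mention, and the names zone_of, MAY_INITIATE, ZoneFirewall and demo are assumptions made for illustration.

```python
import ipaddress

# Constructed addressing plan (assumption; the text names no addresses).
INTERNAL = ipaddress.ip_network("10.0.0.0/16")
DMZ = ipaddress.ip_network("192.0.2.0/24")

def zone_of(addr):
    """Map an address to one of the three zones of trust."""
    ip = ipaddress.ip_address(addr)
    if ip in INTERNAL:
        return "internal"
    if ip in DMZ:
        return "dmz"
    return "internet"

# Zone pairs that may open a NEW connection. Both pairs come from the text.
# Every other pair is dropped (default deny, an assumption), which covers
# dmz -> internal as the text requires.
MAY_INITIATE = {("internal", "dmz"), ("internet", "dmz")}

class ZoneFirewall:
    def __init__(self):
        self.established = set()  # flows opened by a permitted initiator

    def packet(self, src, sport, dst, dport, syn=False):
        """Return 'accept' or 'drop' for one TCP packet crossing the firewall."""
        flow = (src, sport, dst, dport)
        reverse = (dst, dport, src, sport)
        if flow in self.established or reverse in self.established:
            return "accept"  # belongs to a connection that was already allowed
        if syn and (zone_of(src), zone_of(dst)) in MAY_INITIATE:
            self.established.add(flow)
            return "accept"
        return "drop"

def demo():
    """Run constructed sample packets through one firewall instance."""
    fw = ZoneFirewall()
    return [
        fw.packet("10.0.5.20", 40000, "192.0.2.25", 25, syn=True),   # internal -> DMZ mail
        fw.packet("192.0.2.25", 25, "10.0.5.20", 40000),             # reply on that flow
        fw.packet("203.0.113.9", 53000, "192.0.2.53", 53, syn=True), # internet -> DMZ DNS
        fw.packet("192.0.2.25", 41000, "10.0.5.20", 22, syn=True),   # DMZ opens inward
        fw.packet("203.0.113.9", 53001, "10.0.5.20", 22, syn=True),  # internet -> internal
    ]

if __name__ == "__main__":
    print(demo())
```

The second packet shows why the rule is about who initiates: the DMZ server may answer an internal client on a connection the client opened, but it can never open one itself.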