Hello Nihar
Enterprise networks that host their own Internet-facing services, such as web servers, will typically use a DMZ. This is because the security features required to protect internal hosts are generally different from those required to protect Internet-facing servers. Because of this difference, it is generally more convenient to separate these types of hosts into two different regions, specifically the inside network and the DMZ.
Specifically, the internal network contains hosts that:
- are end-user devices (PCs, laptops, IP phones, tablets, smartphones, etc.)
- require access to the internet
- have extensive filtering to regulate what content from the internet is accessible by the hosts
- block all access from the internet to the inside hosts
Conversely, devices in the DMZ are hosts that:
- must be accessible from the internet
- have much fewer filtering rules, but still maintain some level of filtering for security
Because of these differences, it is much more convenient to apply these rules to whole subnets/network segments (inside and DMZ) and segregate them rather than applying these rules on an IP by IP address basis.
In addition, if a server in the DMZ does become compromised by an attack, any such attack will be confined to the DMZ and will not affect the internal network. If the servers were on the same subnet as the end users, then any attack may also affect other devices on that subnet.
Although it is possible to have all devices on the inside network, for the reasons mentioned it is best practice to segregate your network into the DMZ and the internal network. It is easier to manage and more secure.
I hope this has been helpful!
Laz
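To make the zone-based idea in the answer above concrete, here is an added example (not part of the original post, and not from any real firewall product) that models a three-zone policy: inside, DMZ and everything else treated as the Internet. The address ranges, ports, rule set and sample flows are constructed for illustration. Rules are written against zones, so a host picks up its policy from the subnet it sits in rather than needing its own entries; the last two rules are the ones that keep a compromised DMZ server from initiating connections inward.

```python
"""Zone-based firewall policy model: inside network, DMZ and the Internet.

Constructed example (assumption): the address ranges, ports and rule set
below are illustrative, not taken from any real deployment.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Zone membership is decided per subnet, not per host address.
ZONES = {
    "inside": [ipaddress.ip_network("10.10.0.0/16")],
    "dmz": [ipaddress.ip_network("192.0.2.0/24")],
}
# Anything not in a named zone is treated as the Internet.
DEFAULT_ZONE = "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str              # "tcp", "udp" or "*" for any
    dport: Optional[int]    # None matches any destination port
    action: str             # "allow" or "deny"


# Ordered rule base; first match wins; anything unmatched is denied.
# Because the rules name zones, adding a host to a subnet automatically
# puts it under that subnet's policy.
POLICY = [
    # Inside -> Internet: allowed, but only for the protocols the
    # content filter handles (web and DNS). Everything else falls to
    # the default deny at the end.
    Rule("inside", "internet", "tcp", 80, "allow"),
    Rule("inside", "internet", "tcp", 443, "allow"),
    Rule("inside", "internet", "udp", 53, "allow"),
    # Inside -> DMZ: end users may use the published service.
    Rule("inside", "dmz", "tcp", 443, "allow"),
    # Internet -> DMZ: only the published service port is reachable.
    Rule("internet", "dmz", "tcp", 443, "allow"),
    # Internet -> inside and DMZ -> inside: never initiated. The DMZ
    # rule is what stops a compromised DMZ server from pivoting inward.
    Rule("internet", "inside", "*", None, "deny"),
    Rule("dmz", "inside", "*", None, "deny"),
]


def zone_of(ip: str) -> str:
    """Map an address to its zone by subnet membership."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return DEFAULT_ZONE


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Return "allow" or "deny" for the first packet of a new connection.

    Only connection initiation is modelled; a stateful firewall would
    permit the reply packets of an allowed connection automatically.
    """
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in POLICY:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and rule.proto in ("*", proto)
                and rule.dport in (None, dport)):
            return rule.action
    return "deny"   # default deny for anything no rule mentions


# Constructed sample flows (assumption): what a few hosts try to do.
SAMPLE_FLOWS = [
    ("10.10.5.20", "198.51.100.7", "tcp", 443),   # laptop -> Internet HTTPS
    ("10.10.5.20", "198.51.100.7", "tcp", 25),    # laptop -> Internet SMTP (filtered)
    ("203.0.113.9", "192.0.2.10", "tcp", 443),    # Internet -> DMZ web server
    ("203.0.113.9", "192.0.2.10", "tcp", 22),     # Internet -> DMZ SSH
    ("203.0.113.9", "10.10.5.20", "tcp", 445),    # Internet -> inside SMB
    ("192.0.2.10", "10.10.5.20", "tcp", 445),     # compromised DMZ host -> inside
]


def evaluate_flows(flows=SAMPLE_FLOWS):
    """Evaluate every sample flow; returns a list of (flow, verdict)."""
    return [(flow, evaluate(*flow)) for flow in flows]


if __name__ == "__main__":
    for (src, dst, proto, port), verdict in evaluate_flows():
        print(f"{zone_of(src):8} {src:>14} -> {zone_of(dst):8} {dst:>14} "
              f"{proto}/{port:<5} {verdict}")
```

Running it prints one line per sample flow with the source and destination zones and the verdict. The two things worth noticing are that the laptop's SMTP attempt is denied by the default rule rather than by anything naming the laptop, and that the DMZ web server, even if fully compromised, cannot open a connection to an inside host because the DMZ-to-inside rule is evaluated on the zone, not on the server's reputation.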