This is often useful to establish a zone that doesn't belong to anyone and exists only as a haven in which data or applications can exist. Such a space is often called a DMZ, borrowing again from the lexicon of the military. DMZ requires firewalls with three or more interfaces, rather than the typical public and private interfaces. In this way, one of the interfaces is connected to the corporate network, the second is connected to the PCN network, and the remaining interfaces are connected to the devices or the resources to be shared. This scenario is shown in the following diagram:
By placing shared devices or resources in the DMZ, no direct communication is required from the corporate network to the control network. Most firewalls allow for multiple DMZs to forward the traffic between the zones according to specific rules. The firewall does not allow arbitrary packets from the corporate network to enter into the control network. It also regulates the traffic from the other network zones.