On my ADSL router firewall configuration there are 3 interfaces - Public, Private and DMZ and one can apparently specify ALL.
I understand Public as the Internet side, Private as my home LAN side and I don't really understand DMZ for which there are default rules set up.
I have my single port router (Ethernet) connected to my main computer, which has two ethernet ports, on eth1. The home LAN is connected to the other ethernet port eth0. This computer masquerades for the other computers on the network.
Do I really need the DMZ rules?
Barry Samuels http://www.beenthere-donethat.org.uk The Unofficial Guide to Great Britain
On 2003-12-09 15:08:53 +0000 Barry Samuels bsamuels@beenthere-donethat.org.uk wrote:
> On my ADSL router firewall configuration there are 3 interfaces - Public, Private and DMZ and one can apparently specify ALL.
> I understand Public as the Internet side, Private as my home LAN side and I don't really understand DMZ for which there are default rules set up.
> I have my single port router (Ethernet) connected to my main computer, which has two ethernet ports, on eth1. The home LAN is connected to the other ethernet port eth0. This computer masquerades for the other computers on the network.
> Do I really need the DMZ rules?
At a *VERY* rough guess I'd say the "DMZ" sets up the rules for traffic forwarding etc. from internal to external and vice versa, the equiv of ipmasq and family. You'll probably find if you kill the rules the outside will disappear to you.
Cheers,
Brett
Right, DMZs: De-Militarized Zones.
Say you have two networks, say an untrusted one such as the internet and a trusted one such as your home network.
You have a service on your trusted network that you want to provide to the untrusted one; the quick and dirty way to do this is port forwarding.
This way traffic bound for say a web server on the entry point of your router to the untrusted network (your external IP address) gets redirected to a specific machine on your trusted network.
The trouble with this approach is that if this specific machine gets compromised (or the attacker manages to confuse the port forwarding) then the attacker has potentially gained access to your entire trusted network.
So what you do is have 3 networks rather than 2: a trusted one, an untrusted one and a DMZ. In a "proper" set up these would actually be separately wired networks, either VLAN'd off or actually on separate switch hardware. But in most of the home gateway routers I have seen it's simply a different subnet for the Trusted and DMZ networks.
Now all of the machines that you want to serve the untrusted network sit in the DMZ, with VERY specific rules about how the DMZ interfaces can talk to your trusted and untrusted networks.
This way if an attacker compromises one of your external services, they still need to fight your firewall before getting access to your trusted network.
What you will probably be doing is using the "main" computer to provide external services anyway. In this case there is little advantage to using a DMZ.
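For a concrete picture of the "VERY specific rules" described above, here is an added example (not from the thread, and not anything Wayne or the ALUG list posted) of a three-zone firewall written as an nftables ruleset for a Linux gateway. The interface names (eth0 untrusted, eth1 DMZ, eth2 trusted), the subnets, and the single web server at 192.168.2.10 are assumptions chosen for the example; a real setup would substitute its own.

```nft
#!/usr/sbin/nft -f
# Added example: a three-zone (untrusted / DMZ / trusted) firewall.
# All interface names, addresses and the DMZ web server are assumed values.
flush ruleset

define WAN = "eth0"              # untrusted: the internet side
define DMZ = "eth1"              # semi-trusted: hosts that serve the internet
define LAN = "eth2"              # trusted: the home network
define DMZ_WEB = 192.168.2.10    # hypothetical web server living in the DMZ
define LAN_NET = 192.168.1.0/24
define DMZ_NET = 192.168.2.0/24

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # only the trusted network may manage the gateway itself
        iifname $LAN tcp dport 22 accept
        icmp type echo-request accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # trusted -> anywhere: the home LAN may reach the internet and the DMZ
        iifname $LAN oifname { $WAN, $DMZ } accept

        # untrusted -> DMZ: only the published service, only to the one host
        iifname $WAN oifname $DMZ ip daddr $DMZ_WEB tcp dport { 80, 443 } accept

        # DMZ -> untrusted: the server may fetch updates; nothing else reaches it
        iifname $DMZ oifname $WAN accept

        # DMZ -> trusted: deliberately nothing. Whatever is allowed here is what
        # someone who has compromised the DMZ host inherits, so log attempts and drop.
        iifname $DMZ oifname $LAN log prefix "dmz-to-lan: " drop
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # port forwarding: web ports on the public address land on the DMZ host
        iifname $WAN tcp dport { 80, 443 } dnat to $DMZ_WEB
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # masquerade both inside networks behind the public address (ipmasq equivalent)
        oifname $WAN ip saddr { $LAN_NET, $DMZ_NET } masquerade
    }
}
```

Load it with `nft -f` on the gateway. The point to notice is the forward chain: the trusted side gets out, the untrusted side reaches exactly one port pair on exactly one DMZ host, and the DMZ-to-trusted direction has no accept rule at all. Every rule later added in that last direction shrinks the benefit of having the DMZ.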
On Tuesday 09 December 2003 19:34, Wayne Stallwood wrote:
> Right, DMZs: De-Militarized Zones.
> Say you have two networks, say an untrusted one such as the internet and a trusted one such as your home network.
> (snip)
Thanks Wayne - that's the first time I've seen an intelligible explanation of DMZ. When you say "VERY specific rules" does this mean simple port forwarding rules or something more arcane? (Not that I know how to set up rules anyway; I just assume it's simple.)
-- GT
On Tuesday 09 December 2003 20:25, Graham Trott wrote:
> When you say "VERY specific rules" does this mean simple port forwarding rules or something more arcane?
Not really, more that I was trying to imply that you should be careful to allow only what is needed.
Essentially you should treat your untrusted network <> DMZ <> trusted Network rules as carefully as you would treat the ones at a border gateway. Allow too much from the DMZ to the trusted and you are eliminating the whole security advantage of the DMZ in the first place.
Glad you found it helpful anyway :o)
Wayne Stallwood wrote:
> Right, DMZs: De-Militarized Zones.
> <snip>
Thanks for that description, I never did understand what a DMZ was.
Wayne Stallwood ALUGlist@digimatic.plus.com wrote:
> Right, DMZs: De-Militarized Zones.
> [snip]
> What you will probably be doing is using the "main" computer to provide external services anyway. In this case there is little advantage to using a DMZ.
> Wayne
Thank you very much for that eminently intelligible explanation. I actually understood it.
None of my computers, main included, will be offering services to the internet. Having said that, I may want to provide access to ssh at some later stage so that I could access my computer when I'm away from home.
DMZ appears to be something I don't really need at present.
Barry Samuels http://www.beenthere-donethat.org.uk The Unofficial Guide to Great Britain