DMZ - Technical Details

Discussion in 'Networking Issues' started by RudeYute, Jan 13, 2007.

  1. RudeYute

    RudeYute LI Guru Member


    I'm going to be setting a machine on DMZ, in the hope of making it totally insecure, as if directly connected to my modem without the router or any firewall present. Will this work?

    Also, as it's for a project, I was wondering if anyone knows where I can find some technical information explaining how DMZ works, and how it makes it open, and if any security measures are in place then I need to know about them, etc.

  2. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    Well...where to start?

    Note 1: What Industry calls a DMZ
    The idea of a Demilitarized Zone (DMZ) is to, in the strictest sense, separate a device from other, more trusted or vulnerable devices by placing it in a separate network segment. By so doing, policies can be defined on the security appliance that establishes the DMZ that will provide different levels of protection to devices in the DMZ. The common thought with a DMZ is that devices in the DMZ should not be able to establish a connection with a device in more trusted parts of the network by default, thereby eliminating the threat of a compromised device in the DMZ being able to wreak havoc on other parts of your network. Similarly, devices in the DMZ are typically the server side of client/server, and the security appliance will allow the Internet to establish a connection to the DMZ host but not vice versa. Cisco devices that are configurable for separate hardware DMZ interfaces include the Cisco PIX 515E, 525, 535 as well as the newer ASA 5505 (new product...SOHO), 5510, 5520, 5540 & 5550 (new product....enterprise).

    Note 2: SOHO Devices -- the Software DMZ
    That was common, best practices. However, the premise of a DMZ on a Linksys box (and other SOHO devices such as D-Link, SMC, Netgear, etc.) is that a device that is in the DMZ should have no protection, with the exception perhaps of DoS (Denial of Service) protection. Devices on the Internet should be able to initiate a connection with the device in the DMZ without being blocked. The cynic in me says that this was an early workaround to the problems with non-stateful, simple NAT firewalls where establishing a server "behind" the firewall was problematic at best. Online gamers, and anyone trying to run a server on the Internet would have big issues if the device didn't properly handle inbound connections to these devices. It was easier for manufacturers to just simply say "to heck with this", and create a simple rule where one device could be exposed. Any IP traffic, regardless of protocol, is forwarded to this "DMZ Host". Then the rule becomes much simpler...any inbound IP protocols: TCP, UDP, ESP, ICMP, whatever would be allowed to communicate with this exposed host. Only problem (still) is, the DMZ host is often on the same physical segment and shares the same subnet as other non-DMZ hosts. Compromise the DMZ host and you are now a privileged user on the INSIDE of the security to cause mayhem. This isn't as bad as it sounds since most smart people will have a software firewall (Windows XP SP2 Firewall is stateful, and not too bad) on the other inside hosts but you never know.... Examples in the Linksys line of this type of DMZ include WRT54G, WRT54GS, WRT300N, WRT350N, WRT54LSGS, WRV200. In the Cisco product line the Cisco PIX 501, 506E and ASA 5505 would be examples.

    Note 3: Hybrid DMZ
    Anyway, the software DMZ is a neat trick but --- and this might be just me --- an unnecessary vulnerability. Better to buy a box like the RV042 (like the one I'm using) which allows you the benefit of a separate segment and subnet where you can put your DMZ hosts. In this scenario, it's actually a hybrid of the last two ideas. By default the device in the DMZ *can* initiate a connection to inside hosts *but* this connection establishment is managed and inspected by the stateful firewall. The stateful firewall will provide protection against DoS as well as common Internet attacks such as FIN Scans, Pings of Death, Teardrop, Smurf, etc. If you're really paranoid, you can, for example, create separate rules on the RV042 (also the RV016, RV082 and WRV54G) which will deny connections being established by the DMZ host to the inside LAN if you want. This will not prevent hosts on the inside LAN (nor the Internet) from establishing connections *to* the DMZ, which is essentially best practice anyway (see Note 1).

    This is by no means a complete description but is based on my own experience with these things. This is also, in a nutshell, how I explain the different solutions to my customers.

    Google's your friend for definitions, BTW. Also check NIST, SANS, and NSA and use their search functions to look for a more authoritative description.
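    As an added illustration of the hybrid design in Note 3 (example code, not anything from the thread or from Linksys/Cisco firmware): a toy zone-based stateful firewall in which Internet and LAN may initiate connections into the DMZ, the DMZ may not initiate into the LAN, yet a DMZ server can still answer a LAN client because reply packets match an existing connection. Zone names, addresses and ports are constructed.

```python
class StatefulZoneFirewall:
    # Which zone may *initiate* a connection into which other zone (constructed policy).
    # DMZ hosts are the server side, so Internet->DMZ and LAN->DMZ are allowed;
    # the optional "deny DMZ -> inside LAN" rule from the post is modelled as False.
    POLICY = {
        ("internet", "dmz"): True,
        ("lan", "dmz"): True,
        ("lan", "internet"): True,
        ("dmz", "internet"): True,
        ("dmz", "lan"): False,
        ("internet", "lan"): False,
    }

    def __init__(self):
        self.state = set()  # 5-tuples of connections already allowed

    def handle(self, src_zone, dst_zone, proto, src, sport, dst, dport, syn):
        """syn=True means a pure SYN (connection request); replies such as SYN-ACK use syn=False."""
        fwd = (proto, src, sport, dst, dport)
        rev = (proto, dst, dport, src, sport)
        # Packets belonging to an allowed connection pass in either direction:
        # that is what lets the DMZ host *answer* a LAN or Internet client.
        if fwd in self.state or rev in self.state:
            return "allow:established"
        if not syn:
            return "drop:no-state"        # unsolicited non-SYN with no matching flow
        if self.POLICY.get((src_zone, dst_zone), False):
            self.state.add(fwd)
            return "allow:new"
        return "drop:policy"


def demo():
    fw = StatefulZoneFirewall()
    results = []
    # 1. LAN client opens a web connection to the DMZ server: allowed by policy.
    results.append(fw.handle("lan", "dmz", "tcp", "192.168.1.10", 51000, "192.168.2.5", 80, syn=True))
    # 2. The DMZ server's SYN-ACK reply matches the reverse tuple of that connection.
    results.append(fw.handle("dmz", "lan", "tcp", "192.168.2.5", 80, "192.168.1.10", 51000, syn=False))
    # 3. A compromised DMZ host tries to open a *new* connection into the LAN: denied.
    results.append(fw.handle("dmz", "lan", "tcp", "192.168.2.5", 40000, "192.168.1.10", 445, syn=True))
    # 4. Internet client initiates to the DMZ server: allowed, which is the DMZ's purpose.
    results.append(fw.handle("internet", "dmz", "tcp", "203.0.113.7", 3344, "192.168.2.5", 80, syn=True))
    # 5. A lone unsolicited ACK from the Internet to the LAN: no state, dropped.
    results.append(fw.handle("internet", "lan", "tcp", "203.0.113.7", 3345, "192.168.1.10", 445, syn=False))
    return results
```

In the software DMZ of Note 2 the DMZ host shares the LAN segment, so case 3 never reaches the firewall at all, which is exactly the exposure the post describes.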

  3. CannibalSmith

    CannibalSmith LI Guru Member

    Does DMZ take precedence over port forwarding? That is, do Port Range Forward settings, which forward ports to the other non-DMZ machines, become useless in the moment I enable DMZ?

  4. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    No. Only ports that don't have a specific port-forwarding rule already configured for them will be forwarded to the DMZ host. In this way, port-forwarding and DMZ are complementary, so it isn't "either one or the other".

  5. CannibalSmith

    CannibalSmith LI Guru Member

    Does your answer apply to ports auto-forwarded with UPnP too?

  6. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    I don't see why not. Whether the forwarding rules are configured statically or automatically should not make a difference. Of course, there's only one way of finding out....
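    The precedence described in the two answers above, as an added example (not code from the thread or from any Linksys firmware): an unsolicited WAN packet is first matched against the forwarding table, whether the entry was typed in as a Port Range Forward or added at runtime by UPnP; only what matches nothing falls through to the DMZ host, and with no DMZ host configured it is dropped. Addresses, ports and rules are constructed.

```python
class SohoInbound:
    def __init__(self, dmz_host=None):
        self.rules = []          # (proto, first_port, last_port, target_ip, origin)
        self.dmz_host = dmz_host

    def add_range_forward(self, proto, first, last, target):
        # A static "Port Range Forward" entry from the admin page.
        self.rules.append((proto, first, last, target, "static"))

    def add_upnp_mapping(self, proto, port, target):
        # A mapping a UPnP client added at runtime: same table, same precedence.
        self.rules.append((proto, port, port, target, "upnp"))

    def route(self, proto, dst_port=None):
        """Return (target_ip, reason) for an unsolicited inbound packet."""
        # Only TCP/UDP carry ports, so only they can ever match a forwarding rule.
        if dst_port is not None:
            for r_proto, first, last, target, origin in self.rules:
                if r_proto == proto and first <= dst_port <= last:
                    return target, f"port-forward:{origin}"
        # Everything left over, including port-less protocols such as ESP or ICMP,
        # reaches the DMZ host; that blanket forwarding is what makes it fully exposed.
        if self.dmz_host:
            return self.dmz_host, "dmz-host"
        return None, "drop"


def demo():
    nat = SohoInbound(dmz_host="192.168.1.50")
    nat.add_range_forward("tcp", 8000, 8010, "192.168.1.20")
    nat.add_upnp_mapping("udp", 3074, "192.168.1.30")   # console-style UPnP mapping
    return {
        "tcp/8005": nat.route("tcp", 8005),     # inside the static range
        "udp/3074": nat.route("udp", 3074),     # UPnP mapping, same precedence as static
        "udp/8005": nat.route("udp", 8005),     # range is TCP only, so falls to the DMZ host
        "tcp/22":   nat.route("tcp", 22),       # no rule at all, falls to the DMZ host
        "esp":      nat.route("esp"),           # no ports, can only ever reach the DMZ host
        "no-dmz":   SohoInbound().route("tcp", 22),   # nothing configured: dropped
    }
```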

  7. RudeYute

    RudeYute LI Guru Member

    Thanks Eric_Stewart. I'll look for something more referenceable in the near future.

  8. coyle1

    coyle1 Guest

    My NAT

    I have the Linksys WRT300N wireless and I use Xbox 360 wirelessly. I can't connect with some people. I asked a tech to help me and he said DMZ, which I have set up, but I don't know what to put in source IP address and destination IP address. Please email me on what to put.

  9. Strykerraven

    Strykerraven New Member Member

    You would make sure the Xbox 360 has a static IP so that it gets the same IP every time. After that you would put the Xbox's static IP in the Destination area and leave the Source Address Restriction field empty.

    Per though, this method is not recommended, and using UPnP is the better option: