One way to create a DMZ is with a single machine that has three NICs in it -- one for the WAN connection, one for the DMZ network and one for the internal network. This works, but it is not the preferred method, because the security of all three networks then rests on one system. If the machine holding all three NICs is compromised, so are your DMZ and your private network. Basically, you are letting the Internet "touch" the very same machine that decides how secure your internal LAN is, and that is not a good thing.
A better way is to build three separate networks using two "firewall" devices -- one on the border of your WAN and one on the border of your internal network. Say you have a broadband router/switch and a Checkpoint firewall. Put the router/switch on your border (right behind your modem); its switch becomes your DMZ switch. Use one of its ports to connect your bastion host/public server, the machine running the service you want people to reach from the outside: a website, an FTP server or a multi-player game. Harden this machine: patch it fully, run nothing on it that is not needed, and run nothing known to be vulnerable. The border device shields it somewhat by forwarding only the ports you publish (the address translation itself is not a security control; the port filtering is), but as a general rule anything you put in the DMZ must be able to withstand attacks from the Internet, since public access is the reason you are putting it out there in the first place.
Now, to that same switch, attach another network cable that runs to your Checkpoint firewall. This should be the better of the two firewalls you have (so if you own a Checkpoint and a Netgear, use the Netgear on the border and the Checkpoint box here). It has two NICs -- one for the DMZ side and one for the private LAN side. Connect the cable from the DMZ switch to the DMZ-side NIC of this internal firewall; on the other side (the private LAN side), connect a cable to another hub/switch that all of your LAN computers plug into.
If that was confusing, think of it this way:
Internet to Modem
Modem to Router
Router to DMZ Hub/Switch
DMZ Switch to WEB/FTP/Game Server
DMZ Switch to Firewall External NIC
Firewall Internal NIC to Internal Hub/Switch
Internal Hub/Switch to Internal Systems
What this does is segment your network by trust. The internal firewall is configured so that LAN hosts can initiate connections to the DMZ and to the Internet, but neither of those two networks can initiate connections to the LAN. Essentially, you are saying that you do not trust those two networks, and they are kept completely separate from your internal LAN. This way, if your host in the DMZ is compromised, the intruder cannot open connections to the other computers in your LAN. Two caveats: the internal firewall must actually be configured that way (default deny for anything entering from the DMZ side, admitting only replies to connections the LAN started), and a compromised DMZ host can still attack LAN machines that connect to it, so treat anything it serves to the LAN with the same suspicion as the Internet.
The design is further strengthened by using NAT on your border device to forward only the ports your public service needs into the DMZ. So, if you are only running a web server, you forward only TCP 80 to the DMZ machine running that daemon; every other connection request from the Internet is refused at the border router/firewall.
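The policy just described, written out as an added example (this is not code from the FAQ): a small Python model of the two devices, with assumed addresses (192.168.1.0/24 for the LAN, 192.168.0.0/24 for the DMZ, 192.168.0.10 for the web server and 203.0.113.5 as the border's public address) and the trace function `connect` that walks a new connection along the cabling listed above. Only connection initiation is modelled; a stateful firewall admits the replies to connections it allowed.

```python
"""Policy model of the two-firewall DMZ in this FAQ entry (added example).

The border router forwards only the published port (TCP 80) to the DMZ web
server; the internal Checkpoint lets the LAN initiate connections outward and
drops any connection the DMZ or the Internet tries to open toward the LAN.
Addresses below are assumptions for the illustration, not from the FAQ.
"""
from dataclasses import dataclass, replace
from typing import Optional
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed: behind the Checkpoint
DMZ = ipaddress.ip_network("192.168.0.0/24")   # assumed: the border router's switch
WEB_SERVER = "192.168.0.10"                    # assumed: bastion host in the DMZ
PUBLIC_IP = "203.0.113.5"                      # assumed: border router's WAN address
PUBLISHED = {("tcp", 80): WEB_SERVER}          # the only port forwarded inward


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone(addr: str) -> str:
    a = ipaddress.ip_address(addr)
    if a in LAN:
        return "lan"
    if a in DMZ:
        return "dmz"
    return "internet"


def border_device(flow: Flow) -> Optional[Flow]:
    """Broadband router: outbound traffic is NATed and allowed; inbound traffic
    is accepted only on a published port and is DNATed to the DMZ host."""
    if zone(flow.src) != "internet":
        return flow
    target = PUBLISHED.get((flow.proto, flow.dport))
    if flow.dst != PUBLIC_IP or target is None:
        return None                      # refused at the border
    return replace(flow, dst=target)     # lands on the DMZ switch


def internal_firewall(flow: Flow) -> Optional[Flow]:
    """Checkpoint between DMZ and LAN: default deny; only the LAN may initiate."""
    return flow if zone(flow.src) == "lan" else None


def connect(flow: Flow) -> tuple:
    """Trace a new connection along the cabling in the FAQ. Returns
    (verdict, flow as delivered); the verdict names where a drop happened."""
    if zone(flow.src) == "internet":                 # comes in through the modem
        flow = border_device(flow)
        if flow is None:
            return ("dropped at border", None)
    s, d = zone(flow.src), zone(flow.dst)
    if "lan" in (s, d) and s != d:                   # crosses the Checkpoint
        flow = internal_firewall(flow)
        if flow is None:
            return ("dropped at internal firewall", None)
    if d == "internet" and s != "internet":          # leaves through the border
        flow = border_device(flow)
    return ("allowed", flow)


if __name__ == "__main__":
    # Constructed sample connections, one per direction of interest.
    samples = [
        Flow("198.51.100.7", PUBLIC_IP, 80),          # public web hit
        Flow("198.51.100.7", PUBLIC_IP, 22),          # unpublished port
        Flow("198.51.100.7", "192.168.1.20", 445),    # Internet aiming at the LAN
        Flow(WEB_SERVER, "192.168.1.20", 445),        # compromised DMZ host vs LAN
        Flow("192.168.1.20", WEB_SERVER, 80),         # LAN admin reaching the DMZ
        Flow("192.168.1.20", "198.51.100.7", 443),    # LAN browsing out
        Flow(WEB_SERVER, "192.168.0.11", 22),         # DMZ host to DMZ host
    ]
    for f in samples:
        verdict, delivered = connect(f)
        print(f"{f.src:>14} -> {f.dst:<14} {f.proto}/{f.dport:<4} {verdict}"
              + (f" (delivered to {delivered.dst})" if delivered else ""))
```

The last sample is worth noticing: two hosts on the DMZ switch are on the same segment, so nothing in this design filters between them. If a second public server shares the DMZ, each one has to be hardened on its own, because the border and the Checkpoint protect the Internet edge and the LAN edge, not the DMZ hosts from each other.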