In a residential network, we differentiate the local area network (LAN) from the wide area network (WAN), which is also called the internet. It is crucial to keep the two separate, which is done at the level of the router, via a firewall. After all, nobody wants the hackers of the internet getting into their computers and data.
DMZ stands for demilitarized zone; it is sometimes referred to as a perimeter network. Like a geographic border area between two opposing forces (North and South Korea, for example), the networking DMZ is a subnetwork that acts as a buffer between the LAN and the WAN. This DMZ subnetwork can be either an actual physical networking area or a logical subnetwork. The goal is to put resources that need close access to the WAN in the DMZ, while the rest of the LAN can be more fully protected with an additional barrier.
There are a number of resources that can be placed in a DMZ; these are services that are provided to users on the internet, such as web, email, FTP and VoIP. Some gamers prefer to put their game consoles in a DMZ, which can be simpler to configure and does not require manual port forwarding to be configured and reconfigured.
Architecturally, there are two basic methods to create a DMZ: single firewall and double firewall. The single firewall approach is the simpler to construct and is also known as the three-legged model. In this approach, the router connects to the WAN with its firewall, with the DMZ behind it and the LAN behind the DMZ. The significant downside is that a single firewall controls all the traffic, and there is no additional protection between the DMZ and the LAN. As the DMZ is designed to allow traffic in, this makes it easier for an attacker to get into the DMZ and then use that foothold to get into the LAN, making this inherently the less secure approach.
The second method for creating a DMZ is the double firewall approach, which is inherently more secure. In this construct, there is a firewall between the WAN and the DMZ, called the front-end firewall. This first firewall is configured to allow traffic to the DMZ. Then there is a second firewall between the DMZ and the LAN, called the back-end firewall. As two separate firewalls would need to be compromised to gain access to the LAN, it is considered more secure. Often, the two firewalls are from two different vendors, which is referred to as "defense in depth." The disadvantage of this construct is that it increases the cost and the complexity of configuration.
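The following nftables ruleset is an added example, not from the original article, showing how the three-legged (single firewall) model above is expressed on one Linux router. The interface names (wan0, dmz0, lan0) and the DMZ web server address are assumptions; the explicit drop of DMZ-to-LAN traffic is the rule that stands in for the back-end firewall of the double firewall design.

```nftables
#!/usr/sbin/nft -f
# Three-legged DMZ on a single Linux router.
# Assumed interfaces: wan0 = WAN, dmz0 = DMZ, lan0 = LAN (example values).
flush ruleset

define WAN = "wan0"
define DMZ = "dmz0"
define LAN = "lan0"
define WEB_SERVER = 192.168.100.10   # assumed address of the published DMZ host

table inet dmz_router {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Publish only the DMZ web server: inbound HTTP/HTTPS from the WAN is
        # translated to it, nothing else is exposed.
        iifname $WAN tcp dport { 80, 443 } dnat ip to $WEB_SERVER
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Hide LAN and DMZ addresses behind the router's WAN address.
        oifname $WAN masquerade
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to flows that were already permitted, in either direction.
        ct state established,related accept
        ct state invalid drop

        # The trusted LAN may initiate connections to the WAN and the DMZ.
        iifname $LAN oifname { $WAN, $DMZ } accept

        # The WAN may reach only the published service on the DMZ host
        # (the address check runs after DNAT, so it matches the real server).
        iifname $WAN oifname $DMZ ip daddr $WEB_SERVER tcp dport { 80, 443 } accept

        # The DMZ may reach the WAN (updates, outbound mail) but never initiate
        # into the LAN; log the attempt so a compromised DMZ host is noticed.
        iifname $DMZ oifname $LAN log prefix "dmz-to-lan blocked: " drop
        iifname $DMZ oifname $WAN accept
    }
}
```

Load it with `nft -f` and verify the zone boundaries with `nft list ruleset`; a DMZ host attempting to reach the LAN should appear in the kernel log with the "dmz-to-lan blocked" prefix.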
The average home user will not likely need to set up a DMZ. This is even more true these days with the ubiquitous availability of cloud services, such as Google Drive or Box, which can be used to share files. For a more advanced user, however, there may be some occasions where a DMZ is the preferred solution, such as running a home server, assuming the ISP allows this, as many do not on a residential plan. Unfortunately, it is not a simple task to create a DMZ, as many home routers do not offer this option.
Although it is uncommon for routers to support DMZ creation, some higher-end routers do offer the option to create a DMZ. I can confirm that the Asus AC5300 definitely supports this feature, and some research online shows that TP-Link and D-Link can be enabled for a DMZ on some of their routers. Another option is a Raspberry Pi, which has the advantage that this little computer is quite power efficient and can work with an existing router. It can also be done via open source router firmware, such as DD-WRT. Realize that setting up a DMZ is essentially opening up a portion of the network to the internet, so care must be taken as to what is attached to that portion of the network, and it should never hold more data than is needed for its specific designated task.
The concept of a physical DMZ has been around for a while. In this pure implementation, the DMZ sits on its own physical server. Currently, DMZs are not implemented so purely, but the concepts of layered security and defense in depth are still used in what is termed a multi-zoned DMZ, which provides multiple layers to protect the LAN as separate components.
Feel free to share your experiences and implementations with the DMZ in the comments below, including what you use your DMZ for in your home network.
This article was contributed by the DSLReports.com community. If you'd like to receive payment for writing content like this for our front page, please drop us a line.