
Help explain how a DMZ works!


7 replies to this topic

#1 David Ashcroft

  • Members
  • 169 posts
  • Gender:Male

Posted 18 February 2014 - 05:38 PM

Hi all!

I have to explain how a DMZ works. Now my general understanding is that a DMZ contains devices that generally need to provide external services such as Email, Web Servers etc... Any external users trying to access the internal network should only ever have access to the DMZ zone, and any hackers or attackers should only ever be able to compromise the items that are in the DMZ... The DMZ is sometimes protected by a firewall, but the internal protected LAN should always be protected by a firewall.

I would think that the general idea is that you have the following setup:

INTERNET COMING IN-----> ROUTER -------> FIREWALL ------> DMZ -----> FIREWALL -----> INTERNAL PROTECTED LAN

So the idea is that you have the internet coming in and connected to a simple router to route the incoming traffic to the firewall; the first firewall is the first level of protection and allows people/users to access the DMZ. Anybody wishing to get further into the network needs to get through the second firewall, which has more restrictions in place, to get to the internal network.

Am I on the correct lines with this?

If not, can someone clarify how it works to me, as I need to explain in detail the best setup for a DMZ and why I think it is the best setup, with references (for a university task).

Thanks in advance and I look forward to hearing your replies!





#2 CaveDweller2

  • Members
  • 2,629 posts
  • Gender:Male

Posted 18 February 2014 - 06:42 PM

You got it correct.


Hope this helps!

Associate in Applied Science - Network Systems Management - Trident Technical College


#3 smax013

  • BC Advisor
  • 2,329 posts
  • Gender:Not Telling

Posted 19 February 2014 - 11:46 AM

> Hi all!
>
> I have to explain how a DMZ works. Now my general understanding is that a DMZ contains devices that generally need to provide external services such as Email, Web Servers etc... Any external users trying to access the internal network should only ever have access to the DMZ zone, and any hackers or attackers should only ever be able to compromise the items that are in the DMZ... The DMZ is sometimes protected by a firewall, but the internal protected LAN should always be protected by a firewall.
>
> I would think that the general idea is that you have the following setup:
>
> INTERNET COMING IN-----> ROUTER -------> FIREWALL ------> DMZ -----> FIREWALL -----> INTERNAL PROTECTED LAN
>
> So the idea is that you have the internet coming in and connected to a simple router to route the incoming traffic to the firewall; the first firewall is the first level of protection and allows people/users to access the DMZ. Anybody wishing to get further into the network needs to get through the second firewall, which has more restrictions in place, to get to the internal network.
>
> Am I on the correct lines with this?
>
> If not, can someone clarify how it works to me, as I need to explain in detail the best setup for a DMZ and why I think it is the best setup, with references (for a university task).
>
> Thanks in advance and I look forward to hearing your replies!


What you describe is referred to as a "Dual Firewall" DMZ. It is a true DMZ and essentially the best way for it to be set up.

If you are trying to ask about the so-called DMZ zones that you see in most home routers, then that is referred to as a "DMZ host" and is not really a true DMZ, as the computer in the DMZ can still talk to "internal" network computers... UNLESS you do something beyond just the router (i.e. set up firewall software on each computer, or set up some hardware firewall between the router and the "internal network"). You can in essence turn a DMZ host through a home router kind of into a Dual Firewall DMZ if you have software firewalls running on all the computers, including the computer(s) in the DMZ, and have all the software firewalls on the "internal network" computers set up to block all traffic from the DMZ computer(s). But as I understand it, a "true" Dual Firewall DMZ would be using hardware firewall devices.

http://en.wikipedia.org/wiki/DMZ_(computing)#DMZ_host

#4 David Ashcroft (Topic Starter)

  • Members
  • 169 posts
  • Gender:Male

Posted 19 February 2014 - 01:35 PM

So does that mean that if, for example, someone on the secure internal network wanted to load google.com, they would have to go through the firewall, through the DMZ, through the next firewall, to the router etc.? So basically everything requesting outside access from the secure internal network would still go through the DMZ?

 

Thanks! 



#5 x64

  • Members
  • 352 posts
  • Gender:Male
  • Location:London UK

Posted 19 February 2014 - 02:42 PM

Your post is correct for one type of corporate DMZ (with two firewalls between the LAN and the Internet, and the DMZ in the middle).

Another, simpler design has a single firewall with three interfaces: one on the Internet (aka WAN), one on the LAN, and one for the DMZ. In this case firewall rules determine how the systems in each zone can talk to each other. Best practice would say that you only publish services on the Internet that are terminated in the DMZ. If the DMZ systems need access to LAN servers (they probably will), then you open up as little access from the DMZ to the LAN as you can to facilitate this. Generally outbound access (LAN->WAN, LAN->DMZ and DMZ->WAN) is liberal, and inbound access (WAN->DMZ, DMZ->LAN and WAN->LAN) is tightly controlled, with LAN->WAN probably being entirely blocked.

Whilst saying above that outbound access is generally fairly liberal, there are big advantages in blocking unnecessary protocols.

 

x64



#6 David Ashcroft (Topic Starter)

  • Members
  • 169 posts
  • Gender:Male

Posted 21 February 2014 - 11:54 AM

Thanks for the help so far! I have to come up with the most secure possible solution, and surely having two firewalls in place would be the most secure? (dual firewall DMZ) That is just my assumption, so let me know if I am wrong! :)

If I went for just one firewall with 3 interfaces, would the firewall be set up to have 3 different ranges? For example:

Port 1 - Link to Secure internal network: 172.16.1.0/24
Port 2 - Link to DMZ devices: 172.16.2.0/24
Port 3 - Link to Router that is connected to the Internet: 172.16.3.0/24

Also, would each network require a DHCP server, or can firewalls generally be set up for DHCP?

Sorry if I sound stupid; all my knowledge is conceptual, so as I have never put any of this into practice I may sound a little silly. Bear with me haha!



#7 daveydoom

  • Security Colleague
  • 108 posts
  • Gender:Male
  • Location:Ontario, Canada

Posted 21 February 2014 - 04:16 PM

> If I went for just one firewall with 3 interfaces, would the firewall be set up to have 3 different ranges? For example:
>
> Port 1 - Link to Secure internal network: 172.16.1.0/24
> Port 2 - Link to DMZ devices: 172.16.2.0/24
> Port 3 - Link to Router that is connected to the Internet: 172.16.3.0/24

 

 

The idea is correct, yes :) . Although, if I'm understanding correctly, Port 3 would be the connection from your modem to your firewall, so that port would not have its own private subnet.

My home network can be set up as outlined below. I don't have a DMZ, only wireless and wired devices on different subnets. I have no need for a DMZ at this time. Keeping the internal network and the DMZ on separate subnets ensures the safety of the internal LAN :) . I can access the wireless subnet and the DMZ (if set up) from my wired subnet, but I cannot go the other way around without adding "rules" on the firewall and opening pinholes.

Internet --> Modem --> SmoothWall Firewall Appliance --> DMZ on one subnet (using a dedicated switch)
                                                    --> Wireless network on a different subnet (using a Wireless Access Point)
                                                    --> Wired network on a different subnet (using a dedicated switch)


Edited by daveydoom, 21 February 2014 - 04:19 PM.

"A computer beat me in chess, but it was no match when it came to kickboxing"
-Emo Philips



#8 x64

  • Members
  • 352 posts
  • Gender:Male
  • Location:London UK

Posted 21 February 2014 - 05:27 PM

> Thanks for the help so far! I have to come up with the most secure possible solution, and surely having two firewalls in place would be the most secure? (dual firewall DMZ) That is just my assumption, so let me know if I am wrong! :)
>
> If I went for just one firewall with 3 interfaces, would the firewall be set up to have 3 different ranges? For example:
>
> Port 1 - Link to Secure internal network: 172.16.1.0/24
> Port 2 - Link to DMZ devices: 172.16.2.0/24
> Port 3 - Link to Router that is connected to the Internet: 172.16.3.0/24
>
> Also, would each network require a DHCP server, or can firewalls generally be set up for DHCP?
>
> Sorry if I sound stupid; all my knowledge is conceptual, so as I have never put any of this into practice I may sound a little silly. Bear with me haha!

 

The three-legged firewall would be easiest to understand. Back-to-back firewalls might be a bit of a handful for an inexperienced admin.

Just having a firewall does not mean you are secure (and having TWO firewalls does not mean you are TWICE as secure :rolleyes: ).

The most significant part of the security of a firewall is the firewall rules. I have seen some VERY good techies put absolutely awful holes in firewall configs, because it's not their speciality... I'd suggest keeping it simple.

For the IP ranges:

LAN interface: your LAN IP addresses, whatever they are. DHCP would come from within your LAN.

WAN interface: this would be the public range assigned by your ISP. There is usually little use for DHCP here; the IP addresses are usually all static.

DMZ interface: either another private range of IP addresses (from the 172.16-31.x.x, 192.168.x.x or 10.x.x.x ranges, with a NAT relationship between the DMZ and WAN interfaces) or the same IP addresses as the WAN interface (and a transparent relationship between the WAN and LAN interfaces). Again, there is usually little use for DHCP here; the IP addresses are static.

 

x64
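The zone policy x64 describes in #5 (publish only DMZ-terminated services to the Internet, open DMZ->LAN as narrowly as possible, no WAN->LAN, fairly liberal LAN outbound) and the address plan from #6/#8 (private LAN and DMZ ranges, a public WAN leg with no private subnet of its own), carried through as an added example. This is not code from the thread, from SmoothWall or from any firewall product: it models the three-legged firewall as a first-match rule table with a drop default, evaluates a few constructed connection attempts against it, and renders the same table as an nftables forward chain. The subnets 172.16.1.0/24 (LAN) and 172.16.2.0/24 (DMZ) come from David's post; the host addresses, ports, interface names (eth0/eth1/eth2) and sample flows are assumptions made for the example.

```python
"""Three-legged DMZ firewall policy as a rule table (added example, not from the thread).

Zones follow David's plan: LAN 172.16.1.0/24, DMZ 172.16.2.0/24. The WAN leg carries
a public address and no private subnet, so anything outside those two ranges is treated
as the Internet. Host addresses, ports, interface names and sample flows are assumed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
import ipaddress

ZONES = {  # assumed address plan (from David's example)
    "lan": ipaddress.ip_network("172.16.1.0/24"),
    "dmz": ipaddress.ip_network("172.16.2.0/24"),
}
IFACES = {"wan": "eth0", "lan": "eth1", "dmz": "eth2"}  # assumed interface names


def zone_of(ip: str) -> str:
    """Map an address to lan/dmz; anything else is the Internet (wan)."""
    addr = ipaddress.ip_address(ip)
    for zone, net in ZONES.items():
        if addr in net:
            return zone
    return "wan"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str                 # "tcp", "udp" or "any"
    dports: frozenset          # destination ports; empty means any port
    dst: Optional[str]         # pin the rule to one destination host, or None
    action: str                # "accept" or "drop"
    comment: str


# First match wins. No rule covers WAN->LAN, so it falls through to DEFAULT.
POLICY = [
    Rule("wan", "dmz", "tcp", frozenset({80, 443}), "172.16.2.10", "accept", "published web server"),
    Rule("wan", "dmz", "tcp", frozenset({25}),      "172.16.2.20", "accept", "published mail relay"),
    Rule("dmz", "lan", "tcp", frozenset({3306}),    "172.16.1.50", "accept", "web server to DB only"),
    Rule("dmz", "wan", "tcp", frozenset({80, 443}), None,          "accept", "DMZ hosts fetch updates"),
    Rule("lan", "dmz", "any", frozenset(),          None,          "accept", "admins reach the DMZ"),
    Rule("lan", "wan", "any", frozenset(),          None,          "accept", "LAN outbound, liberal"),
]
DEFAULT = "drop"


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> Tuple[str, str]:
    """Decide a NEW connection attempt; replies are handled by connection tracking."""
    pair = (zone_of(src_ip), zone_of(dst_ip))
    for r in POLICY:
        if (r.src_zone, r.dst_zone) != pair:
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dports and dport not in r.dports:
            continue
        if r.dst is not None and r.dst != dst_ip:
            continue
        return r.action, r.comment
    return DEFAULT, "default policy"


def to_nftables() -> str:
    """Render the same table as an nftables forward chain with a drop default."""
    lines = [
        "table inet fw {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in POLICY:
        parts = [f"iifname {IFACES[r.src_zone]}", f"oifname {IFACES[r.dst_zone]}"]
        if r.dst:
            parts.append(f"ip daddr {r.dst}")
        if r.proto != "any":
            if r.dports:
                ports = ", ".join(str(p) for p in sorted(r.dports))
                parts.append(f"{r.proto} dport {{ {ports} }}")
            else:
                parts.append(f"meta l4proto {r.proto}")
        parts.append(f'{r.action} comment "{r.comment}"')
        lines.append("    " + " ".join(parts))
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed sample flows (src, dst, proto, dport); not taken from the thread.
SAMPLE_FLOWS = [
    ("198.51.100.7", "172.16.2.10", "tcp", 443),   # Internet -> DMZ web: accept
    ("198.51.100.7", "172.16.1.50", "tcp", 3306),  # Internet -> LAN DB: drop (no WAN->LAN rule)
    ("172.16.2.10", "172.16.1.50", "tcp", 3306),   # DMZ web -> LAN DB: accept
    ("172.16.2.10", "172.16.1.50", "tcp", 22),     # DMZ web -> LAN DB over SSH: drop
    ("172.16.1.23", "8.8.8.8", "udp", 53),         # LAN -> Internet DNS: accept
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", evaluate(*flow))
    print(to_nftables())
```

The point of the fourth sample flow is the one x64 makes about rules mattering more than the number of firewalls: a compromised DMZ web server can still reach the database port on one LAN host, because that is the access the application needs, but nothing else on the LAN, and the Internet cannot reach the LAN at all because no rule exists for it. The same table splits naturally across a dual-firewall design, with the WAN->DMZ rules on the outer firewall and the DMZ->LAN rules on the inner one, which is why the two layouts are equivalent if the rules are written with the same care.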





