
If I set up a Windows 10 PC with a software firewall (TinyWall, which is a front end for Windows Firewall) and blocked all traffic except for a few applications and ports I would be using (Minecraft server and Plex server), would it be safe to put my machine into my router's DMZ? Would the PC, its data, or my home network be vulnerable to outside attacks?

Anders
Atlantic

1 Answer


If your router offers a real DMZ then the rest of the network would be safe even if your Windows PC is compromised. A real DMZ is a separate network which has no or only very restricted access to the internal network.

But, what most SoHo routers call DMZ is actually an exposed host, i.e. traffic from outside is forwarded to a single host inside the internal network and not into a separate network. Since this exposed host is inside the internal network and has full access to the network this setup can not be considered safe because the compromise of the exposed system could also affect the security of the other (non-exposed) systems inside the same internal network.

A real DMZ requires that the router itself provides an additional network for such exposed devices which has no access to the internal network. This network should also be physically or logically separated from the internal network, i.e. usually with a different physical Ethernet port, but maybe only with a VLAN. If the router only offers to forward everything to a single device inside your internal network (i.e. exposed host) you might try to make the best of it with a strictly configured additional router as exposed host which then tries to offer the real DMZ network. But since the router is placed inside the internal network you have to be really careful with the configuration so that DMZ devices cannot access the internal network.

As for the security of the exposed system itself: Even if only the Minecraft and Plex server would be reachable from outside I would not believe in security since in the past there were exploits for Minecraft server and exploits for Plex.

Apart from that most attacks against normal systems like yours are not caused by direct hacks against the system from outside but by the user inadvertently putting malware on the system by browsing (drive-by-downloads) or reading mail and opening links or attachments (i.e. from phishing mails). And the simple Windows firewall will in no way protect against this. Antivirus and similar will help better against this malware but also cannot achieve full coverage.

Steffen Ullrich
  • Fantastic. Thank you for the detailed response. I will take all of this into consideration! – Atlantic Apr 30 '16 at 21:28
  • I will be using the stock Google Fiber router. At this [help page](https://support.google.com/fiber/answer/6004732?hl=en), there seems to be an indication that the DMZ provided by the router does indeed isolate the PC ("Place web or game server in the DMZ to isolate it from the rest of your Fiber network."). Is there any way I can confirm this? Additionally, the page mentions using a second router in some configurations; would such a configuration be beneficial to a scenario such as mine? – Atlantic Apr 30 '16 at 21:32
  • @Atlantic: from https://support.google.com/fiber/answer/4650342 it looks more like exposed host and not a real DMZ: you can only configure a single device to serve as DMZ. A real DMZ would be a separate interface at the router which is not the case here. You can make kind of a DMZ out of it if you set up a router/firewall as the DMZ device and then make sure with routing rules that it can only access the outside and be accessed from the outside and has no access to the internal network. But this does not provide the same security as a real DMZ because this router is inside the internal network. – Steffen Ullrich May 01 '16 at 04:55
  • Is there an easy way to identify these "real DMZ" routers? – raphael May 21 '18 at 23:26
  • @raphael: Take a close look at the documentation of the routers. If they just forward traffic from outside to a specific system *inside the same network as the other systems* it is not a real DMZ but just an exposed host. A DMZ should be a network separated from the rest. If some router has this more advanced feature it is very likely it will also be described properly. – Steffen Ullrich May 22 '18 at 04:40