What's DMZ used for in a home wireless router?

24

10

As far as I understand, by using DMZ you expose all of the host computer's ports to the Internet. What's that good for?

guillermooo

Posted 2009-08-03T12:15:18.750

Reputation: 2 093

Answers

24

The DMZ is good if you want to run a home server that can be accessed from outside of your home network (i.e. web server, SSH, VNC or another remote access protocol). Typically you would want to run a firewall on the server machine to make sure only the ports that are specifically wanted are allowed access from public computers.

An alternative to using the DMZ is to set up port forwarding. With port forwarding you can allow only specific ports through your router, and you can also specify some ports to go to different machines if you have multiple servers running behind your router.

heavyd

Posted 2009-08-03T12:15:18.750

Reputation: 54 755

1

Is it possible to skip the router and connect directly? What if the port is like a phone cable or a coaxial cable? – CMCDragonkai – 2015-05-11T06:52:38.410

20

Please be careful. DMZ in a corporate/professional environment (with high-end firewalls) is not the same as for a home wireless router (or other NAT routers for home use). You may have to use a second NAT router to get the expected security (see the article below).

In episode 3 of the Security Now podcast by Leo Laporte and security guru Steve Gibson this subject was talked about. In the transcript see near "really interesting issue because that's the so-called "DMZ," the Demilitarized Zone, as it's called on routers.".

From Steve Gibson, http://www.grc.com/nat/nat.htm:

"As you might imagine, a router's "DMZ" machine, and even a "port forwarded" machine needs to have substantial security or it will be crawling with Internet fungus in no time. That's a BIG problem from a security standpoint. Why? ... a NAT router has a standard Ethernet switch interconnecting ALL of its LAN-side ports. There's nothing "separate" about the port hosting the special "DMZ" machine. It's on the internal LAN! This means that anything that might crawl into it through a forwarded router port, or due to its being the DMZ host, has access to every other machine on the internal private LAN. (That's really bad.)"

In the article there is also a solution to this problem that involves using a second NAT router. There are some really good diagrams to illustrate the problem and the solution.

Peter Mortensen

Posted 2009-08-03T12:15:18.750

Reputation: 10 992

2

@hyperslug: actually, with DD-WRT you could configure the DMZ on a completely separate subnet and VLAN. Isolate it entirely from the rest of the network, or configure it so access to the DMZ VLAN from the rest of the internal network is firewalled/NAT'd like traffic from the WAN. That's getting into a complicated configuration, but it is possible with DD-WRT/OpenWRT. – quack quixote – 2010-02-12T20:56:21.020

3

+1. The point of DMZ is to separate a potentially compromised machine from the remainder of the internal network. Even DD-WRT can't help you here, b/c attacks originating from the DMZ don't pass through the router's ruleset, they just hit the switch. DMZ is an illusion unless it's on a separate physical connection. – hyperslug – 2009-08-03T19:24:54.177

@quack, the switch isn't port specific, it's a regular switch. So my compromised machine can attack any other machines on the switch w/out being filtered through a router rule. Regarding the VLAN, I believe I could change the IP (or MAC) on my compromised machine to something on the internal network and hack away. The 4 ports on the back of some high-end routers behave as 4 NICs, not a 4-port switch, so a rule can be set up like "block all traffic from #4 to #1,#2,#3", which is impossible w/ a L2 switch. – hyperslug – 2010-07-24T18:54:09.880
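The separation hyperslug and quack quixote are describing (the DMZ on its own router port or VLAN, with a rule that blocks DMZ-to-LAN traffic, which a plain L2 switch cannot enforce) combined with heavyd's port forwarding instead of a catch-all DMZ host, written as an nftables ruleset for a Linux-based router. This is an added example, not from any of the posts, DD-WRT/OpenWRT or grc.com; the interface names, subnets and the DMZ host address are assumptions.

```nft
#!/usr/sbin/nft -f
# Assumed layout (constructed example values, adjust to your own):
#   eth0 = WAN, eth1 = LAN (192.168.1.0/24), eth2 = DMZ (192.168.2.0/24)
#   The exposed server sits in the DMZ at 192.168.2.10.
flush ruleset

define WAN = "eth0"
define LAN = "eth1"
define DMZ = "eth2"
define DMZ_HOST = 192.168.2.10

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        ct state invalid drop
        # Only LAN clients may talk to the router itself (admin UI, DNS, DHCP)
        iifname $LAN accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # LAN may reach both the Internet and the DMZ
        iifname $LAN oifname { $WAN, $DMZ } accept
        # DMZ may reach the Internet but never originate traffic into the LAN;
        # this is exactly the "block #4 -> #1,#2,#3" rule a shared switch cannot apply
        iifname $DMZ oifname $WAN accept
        iifname $DMZ oifname $LAN drop
        # From the WAN, only the forwarded services reach the DMZ host
        iifname $WAN oifname $DMZ ip daddr $DMZ_HOST tcp dport { 80, 443 } accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Port forwarding: specific ports to a specific host, not "everything"
        # to a DMZ host
        iifname $WAN tcp dport { 80, 443 } dnat to $DMZ_HOST
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname $WAN masquerade
    }
}
```

Load it with `nft -f <file>`; a quick check of the intended isolation is that a port scan launched from the DMZ host towards 192.168.1.0/24 gets no replies, while the same host still answers on 80/443 from the WAN.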

12

A DMZ or "de-militarized zone" is where you can set up servers or other devices that need to be accessed from outside your network.

What belongs there? Web servers, proxy servers, mail servers etc.

In a network, the hosts most vulnerable to attack are those that provide services to users outside of the LAN, such as e-mail, web and DNS servers. Because of the increased potential of these hosts being compromised, they are placed into their own subnetwork in order to protect the rest of the network if an intruder were to succeed. Hosts in the DMZ have limited connectivity to specific hosts in the internal network, though communication with other hosts in the DMZ and with the external network is allowed. This allows hosts in the DMZ to provide services to both the internal and external network, while an intervening firewall controls the traffic between the DMZ servers and the internal network clients.

Bruce McLeod

Posted 2009-08-03T12:15:18.750

Reputation: 5 490

1

In computer networks, a DMZ (demilitarized zone), also sometimes known as a perimeter network or a screened subnetwork, is a physical or logical subnet that separates an internal local area network (LAN) from other untrusted networks, usually the internet. External-facing servers, resources and services are located in the DMZ. So, they are accessible from the internet, but the rest of the internal LAN remains unreachable. This provides an additional layer of security to the LAN as it restricts the ability of hackers to directly access internal servers and data via the internet.

user927671

Posted 2009-08-03T12:15:18.750

Reputation: 11