belronan
Understanding DMZ

Hi Experts,

Just wondering, could anybody explain DMZ to me? I know what it stands for, but what is the point of it and what does it do?
And why would I need one?

ASKER CERTIFIED SOLUTION
Chris Dent
belronan (ASKER)

Cheers mate,

So is it in a sense kinda like port forwarding then?

In a sense, although the overall design isn't restricted to just Port Forwarding since it also involves IP Routing as a whole.

For instance, the web server might have a public IP Address in that instance and the Firewall used to just restrict access to that IP. Equally it might use Port Forwarding and hide behind another IP address entirely.

A lot of how it is set up depends on the Hardware you're using as well as what you're trying to make publicly available.

It's very common to use a DMZ for any/all 'publicly accessible' boxes (web servers, ftp box, etc.) and then only allow specific traffic from the Internet to those boxes. If someone is able to get in and hack your web server, for instance, they'll be locked into that DMZ network *and should NOT* have access to your corp/internal network. Essentially, a DMZ is a way to get boxes behind your firewall, but NOT have them on your corporate network.

With that in mind, you could have many, many DMZs if you so desired.

Chumplet
Although that is a popular setup, the true origins of "DMZ" refer to computers that are connected to the internet without any firewall in front of them. Web Servers, Mail Servers, IDS, etc... are usually put in DMZs because you have to open up access to the public.

Nowadays, routers and firewalls have DMZ ports, that "basically" allow total communication with the internet but also do tracking. It's similar to port forwarding, but in a way, it's also the opposite. Port forwarding has to do with Network Address Translation, where a single public IP would represent multiple services. Depending on the port, a NAT device would forward the request to a particular computer.

With DMZ, all ports are open all the time. So no matter what the request, it gets forwarded to the same computer. This makes NAT useless, and "port forwarding" not completely accurate.
>>When talking about networking this is a very secure section of your network where as little as possible is allowed.

This is wrong.  A demilitarized zone has very little security, and is removed from your network segment both physically and logically as a result.
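The segmented design described earlier in the thread (only specific Internet traffic to the DMZ boxes, a hacked DMZ box locked out of the corporate network) beside the "all ports open" DMZ-host arrangement Chumplet contrasts with port forwarding, as an added example that is not part of this thread: a small zone-policy evaluator with first-match, default-deny rules. The address ranges (192.0.2.0/24 for the DMZ, 10.0.0.0/8 for the LAN), the rule lists and the `dmz_can_reach_lan` check are all constructed assumptions of the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing: three zones hanging off one firewall (assumed, not from the thread).
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),   # public-facing boxes (web, mail, FTP)
    "lan": ip_network("10.0.0.0/8"),     # corporate / internal network
}

def zone_of(addr: str) -> str:
    """Classify an address; anything outside the DMZ and LAN ranges is the Internet."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dports: Optional[frozenset]  # None means any destination port
    action: str                  # "allow" or "deny"

def evaluate(rules, src: str, dst: str, dport: int) -> str:
    """First matching rule wins; traffic matching nothing is dropped (default deny)."""
    s, d = zone_of(src), zone_of(dst)
    for r in rules:
        if r.src_zone == s and r.dst_zone == d and (r.dports is None or dport in r.dports):
            return r.action
    return "deny"

# Segmented DMZ as described in the thread: only specific Internet traffic reaches the
# DMZ boxes, the DMZ may never initiate into the LAN, the LAN may manage the DMZ boxes.
SEGMENTED_DMZ = [
    Rule("internet", "dmz", frozenset({80, 443}), "allow"),
    Rule("dmz", "lan", None, "deny"),
    Rule("lan", "dmz", None, "allow"),
]

# Consumer-router "DMZ host": every inbound port forwarded to one box that still sits on
# the same flat network as everything else (modelled here as an unrestricted dmz->lan allow).
DMZ_HOST = [
    Rule("internet", "dmz", None, "allow"),
    Rule("dmz", "lan", None, "allow"),
]

def dmz_can_reach_lan(rules, probe_ports=(22, 445, 3389)) -> bool:
    """Could a compromised DMZ box open any of these ports into the LAN?"""
    return any(evaluate(rules, "192.0.2.10", "10.0.0.5", p) == "allow" for p in probe_ports)
```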

The use and configuration of DMZ areas has changed over time somewhat. It is completely accurate to say it used to be an area with next to no security. But I personally haven't seen anywhere set up like that for years, especially not after things like NetSky started flying around.

The main difference between a DMZ and the Private network these days tends to be that the DMZ is the only section that allows users from the Internet inside. It remains a good idea to only allow the minimum access to that section.

Perhaps in that respect DMZ is a bit of a misleading term?

It is mainly used for keeping the local network and publicly accessible servers separate, to protect the internal network from public access.

Thanks all,

So I'm currently using port forwarding to access my Outlook Web Access and also occasionally my terminal server, so I should really put these two boxes in front of my firewall?

But then how do I connect them to my local network, or do these boxes have to be closed-off boxes that I would rarely if ever be updating?

Cheers

For Outlook / Exchange, Microsoft supply the Front-End / Back-End servers. Of course there is the additional cost of an extra server with an extra copy of Exchange etc. But this is the only way Exchange will let you have a more secure version in a DMZ. Exchange is too reliant on Active Directory to be moved outside the LAN otherwise.

For the Terminal Server, have you considered some kind of VPN type connection rather than opening it up completely?