Solved

Create an internal LAN DMZ

Posted on 2010-08-16
Last Modified: 2013-11-16
I want to create an internal DMZ on my LAN, such that I can use one of my extra ports on my TZ210w so that I can connect client PCs to the internet, but that are unable to access any other network resources on my LAN. From time to time we get client machines infected with the normal range of malware and whatnot, so I need to have them connected to update removal programs, but I want to keep them from my day-to-day resources. I've tried everything I can think of, but do not get a connection.

Thanks!
Question by:microsymplex
12 Comments
 
LVL 5

Expert Comment

by:truromeo4juliet
ID: 33448250
I think your conception of a DMZ is a bit skewed. A DMZ (demilitarized zone) is a computer that's placed outside the protection of a router's firewall, to allow all inbound traffic from outside the router to hit the PC normally without firewall restriction.

One thing you can do to resolve your issue is to setup a unique workgroup for your network (example: FIXINGSTUFF), and manually assign subnetting, etc...

From my 16 years (and 3000+ virus removal procedures) of computing experience, however, most PCs that are attached to a common network will NOT have a malware issue unless the customer is infected with a worm (very rare). Most infections that are spread in a computer repair shop environment are spread through plugging in USB drives and then moving those drives to other computers.

A good free malware utility to use is Combofix, created by sUBs, sponsored on the bleepingcomputer.com website: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Wish you luck.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33448806
However, you can use one of the interfaces on the sonicwall to create an Internal "DMZ" without removing the firewall restrictions.  Create a new zone, assign it to a spare Interface on the sonicwall.  Connect the desired PC to it.  Then, configure the firewall access rules between the new zone > LAN and LAN > new zone.
0
 

Author Comment

by:microsymplex
ID: 33449149
@digitap, how do I configure the settings within the "new" interface?
Zone - DMZ?
IP Assignment - Static?
IP Address - ????


In the past trying to configure the static IP, I've gotten overlap errors.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33449200
You can use the DMZ zone.  Create an internal IP address.  Something like 192.168.35.0/24 or 10.10.10.0/24.  Give the interface a static IP from one of those subnet ranges.

As an example, if we picked 192.168.30.0/24
Interface IP: 192.168.30.20
Mask: 255.255.255.0
Zone: DMZ

When you are done creating the Interface, the sonicwall will create a new DHCP scope for that interface.  Any device that connects to the interface will get an IP address from the sonicwall.  Also, go to Firewall > Access Rules.  Select DMZ > LAN.  There is probably a default rule to Deny any traffic to the LAN zone.  You can double check LAN > DMZ just to see what's there and create your own Deny rule if you want.  Then, Check WAN > DMZ and DMZ > WAN to make sure the respective rules are as you want.
0
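The procedure in digitap's two comments above (a new zone on a spare interface with its own subnet, Deny rules between that zone and the LAN, Allow to the WAN, and a DHCP scope on the interface), as an added Python example that is not from the thread and is not SonicWall's own software. It models the zone-to-zone rule matrix so the intended result can be checked on paper before touching the firewall: that the quarantine subnet does not overlap the LAN (the "overlap error" the author hit), that a quarantined host is denied to the LAN but allowed to the WAN, and what DHCP scope the interface would hand out. The interface names, subnets, rule order, the default-deny fallback and the treatment of intra-zone traffic are assumptions taken from the thread's examples, simplified from the real device.

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations

# Constructed interface plan (assumption, from the thread's examples):
# X0 stays on the LAN at 192.168.1.0/24; the spare port X2 becomes the
# quarantine zone "DMZ" on 192.168.30.0/24 with the interface at .20.
INTERFACES = {
    "X0": ("LAN", "192.168.1.1/24"),
    "X2": ("DMZ", "192.168.30.20/24"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str  # "allow" or "deny"


# Zone-to-zone access rules in evaluation order. Anything that matches no
# rule falls through to DEFAULT_ACTION (assumed default deny).
RULES = [
    Rule("DMZ", "LAN", "deny"),   # quarantined hosts must not reach LAN resources
    Rule("LAN", "DMZ", "deny"),   # and the LAN should not reach into the quarantine
    Rule("DMZ", "WAN", "allow"),  # so that removal tools can fetch updates
    Rule("LAN", "WAN", "allow"),
]
DEFAULT_ACTION = "deny"


def find_overlaps(interfaces):
    """Return pairs of interface names whose subnets share address space."""
    nets = {name: ipaddress.ip_interface(cidr).network
            for name, (_zone, cidr) in interfaces.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def zone_of(ip, interfaces=INTERFACES):
    """Map an address to the zone of the internal interface it sits behind.

    An address on no internal interface is treated as WAN: the firewall has
    no internal route for it, so it follows the default route out the WAN port.
    """
    addr = ipaddress.ip_address(ip)
    for _name, (zone, cidr) in interfaces.items():
        if addr in ipaddress.ip_interface(cidr).network:
            return zone
    return "WAN"


def evaluate(src_ip, dst_ip, interfaces=INTERFACES, rules=RULES):
    """First-match evaluation of the zone rules for one flow."""
    src, dst = zone_of(src_ip, interfaces), zone_of(dst_ip, interfaces)
    if src == dst:
        # Assumption: traffic within one zone is not governed by these
        # zone-to-zone rules, so the model reports it as allowed.
        return "allow"
    for rule in rules:
        if rule.src_zone == src and rule.dst_zone == dst:
            return rule.action
    return DEFAULT_ACTION


def dhcp_scope(interface_name, interfaces=INTERFACES):
    """Derive the DHCP scope the interface would serve: every host address in
    its subnet except the interface's own, with the interface as gateway."""
    _zone, cidr = interfaces[interface_name]
    iface = ipaddress.ip_interface(cidr)
    hosts = [h for h in iface.network.hosts() if h != iface.ip]
    return {
        "gateway": str(iface.ip),
        "mask": str(iface.network.netmask),
        "start": str(hosts[0]),
        "end": str(hosts[-1]),
    }


if __name__ == "__main__":
    print("overlaps:", find_overlaps(INTERFACES))
    print("DMZ host -> LAN host:", evaluate("192.168.30.50", "192.168.1.10"))
    print("DMZ host -> internet:", evaluate("192.168.30.50", "203.0.113.7"))
    print("X2 scope:", dhcp_scope("X2"))
```

Run it with the LAN subnet you actually use in place of 192.168.1.0/24; if `find_overlaps` returns a pair, pick another subnet for X2 before creating the interface, which is the situation behind the overlap error the author mentions. The model only reflects zone rules, so it says nothing about what the real device does with DNS or NAT; those still have to be verified on the firewall.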
 
LVL 33

Expert Comment

by:digitap
ID: 33449209
What's the IP you've used on the LAN interface?  Whatever that is, use something incrementally larger.  If 192.168.29.0/24, then use 192.168.30.0.
0
 

Author Comment

by:microsymplex
ID: 33450129
I've tried using a different subnet, such as 192.168.230.x for the "untrusted" dmz, versus my normal internal IP of 192.168.1.x as seen below.

X2 - DMZ - 192.168.232.1 - 255.255.255.0 - Static - 100 Mbps full-duplex - Quarantined LAN ...

When thinking about it though, how does X2 know where to go to get to the WAN port in this argument...it doesn't, I think that's where I'm stuck.
0
 
LVL 33

Accepted Solution

by:
digitap earned 500 total points
ID: 33450150
All the internal interfaces will use the default gateway of the SonicWall, which is the IP of the WAN interface, if it encounters an IP network it doesn't know how to route internally. Are you trying to resolve DNS on a DMZ host? Set a host as a static IP on the DMZ network. Set the DNS to 4.2.2.2. This should allow you to resolve. Otherwise, it must be a DMZ > WAN or WAN > DMZ access rule.
0
 

Author Comment

by:microsymplex
ID: 33455982
Not really trying to resolve anything...I just want these computers in question in a quarantined mini-network, to have access to the internet and not my local LAN resources. I wonder if I should have to enable the onboard DHCP server for my DMZ LAN subnet?
0
 
LVL 33

Expert Comment

by:digitap
ID: 33456455
You can if you want. The SonicWall will create a scope for you automatically.
0
 

Author Comment

by:microsymplex
ID: 33456751
Thanks digitap, that pointed me in the right direction. Once I enabled the onboard DHCP server on the SonicWall for my quarantined interface's subnet, I connected right up with the correct IP, and am unable to talk to any of my "trusted" resources. If it helps anyone else, here are a few screenshots of my SonicWall config (TZ210W):


dmz1.jpg
dmz2.jpg
0
 

Author Closing Comment

by:microsymplex
ID: 33456763
Thanks digitap, that pointed me in the right direction and cleared up my thought process.

Cheers!
0
 
LVL 33

Expert Comment

by:digitap
ID: 33456884
You're welcome... thanks for the points!
0
