Setting Up a DMZ

iNetSystem asked:

I realize that a DMZ is used to protect internal systems and that access is typically through an external, public IP address. Can you tell me a few ways people use them, and with what types of applications? Why use a DMZ versus a NAT?

What steps would I take (top level) to do this?
ASKER CERTIFIED SOLUTION by lockreyt (members-only; text not available on this page)
iNetSystem (ASKER):

So the DMZ server would have a public IP and be on the outside of the firewall (Internet side)?
nestoru:

No, you always have a firewall facing the wild. You just open the ports to one network (or an individual server), which is then called demilitarized.

The most important concept around a DMZ is network segmentation. Without it the DMZ solution is basic and only addresses easier NATing (like the Linksys Host DMZ functionality). In a truly protected architecture, DMZ machines like web servers, email servers, FTP servers etc. live in a subnetwork that accepts connections from the outside, while other machines like databases live in a separate subnetwork. When a hacker manages to enter the DMZ they cannot easily hack the database server because only certain ports will be available. However, this still does not mean the hacker cannot hack your data, because he could potentially sniff packets going to the specific database port. Of course he will not be able to ssh or rdp into the database machine because those ports are simply closed by the firewall (the same one or an additional one).

Please read a recent post and its answers: https://www.experts-exchange.com/questions/27094293/Linksys-WRT54G-router-dmz-connect-to-database.html?cid=1572&anchorAnswerId=35956022#a35956022
Also: http://en.wikipedia.org/wiki/DMZ_%28computing%29
A DMZ is set up to protect the LAN. A DMZ can be configured in several ways.

Have a read of http://en.wikipedia.org/wiki/DMZ_(computing)
SOLUTION (members-only; text not available on this page)
iNetSystem (ASKER):

lockreyt - thx.
I think I follow you on this, but please clarify. The server in the DMZ would have a private/internal IP, but the firewall would have the port open to pass through external requests to it? If this is so, as an example, a web server would have a public DNS record that points to the firewall, which knows to pass it through the port to the DMZ?
Bingo! Now you got it.
Actually, usually all ports go to the DMZ.
iNetSystem (ASKER):

Then how is this different from NATing? I could set up a web server with a private IP on my internal network, publish it in external DNS, and requests to it publicly could be NATed at the firewall to just this server on the inside.
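The following is an added example, not an answer from the thread. It models what nestoru describes above (DMZ hosts in their own subnet, the database in the LAN, and the firewall allowing only the database port from the DMZ) and what the asker describes (a public DNS name that resolves to the firewall, which forwards the port to a private DMZ address). Addresses, interface names and hosts are constructed for illustration: the firewall's public address is 203.0.113.10, the web server is 192.0.2.10 in the DMZ and the database is 10.0.0.20 in the LAN. The point it makes concrete is that the port forward (DNAT) alone is what "NATing a server on the inside" gives you; the separate zone-to-zone forward policy is what the segmented DMZ adds, so a compromised web server can reach the database port and nothing else. The nftables rendering is an illustrative translation of the same policy, not a tested production ruleset.

```python
"""Zone-based firewall model for a segmented DMZ (added example, not from the thread).

Addressing is constructed for illustration:
  WAN: everything not in the other zones; firewall public address 203.0.113.10
  DMZ: 192.0.2.0/24, web server 192.0.2.10
  LAN: 10.0.0.0/24, database 10.0.0.20, admin workstation 10.0.0.5
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PUBLIC_IP = "203.0.113.10"
WEB = "192.0.2.10"
DB = "10.0.0.20"

ZONES = {"DMZ": ip_network("192.0.2.0/24"), "LAN": ip_network("10.0.0.0/24")}
IFACES = {"WAN": "wan", "DMZ": "dmz", "LAN": "lan"}  # assumed interface names

# Port forwards (DNAT) from the public address to the DMZ web server.
# This table alone is the "NAT a server on the inside" setup from the question.
DNAT = {(PUBLIC_IP, 80): (WEB, 80), (PUBLIC_IP, 443): (WEB, 443)}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dport: Optional[int] = None      # None = any TCP port
    dst_host: Optional[str] = None   # None = any host in dst_zone


# Forward policy between zones: first match wins, default drop.
# This is the segmentation that makes the DMZ more than a port forward.
POLICY = [
    Rule("WAN", "DMZ", 80, WEB),
    Rule("WAN", "DMZ", 443, WEB),
    Rule("DMZ", "LAN", 5432, DB),    # web tier may reach the database port only
    Rule("LAN", "DMZ"),              # admins manage DMZ hosts from the LAN
]


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "WAN"


def evaluate(src: str, dst: str, dport: int) -> tuple[str, str, int]:
    """Return (verdict, post-NAT destination, post-NAT port) for a new TCP flow."""
    # DNAT is applied in prerouting, before the forward policy sees the packet,
    # so a flow to the public address is judged as a flow to the DMZ host.
    dst, dport = DNAT.get((dst, dport), (dst, dport))
    sz, dz = zone_of(src), zone_of(dst)
    for r in POLICY:
        if (r.src_zone, r.dst_zone) == (sz, dz) \
                and r.dport in (None, dport) and r.dst_host in (None, dst):
            return "accept", dst, dport
    return "drop", dst, dport


def nft_ruleset() -> str:
    """Render DNAT and POLICY as an nftables ruleset (illustrative translation)."""
    lines = ["table ip dmz_fw {",
             "    chain prerouting {",
             "        type nat hook prerouting priority -100;"]
    for (pub, pport), (priv, dport) in DNAT.items():
        lines.append(f"        ip daddr {pub} tcp dport {pport} dnat to {priv}:{dport}")
    lines += ["    }", "    chain forward {",
              "        type filter hook forward priority 0; policy drop;",
              "        ct state established,related accept"]
    for r in POLICY:
        match = f'        iifname "{IFACES[r.src_zone]}" oifname "{IFACES[r.dst_zone]}"'
        if r.dst_host:
            match += f" ip daddr {r.dst_host}"
        if r.dport:
            match += f" tcp dport {r.dport}"
        lines.append(match + " accept")
    lines += ["    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    flows = [("198.51.100.7", PUBLIC_IP, 443),  # Internet client to the web site
             ("198.51.100.7", PUBLIC_IP, 22),   # Internet client tries SSH
             (WEB, DB, 5432),                   # (compromised) web host to db port
             (WEB, DB, 22),                     # same host tries SSH to the db
             ("10.0.0.5", WEB, 22)]             # admin to the web server
    for src, dst, port in flows:
        verdict, ndst, nport = evaluate(src, dst, port)
        print(f"{src:>14} -> {dst}:{port:<5} {verdict:6} (delivered to {ndst}:{nport})")
    print(nft_ruleset())
```

Running it shows the contrast the asker is after: with only the DNAT table, the web server would still be an ordinary LAN host and anything it could reach after a compromise would be reachable; with the forward policy, the only LAN destination it can open is 10.0.0.20:5432, which is also exactly the residual risk nestoru points out (traffic to that port can still be abused or observed from the DMZ side).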
SOLUTION (members-only; text not available on this page)