Question

  • #2228709

    DMZ

    Locked

    by csameta ·

    what is the primary function of the DMZ port on a firewall and who can access the DMZ?

All Answers

    • #2471660

      Clarifications

      by csameta ·

      In reply to DMZ


    • #2471561

      DMZ…

      by scott_heath ·

      In reply to DMZ

      It allows a system to be outside of your firewall. It is then accessible by anyone who wants to get to it. Is this a home network? What kind of router is it?

    • #2471556

      Check wiki for answer

      by tg2 ·

      In reply to DMZ

      http://en.wikipedia.org/wiki/Demilitarized_zone_(computing)

      Check out wiki for the answer, very good, concise explanation.

      Pay particular attention to the “DMZ host” paragraph, and know the following:

      With a SOHO router, having a DMZ IP address set up means that any traffic that was not initiated by the router going out to the internet is directed at the DMZ IP (unprotected).

      SOHO firewall/routers work by getting a piece of traffic from your machine. The FW then NATs the external IP address, and adds a source port to send the traffic out with.

      The fw/rtr sends the traffic out to the internet as being from a specified port number, so that when a machine on the internet responds, that machine responds to the external IP address, *and* to the port that was sending.

      When the traffic comes into the router/firewall, it sees the destination port, looks this up in its NAT table and then rewrites the packet to the internal IP address that originally sent the packet.

      With a DMZ setting on a SOHO firewall, any traffic inbound, to any port that is not currently listed inside the router/firewall as something **it** sent, will by default go to the address you list as the DMZ machine, meaning that DMZ machine is unprotected. As it would be unprotected, it would be the machine that could then attack the other machines in your network, should someone compromise it (hence why you would need a good software firewall on that DMZ host / machine).

      Only if there is a separate DMZ port, and you have instructions (the manual) that say the DMZ machine cannot reach the rest of your network, should you consider using the DMZ setting without a firewall to protect other machines in your network.
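The NAT-table lookup and DMZ-host fallback described in the reply above, as an added Python model written for this page (it is not code from the original poster or from any router vendor). The public address 203.0.113.5, the LAN addresses, the external port range starting at 40000 and the single-public-IP setup are constructed assumptions for the illustration; a real device keys its table on protocol and peer address too, which this model leaves out.

```python
# Added example (not from the original post): a small model of how a SOHO
# router/firewall combines port-address translation with a "DMZ host" setting.
#
# Assumptions (illustration only, not any vendor's implementation):
#   - one public address PUBLIC_IP, and a fresh external source port per flow;
#   - inbound packets whose destination port is not in the NAT table are handed
#     to the configured DMZ host on the original port; with no DMZ host they drop;
#   - the DMZ host shares the LAN segment unless the device has an isolated DMZ port.

from dataclasses import dataclass, field
from typing import Optional

PUBLIC_IP = "203.0.113.5"  # RFC 5737 documentation address, constructed for the example


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class SohoRouter:
    public_ip: str = PUBLIC_IP
    dmz_host: Optional[str] = None
    dmz_isolated: bool = False   # True only when the DMZ sits on a separate, isolated port
    next_port: int = 40000       # next external source port to hand out (assumed range)
    # external port -> (internal ip, internal port)
    nat_table: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: record the flow, rewrite source IP and source port."""
        ext_port = self.next_port
        self.next_port += 1
        self.nat_table[ext_port] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: a table hit is rewritten back to the original sender;
        a miss goes to the DMZ host, or is dropped when none is configured."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.nat_table.get(pkt.dst_port)
        if entry is not None:
            in_ip, in_port = entry
            return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port)
        if self.dmz_host is not None:
            # Unsolicited traffic: the DMZ host receives it on the ORIGINAL port.
            return Packet(pkt.src_ip, pkt.src_port, self.dmz_host, pkt.dst_port)
        return None

    def lateral(self, pkt: Packet) -> Optional[Packet]:
        """DMZ host -> LAN. On a typical SOHO device the DMZ host is on the same
        segment, so the router is not even in the path and cannot filter this;
        only an isolated DMZ port blocks it."""
        if pkt.src_ip == self.dmz_host and self.dmz_isolated:
            return None
        return pkt


def demo(dmz_host: Optional[str], dmz_isolated: bool = False):
    """Run three constructed packets through a router and return the results."""
    r = SohoRouter(dmz_host=dmz_host, dmz_isolated=dmz_isolated)
    # 1. A LAN PC opens a connection to a web server on the internet.
    out = r.outbound(Packet("192.168.1.10", 51234, "198.51.100.7", 80))
    # 2. The server's reply comes back to the public IP and the translated port.
    reply = r.inbound(Packet("198.51.100.7", 80, PUBLIC_IP, out.src_port))
    # 3. An unsolicited probe against a port nobody on the LAN sent from.
    scan = r.inbound(Packet("198.51.100.99", 4444, PUBLIC_IP, 3389))
    # 4. The DMZ host (if compromised) tries to reach another LAN machine.
    lateral = r.lateral(Packet(dmz_host or "0.0.0.0", 5555, "192.168.1.10", 445))
    return out, reply, scan, lateral


if __name__ == "__main__":
    for label, args in (("no DMZ", (None,)),
                        ("DMZ host", ("192.168.1.50",)),
                        ("isolated DMZ port", ("192.168.1.50", True))):
        out, reply, scan, lateral = demo(*args)
        print(f"{label}: reply->{reply and reply.dst_ip}, "
              f"scan->{scan and scan.dst_ip}, lateral->{lateral and lateral.dst_ip}")
```

Running it shows the point of the reply: the solicited web reply always lands on 192.168.1.10, the unsolicited probe is dropped with no DMZ host but delivered to 192.168.1.50 once one is configured, and that host can still reach 192.168.1.10 unless the device actually isolates the DMZ segment.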
