Ok, the term 'DMZ' gets thrown around pretty lightly at times so I am going to do my best to explain the basics and clear up some misconceptions.
First of all, the name comes from the term 'demilitarized zone', the hostile border between two countries (e.g. North and South Korea). In the computer world, a DMZ is a separate network that is more trusted than the Internet but less trusted than the internal LAN. In short, it is a buffer zone that separates the Internet from your private LAN. (Note: Microsoft calls this a 'Screened Subnet'.)

Many SOHO router vendors have taken to using the term 'DMZ' as a way to sell their products. In fact, when those products set up a 'DMZ' they are simply bypassing their filters and NAT protection and forwarding all traffic to a 'default host'. This should not be confused with a true DMZ.

One way to create a DMZ is with a machine that has three NICs in it: one for the WAN connection, one for the DMZ network, and one for the internal network. This works, but it is not the preferred method, because the security of all three networks then rests on one system. If the machine holding those three NICs is compromised, so are your DMZ and your private network. Basically, you are allowing the Internet to 'touch' the very same machine that determines how secure your internal LAN is, and that is not a good thing.

A better way to do this is with three separate networks. This is accomplished with two 'firewall' devices: one on the border of your WAN, and one on the border of your internal network. Let us say that you have a broadband router and a Checkpoint firewall. You put the router on your border (right behind your modem) and connect the LAN side of that router to a hub or switch. On that hub or switch (your DMZ hub/switch) you use one of the ports to connect your bastion host/public server. This is the machine running the service that you want people to be able to connect to from the outside; it may be a website, an FTP server, or a multiplayer game like WCIII or Counterstrike.
You want this machine to be hardened to some degree, meaning that it is fully patched and is not running anything vulnerable (although the border device affords it some protection via NAT). As a general rule, you want anything you put in the DMZ to be resistant to attacks from the Internet, since public access is the reason you are putting it out there in the first place.

Now, to that same switch you attach another network cable that goes to your Checkpoint firewall. This firewall should be the better of the two firewalls that you have, so if you have a Checkpoint and a Netgear you should use the Netgear on the border and the Checkpoint box here. It has two NICs in it: one for the DMZ side and one for the private LAN side. Connect the cable to the DMZ side of the internal firewall, and on the other side of the firewall (the private LAN side) connect a cable to another hub/switch that all of your LAN computers will connect to. If that was confusing, think of it this way:

------------
Internet to Modem
Modem to Router
Router to DMZ Hub/Switch
DMZ Switch to WEB/FTP/Game Server
...and...
DMZ Switch to Firewall External NIC
Firewall Internal NIC to Internal Hub/Switch
Internal Hub/Switch to Internal Systems
------------

What this does is allow you to completely segment your network in terms of trust. You can initiate connections to the DMZ and to the Internet, but neither of those two networks can initiate connections to you. So unless you start a web or FTP session to your DMZ, no traffic from that network is allowed onto yours. The same goes for the Internet. This is accomplished via yet another layer of NAT and, more importantly, SPI (stateful packet inspection). Essentially, you are saying that you don't trust those two networks, and they are treated as completely separate from your internal LAN. What does this get you? Why do it?
Because if someone is able to compromise your web server (let's say it was IIS and it got rooted because it wasn't patched), they can't do much from the DMZ. You don't trust anything in it as far as you can throw it, so when they think they just scored big by getting one machine and can now branch out to another, they are actually out of luck: they are on an untrusted network that is outside of your real firewall. This is a DMZ.

The power is further extended by the fact that you can use NAT on your border device to pass only the ports needed into your DMZ. So if you are only running a web server, you only pass TCP 80 to the DMZ machine running that daemon; all other connection requests are stopped dead at the border router/firewall.

------------

So, imagine someone is scanning you from the Internet when you have this configuration. They use whatever program and find port 80 open. Most amateur attackers would assume that you are running something on your public IP address, as if your main browsing client were sitting right on the Internet running a web daemon. So, upon connecting to it and getting a web page, they scurry to dig up their favorite HTTP exploit tool that someone else wrote. What they don't know is that they are connecting to a private IP in your DMZ. It has no real IP address as far as the Internet is concerned. If you don't pass that port at the border router, they won't see anything at all when they scan you.

Now, if they run a working exploit and get root on your web server they are going to jump for joy; the thing is, they have little to celebrate. All they have is a barebones server with very little on it. They get no vital info, no browsing history, no personal information at all. In fact, all you have on there is maybe your web or FTP directory, which is safely backed up on your internal network and/or on CD. So they ping around on your DMZ and find that there isn't anything there.
(Your internal firewall doesn't even respond to ICMP and has no open ports, so they can't do much at all with it.) If they are smart they will run ifconfig or ipconfig and find out they are on a private subnet, but this gains them nothing.

It is important to mention here that using a switch in the DMZ is preferable to a hub, since on a hub a standard sniffer can be used to watch all traffic entering and exiting your WAN gateway. Normally, they could use an ARP poisoning technique to sniff across the switch, but in this case they have no host to poison because your internal firewall won't pass the malicious ARP replies to the machines behind it.

Anyway, from there the attacker will either leave or destroy the system, which is fine with you since you needed to redo that box anyway. Either way, you simply reinstall your DMZ machine, unzip your web or FTP data into the right place, and BAM!, you've got a brand new DMZ system with no danger to your private network at any point during the process. Be sure to patch this time. :)

danielrm26
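As an added illustration (not part of the original post, and not anyone's real firewall configuration), here is a small Python model of the two-firewall layout described above: a border filter that forwards only TCP 80 from the Internet onto the DMZ host, an internal filter that admits only LAN-initiated flows and answers nothing on its DMZ NIC, and stateful tracking so that only replies to flows that were actually admitted come back through. All addresses, the zone prefixes, and the scenario names are constructed for the example; outbound source NAT is left out to keep the model short.

```python
from dataclasses import dataclass, replace

# Constructed addresses (RFC 5737 / RFC 1918 ranges); none of them are from the post.
PUBLIC_IP = "203.0.113.10"    # WAN side of the border router
WEB_SERVER = "192.168.10.5"   # bastion host on the DMZ switch
INTERNAL_FW = "192.168.10.1"  # DMZ-side NIC of the internal firewall
ZONES = {"192.168.10.": "dmz", "192.168.1.": "lan"}  # anything else is "internet"

def zone_of(ip):
    return next((z for prefix, z in ZONES.items() if ip.startswith(prefix)), "internet")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    sport: int = 40000

class StatefulFilter:
    """Minimal SPI: remember each flow admitted as NEW, admit only replies to those."""

    def __init__(self, new_flow_rule):
        self.new_flow_rule = new_flow_rule   # (src_zone, pkt) -> bool
        self.flows = set()                   # 5-tuples of admitted flows

    def admit(self, pkt):
        key = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        reply_of = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if reply_of in self.flows:
            return True                      # ESTABLISHED: reply to a flow we let through
        if self.new_flow_rule(zone_of(pkt.src), pkt):
            self.flows.add(key)              # NEW and permitted by policy
            return True
        return False                         # dropped silently; nothing is answered

def border_rule(src_zone, pkt):
    # The Internet may open only the one forwarded service; DMZ and LAN may go out.
    if src_zone == "internet":
        return pkt.dst == WEB_SERVER and (pkt.proto, pkt.dport) == ("tcp", 80)
    return True

def internal_rule(src_zone, pkt):
    return src_zone == "lan"                 # only the LAN initiates across this firewall

# Filters a packet crosses, in order, for each (source zone, destination zone);
# a pair missing here stays on one switch and meets no filter at all.
PATH = {("internet", "dmz"): ["border"], ("internet", "lan"): ["border", "internal"],
        ("dmz", "internet"): ["border"], ("dmz", "lan"): ["internal"],
        ("lan", "dmz"): ["internal"], ("lan", "internet"): ["internal", "border"]}

class Network:
    def __init__(self):
        self.filters = {"border": StatefulFilter(border_rule),
                        "internal": StatefulFilter(internal_rule)}

    def send(self, pkt):
        """Return 'delivered' or 'dropped' for one packet. Outbound source NAT is
        not modelled, so replies are tracked against the private addresses."""
        src_zone = zone_of(pkt.src)
        if src_zone == "internet" and pkt.dst == PUBLIC_IP:
            # Border NAT: TCP/80 is forwarded onto the DMZ server; any other port
            # aimed at the public address is stopped dead at the router.
            if (pkt.proto, pkt.dport) != ("tcp", 80):
                return "dropped"
            pkt = replace(pkt, dst=WEB_SERVER)
        if pkt.dst == INTERNAL_FW and src_zone != "lan":
            return "dropped"                 # the firewall's DMZ NIC answers nothing, ICMP included
        for name in PATH.get((src_zone, zone_of(pkt.dst)), []):
            if not self.filters[name].admit(pkt):
                return "dropped"
        return "delivered"

def run_scenarios():
    """Replay the situations the post describes; returns {scenario: outcome}."""
    net = Network()
    attacker, lan_pc = "198.51.100.7", "192.168.1.20"   # constructed addresses
    r = {}
    # A scan from the Internet sees only the forwarded port, and the reply gets out.
    r["scan_80"] = net.send(Packet(attacker, PUBLIC_IP, "tcp", 80))
    r["scan_22"] = net.send(Packet(attacker, PUBLIC_IP, "tcp", 22))
    r["web_reply"] = net.send(Packet(WEB_SERVER, attacker, "tcp", 40000, sport=80))
    # A rooted DMZ server gets nowhere: LAN hosts and the firewall itself ignore it.
    r["dmz_to_lan"] = net.send(Packet(WEB_SERVER, lan_pc, "tcp", 445))
    r["dmz_ping_fw"] = net.send(Packet(WEB_SERVER, INTERNAL_FW, "icmp", 0))
    r["internet_to_lan"] = net.send(Packet(attacker, lan_pc, "tcp", 445))
    # The LAN may open sessions to the DMZ and the Internet; only their replies come back.
    r["lan_to_dmz"] = net.send(Packet(lan_pc, WEB_SERVER, "tcp", 21, sport=50000))
    r["dmz_reply"] = net.send(Packet(WEB_SERVER, lan_pc, "tcp", 50000, sport=21))
    r["forged_reply"] = net.send(Packet(WEB_SERVER, lan_pc, "tcp", 50001, sport=21))
    r["lan_to_internet"] = net.send(Packet(lan_pc, attacker, "tcp", 443, sport=50002))
    r["internet_reply"] = net.send(Packet(attacker, lan_pc, "tcp", 50002, sport=443))
    return r
```

Calling run_scenarios() walks the packets through the filters in order and shows the two properties the post relies on: nothing reaches the LAN unless a LAN host started the flow (the forged "reply" with an unseen port pair is dropped even though it comes from the same server), and the Internet can only ever reach the one port the border forwards. A real border router would also rewrite outbound source addresses to PUBLIC_IP; that step is omitted here so the flow table can key on the private addresses directly.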
