Firewall DMZ a Secure Way to Provide Public Resources by hkksew3563rd


									?Providing public resources such as Web servers which are located inside the private
network is prone to any types of internet threats. This is because we allow inbound
internet traffic reaching into our private network. A secure way to provide public
resources is by establishing a security boundary - the firewall DMZ.

Connecting our private network to the un-trusted network (aka the internet), we
should control the flow of the traffic in a secured manner by using a firewall device.
With firewall, all the traffic are forced to pass through a single concentrated
checkpoint where all traffic will be controlled, authenticated, filtered, and logged
according to the policies set. With this way, we can significantly reduce, but not
eliminate the amount of unauthorized traffic reaching our internal network.

What should we do if we need to provide the public resources such as Web-servers
that can be accessed by users from the internet in a secured way? Internet users can
access the public resources but they cannot reach into our private or internal corporate
networks. We need to configure our firewall by providing the perimeter network - a
Firewall with DMZ (Demilitarized Zones).

Firewall DMZ - Demilitarized Zone is a security network at the boundary between a
corporate / private Local area network (LAN) and the internet. A firewall DMZ must
be used whenever you need to provide a segmentation of the network when you need
to host public resources such as Web servers. The perimeter network is designed to
protect servers on the corporate network from attack by malicious users on the

If the requirements to use multiple network segments exist, you can deploy multiple
DMZ with differing security policies (levels). For example when you need to deploy a
secured web server with SQL server on different machine, you need to provide
segmentations to both Web -server and the SQL server. Web-server should be placed
in DMZ1 while SQL server should be placed on different segment - DMZ2.

We should create policies in such a way that the traffic from the internet users can
only access the Web server which sits in DMZ1 network. They cannot access the SQL
server which sits in DMZ2 network. However, both Web server in DMZ1 and SQL
server in DMZ2 can access each other. As a general practice you should separate the
SQL server from the Web server. You need to develop policies that meet the above
security requirements and implement them in the firewall.


The firewall DMZ can be implemented at the border of the corporate LAN which
typically has three network interfaces:
1. The internet interface: the interface is exposed to the internet (the unsecured public
2. The private or Intranet interface: the interface is connected to the corporate LAN
network where you put your vulnerable servers.
3. The DMZ network: the DMZ interface resides in the same public network that can
be easily accessed by public users from the internet. The public resources which
typically reside in the firewall DMZ are proxy servers, and web servers.

Home Wireless Router with DMZ Feature

There are many popular home wireless routers such as WRT610N by Linksys,
DIR-855 D-Link router which are equipped with the firewall DMZ feature available
in the market today. With the DMZ feature, you can configure a single computer to be
exposed to the internet for use of a special-purpose service such as Internet gaming or
video conferencing. DMZ hosting forwards all the ports at the same time to one PC.

Beside the DMZ feature, the Port Forwarding feature is more secure because it only
opens the ports you want to have opened, while DMZ hosting opens all the ports of
one computer, exposing the computer to the Internet.

For example with WRT610N wireless router, you can expose one PC or game console
for Online Gaming purposes. You can configure the router by accessing the router
web-based utility and locate the Application - DMZ page to configure and enable the
DMZ feature. DMZ feature is disabled by default. Enable the DMZ feature and select
the IP address or manually enter a specific IP address of the computer from the
Internet that will be allowed to access the PC in the network. You should also enter
the IP / MAC address of the PC / Game console you want it to be accessed from the

By Ki Grinsing

Ki Grinsing was graduated from ITS Technical college with the additions of MCSE
and CCNA certifications. He has long years of working experiences in IT. For
complete article, please visit: Firewall DMZ and WAN technologies

To top