Any absolute MUST reason for a DMZ?

Discussion in 'Computer Security' started by Rock, May 19, 2005.

  1. Rock

    Rock Guest

    Is there any absolute *must have it* reason for a DMZ?

    Would the judicious use of port-forwarding be an alternative? As long
    as I know each app's port, I think I could use the router to block
    unwanted ports.

    Maybe the only reason is the router won't tell me if there's a DOS
    attack going on. And looking at the logs, I think the log filtering
    is "natto-so-good-o". (you need some Japanese to get that one).

    But I can't think of another reason. Any others?

    Rock
     
    Rock, May 19, 2005
    #1

  2. Rock wrote:

    > Is there any absolute *must have it* reason for a DMZ?
    >
    > Would the judicious use of port-forwarding be an alternative? As long
    > as I know each app's port, I think I could use the router to block
    > unwanted ports.
    >
    > Maybe the only reason is the router won't tell me if there's a DOS
    > attack going on. And looking at the logs, I think the log filtering
    > is "natto-so-good-o". (you need some Japanese to get that one).
    >
    > But I can't think of another reason. Any others?
    >
    > Rock


    For home use I think port forwarding is fine. Understand you cannot have
    redundant servers with this setup (port forwarding + NAT); as long as that
    is not an issue, it should be fine.

    DMZ type setups are more for medium and large network designs. For home
    use, port forwarding should be fine.

    Michael
    --
    "Trusted Computing" is a SCAM
    http://www.gnu.org/philosophy/can-you-trust.html

    Protect your rights
    http://www.eff.org/Infrastructure/trusted_computing/20031001_tc.php
    http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html
     
    Michael Pelletier, May 19, 2005
    #2

  3. Rock

    test Guest

    Rock wrote:

    > Is there any absolute *must have it* reason for a DMZ?
    >
    > Would the judicious use of port-forwarding be an alternative? As long
    > as I know each app's port, I think I could use the router to block
    > unwanted ports.
    >
    > Maybe the only reason is the router won't tell me if there's a DOS
    > attack going on. And looking at the logs, I think the log filtering
    > is "natto-so-good-o". (you need some Japanese to get that one).
    >
    > But I can't think of another reason. Any others?
    >
    > Rock


    Depends. For some apps, they have to have the ability to connect on various
    ports, so a normal router/NAT setup won't do it. For example, Freenet,
    although it's supposed to only accept connections on the specified port,
    will not work with only that port forwarded. This is because after
    accepting the connection, it assigns an actual port to the connection in
    order to keep track of that connection. Many applications function the same
    way and have to be examined on an individual basis to determine a
    sufficient number of ports to allow them to use. Otherwise the router will
    automatically drop/block connection attempts since they aren't being
    forwarded.
     
    test, May 20, 2005
    #3
  4. Rock

    Leythos Guest

    In article <>, rock1
    @hotmail.com says...
    > Is there any absolute *must have it* reason for a DMZ?
    >
    > Would the judicious use of port-forwarding be an alternative? As long
    > as I know each app's port, I think I could use the router to block
    > unwanted ports.
    >
    > Maybe the only reason is the router won't tell me if there's a DOS
    > attack going on. And looking at the logs, I think the log filtering
    > is "natto-so-good-o". (you need some Japanese to get that one).
    >
    > But I can't think of another reason. Any others?


    The reason to have a LAN and a DMZ network is to block access from one
    side to the other. If you put a web server in the DMZ, and don't provide
    DMZ to LAN access, if the Web server gets compromised it can't get to
    the LAN to compromise the other computers.

    If you use Port Forwarding you only have one network, so, if a system is
    compromised and it has any accounts with the same user/password, that
    machine can compromise the others easily - not to mention that if there
    are unpatched exploits, the compromised machine can compromise the
    others without a user/password.

    Anything that provides public services should be on a DMZ.

    If you want to create a DMZ you can do this with two NAT routers:

    INTERNET CONNECTION
    ||
    DMZ - ROUTER 1 (192.168.8.0/24)
    ||
    LAN - ROUTER 2 (192.168.16.0/24)

    The WAN port on Router 2 gets a fixed IP from the LAN of Router 1.
    Router 2 has no port forwarding.

    Router 1 has your DMZ network and all the port forwarding you want.
    Router 1 has no means to get into the LAN on ROUTER 2.


    --

    (Remove 999 to reply to me)
     
    Leythos, Jun 4, 2005
    #4
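The two-router layout above, modelled as a small reachability check so the segmentation claim can be tested flow by flow. This is an added example, not code from the thread; the web server address 192.168.8.10, the LAN host 192.168.16.20 and the TCP/80 and TCP/443 forwards on Router 1 are constructed assumptions.

```python
import ipaddress

# Two-router DMZ layout from the post: Router 1 fronts the DMZ
# (192.168.8.0/24) and holds all port forwards; Router 2's WAN port sits
# in that DMZ and NATs the LAN (192.168.16.0/24) behind it with no forwards.
DMZ = ipaddress.ip_network("192.168.8.0/24")
LAN = ipaddress.ip_network("192.168.16.0/24")

# Constructed example forwards on Router 1: public TCP/80 and TCP/443 land
# on a DMZ web server. These values are assumptions, not from the thread.
ROUTER1_FORWARDS = {("tcp", 80): "192.168.8.10", ("tcp", 443): "192.168.8.10"}


def zone(ip):
    addr = ipaddress.ip_address(ip)
    if addr in DMZ:
        return "DMZ"
    if addr in LAN:
        return "LAN"
    return "INTERNET"


def two_router_allows(src, dst, proto, port):
    """Can a new connection from src reach dst:port in the two-router design?"""
    s, d = zone(src), zone(dst)
    if s == d:
        return True  # same segment, no router in the path
    if d == "LAN":
        # Router 2 NATs the LAN and forwards nothing, so neither the Internet
        # nor a DMZ host can initiate a connection inward.
        return False
    if s == "LAN":
        return True  # LAN initiates outbound through Router 2, then Router 1
    if s == "DMZ" and d == "INTERNET":
        return True  # DMZ initiates outbound through Router 1's NAT
    # Internet -> DMZ: only through an explicit forward on Router 1
    return ROUTER1_FORWARDS.get((proto, port)) == dst


def single_router_allows(src, dst, proto, port):
    """Same flows in the flat, port-forwarding-only layout the OP proposed:
    the address ranges are just labels here, every inside host shares one segment."""
    if zone(src) != "INTERNET":
        return True  # the forwarded-to server sits beside every other host
    return ROUTER1_FORWARDS.get((proto, port)) == dst


def compromised_server_can_reach_lan(allows):
    """Worst case from the post: the forwarded-to web server is compromised
    and tries to open a connection to a LAN host (TCP/445 chosen as a sample)."""
    return allows("192.168.8.10", "192.168.16.20", "tcp", 445)
```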
