What is DMZ

DMZ - Demilitarized Zone

The idea of a demilitarized zone (DMZ) is that connections from the Internet into the DMZ are permitted, because a server located there, for example, must be reachable for external communication. A connection from the Internet into the LAN, however, should be prevented.

Real DMZ with a two-router solution

The demilitarized zone is an independent subnet that separates the local network (LAN) from the Internet by means of two firewall routers (A and B). Firewall router A is configured so that it discards incoming data packets that do not belong to a connection previously opened from the inside. No destination in the LAN can be addressed from the Internet or from the DMZ, because firewall router B rejects such packets. Should an attacker gain access to the server within the DMZ and try to send data packets into the LAN for snooping or further attacks, these are discarded by firewall router B.
This arrangement has the advantage that it keeps the data traffic coming from the Internet away from the LAN, so only internal traffic and the connections initiated from the LAN to the Internet take place in the LAN. The LAN is therefore less exposed to attacks and to congestion caused by Internet traffic.
One disadvantage is the configuration effort. Static routes must be configured in both firewall routers so that the incoming data packets of the connections can be delivered to the correct hosts in the LAN.

DMZ with a three-port router solution

An alternative to the two-router solution is a three-port router. Such a router is configured with one WAN side and two LAN ports. One LAN port is used as the actual LAN port. The second LAN port is configured as the DMZ; behind it sits the part of the local network that should be reachable from outside.

DMZ with exposed host (DMZ host)

The configuration effort for a DMZ can be considerable. An alternative is a special DMZ host in the LAN. In many simple routers this is called a "DMZ". It is not a real demilitarized zone, however, but an "exposed host" that receives all incoming data packets for which no outgoing connection is known.

The configuration defines a default recipient in the router for such packets. There are two approaches to this. The good solution forwards packets to the DMZ host (exposed host) only if a fixed NAT rule (port forwarding or DNAT) has been configured for them. If not, the data packet is discarded.

The bad solution forwards every externally initiated connection to the DMZ host. This can flood the DMZ host with data packets and lead to a failure of, or even an intrusion into, that system.
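The following model, added here and not part of the original article, shows the router's inbound decision described above: the stateful check for replies to connections opened from inside, fixed DNAT rules for individual ports, and the two exposed-host policies (drop unmapped packets versus forward everything). All addresses and ports are constructed for the example.

```python
from dataclasses import dataclass

# Constructed addresses for the model (not from the article).
WAN_IP, DMZ_HOST, LAN_PC = "203.0.113.10", "192.168.2.10", "192.168.1.20"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class DmzRouter:
    """Model of a router's inbound decision: stateful check, fixed
    DNAT (port forwarding) rules, and the 'exposed host' fallback."""

    def __init__(self, dnat_rules, exposed_host=None):
        self.dnat_rules = dnat_rules      # {wan_port: internal_ip}
        self.exposed_host = exposed_host  # None = good (strict) solution
        self.state = {}                   # (remote_ip, remote_port, wan_port) -> lan_ip

    def outbound(self, pkt):
        # Connection opened from inside: remember the remote endpoint and the
        # source port (kept unchanged by the masquerade in this model).
        self.state[(pkt.dst, pkt.dport, pkt.sport)] = pkt.src

    def inbound(self, pkt):
        # 1. Reply to a connection the inside opened: accept it.
        key = (pkt.src, pkt.sport, pkt.dport)
        if pkt.dst == WAN_IP and key in self.state:
            return ("ACCEPT", self.state[key])
        # 2. Fixed NAT rule for this port: translate to the DMZ server.
        if pkt.dport in self.dnat_rules:
            return ("DNAT", self.dnat_rules[pkt.dport])
        # 3. Unsolicited and unmapped: the good solution discards it,
        #    the bad solution hands every such packet to the exposed host.
        if self.exposed_host:
            return ("DNAT", self.exposed_host)
        return ("DROP", None)


if __name__ == "__main__":
    good = DmzRouter({443: DMZ_HOST})
    bad = DmzRouter({443: DMZ_HOST}, exposed_host=DMZ_HOST)
    probe = Packet("198.51.100.7", 40000, WAN_IP, 22)  # unmapped port
    print("good router:", good.inbound(probe))           # ('DROP', None)
    print("bad router: ", bad.inbound(probe))            # ('DNAT', '192.168.2.10')
```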

Zero Trust

Zero Trust is a security concept in which all network traffic, regardless of its origin, is generally mistrusted. Part of the concept is that every access is subject to access control and every connection is subject to encryption.
