
Firewall Dmz A Secure Way To Provide Public Resources

By Author: Ki Grinsing

Hosting public resources such as Web servers inside the private network exposes that network to all kinds of internet threats, because we allow inbound internet traffic to reach into our private network. A secure way to provide public resources is to establish a security boundary: the firewall DMZ.

When we connect our private network to the untrusted network (the internet), we should control the flow of traffic in a secure manner by using a firewall device. With a firewall, all traffic is forced to pass through a single checkpoint where it is controlled, authenticated, filtered, and logged according to the policies set. In this way, we can significantly reduce, but not eliminate, the amount of unauthorized traffic reaching our internal network.

What should we do if we need to provide public resources, such as Web servers, that users on the internet can access in a secure way? Internet users should be able to access the public resources, but they must not be able to reach into our private or internal corporate networks. We need to configure our firewall to provide a perimeter network: a firewall with a DMZ (demilitarized zone).

A firewall DMZ (demilitarized zone) is a security network at the boundary between a corporate or private local area network (LAN) and the internet. A firewall DMZ must be used whenever you need to segment the network in order to host public resources such as Web servers. The perimeter network is designed to protect servers on the corporate network from attack by malicious users on the Internet.

If you need multiple network segments, you can deploy multiple DMZs with differing security policies (levels). For example, when you need to deploy a secured Web server with the SQL server on a different machine, you need to provide a segment for each of them: the Web server should be placed in DMZ1, while the SQL server should be placed on a different segment, DMZ2.

We should create policies so that traffic from internet users can reach only the Web server, which sits in the DMZ1 network. Internet users cannot access the SQL server, which sits in the DMZ2 network. However, the Web server in DMZ1 and the SQL server in DMZ2 can access each other. As a general practice, you should separate the SQL server from the Web server. You need to develop policies that meet the above security requirements and implement them in the firewall.

Implementation

The firewall DMZ can be implemented at the border of the corporate LAN, on a firewall that typically has three network interfaces:
1. The internet interface: this interface is exposed to the internet (the unsecured public network).
2. The private or intranet interface: this interface is connected to the corporate LAN, where you put your vulnerable servers.
3. The DMZ interface: this interface resides in the same public network, which can be easily accessed by public users from the internet. The public resources that typically reside in the firewall DMZ are proxy servers and Web servers.
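The DMZ1/DMZ2 policy and the interface layout described above can be written as a default-deny forwarding policy. The following nftables ruleset is an added example, not part of the original article; the interface names, addresses, Web ports and the rule for LAN-initiated traffic are assumptions chosen for illustration.

```nftables
# Added example: forwarding policy for a firewall with internet, LAN,
# DMZ1 and DMZ2 interfaces. All names and addresses below are constructed.
define WAN  = "eth0"        # internet interface
define LAN  = "eth1"        # private / intranet interface
define DMZ1 = "eth2"        # Web server segment
define DMZ2 = "eth3"        # SQL server segment
define WEB  = 192.0.2.10    # Web server in DMZ1 (documentation address)
define SQL  = 10.20.0.10    # SQL server in DMZ2

table inet perimeter {
    chain forward {
        # Default deny: a flow is forwarded only if a rule below accepts it
        type filter hook forward priority 0; policy drop;

        # Replies belonging to flows that were already accepted
        ct state established,related accept
        ct state invalid drop

        # Internet -> Web server in DMZ1, HTTP/HTTPS only
        iifname $WAN oifname $DMZ1 ip daddr $WEB tcp dport { 80, 443 } accept

        # Web server and SQL server can reach each other, and only each other
        # (narrow these to the database port where it is known)
        iifname $DMZ1 oifname $DMZ2 ip saddr $WEB ip daddr $SQL accept
        iifname $DMZ2 oifname $DMZ1 ip saddr $SQL ip daddr $WEB accept

        # Assumption: LAN hosts may open connections outward
        iifname $LAN oifname { $WAN, $DMZ1, $DMZ2 } accept

        # Internet -> DMZ2, internet -> LAN and DMZ -> LAN match no rule
        # above; count and log them before the drop policy applies
        counter log prefix "perimeter-drop: "
    }
}
```

Because no rule accepts traffic toward the LAN interface, a compromised Web server in DMZ1 can reach the SQL server but cannot open a connection into the corporate LAN.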

Home Wireless Router with DMZ Feature

Many popular home wireless routers on the market today, such as the Linksys WRT610N and the D-Link DIR-855, are equipped with a firewall DMZ feature. With the DMZ feature, you can configure a single computer to be exposed to the internet for a special-purpose service such as Internet gaming or video conferencing. DMZ hosting forwards all the ports at the same time to one PC.

Compared with the DMZ feature, the Port Forwarding feature is more secure because it opens only the ports you want to have opened, while DMZ hosting opens all the ports of one computer, exposing the computer to the Internet.

For example, with the WRT610N wireless router you can expose one PC or game console for online gaming. Configure the router by accessing its web-based utility and locating the Application - DMZ page, where you configure and enable the DMZ feature. The DMZ feature is disabled by default. Enable the DMZ feature, then select the IP address, or manually enter a specific IP address, of the computer on the Internet that will be allowed to access the PC in the network. You should also enter the IP or MAC address of the PC or game console that you want to be accessible from the internet.
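The difference between DMZ hosting and port forwarding is easiest to see as NAT rules. The following nftables fragment is an added example, not the router's own configuration; it assumes a Linux-based router, and the interface name, addresses and port are constructed placeholders.

```nftables
# Added example: DMZ hosting versus port forwarding as destination NAT.
# All values are constructed placeholders.
define WAN       = "eth0"          # internet interface
define CONSOLE   = 192.168.1.50    # PC / game console on the home network
define PEER      = 198.51.100.7    # internet source address allowed in
define GAME_PORT = 40000           # the one port the service needs

table ip home_router {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;

        # DMZ hosting: every unsolicited inbound connection, on every port,
        # is sent to one host (shown commented out for comparison)
        # iifname $WAN dnat to $CONSOLE

        # DMZ hosting restricted to a specific source IP address:
        # still all ports, but only for that one peer
        # iifname $WAN ip saddr $PEER dnat to $CONSOLE

        # Port forwarding: only the chosen port reaches the host
        iifname $WAN udp dport $GAME_PORT dnat to $CONSOLE
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        # From the internet, forward only what a DNAT rule above selected
        iifname $WAN ct status dnat accept
        # Connections opened from inside the home network
        iifname != $WAN accept
    }
    # Outbound masquerading is omitted to keep the fragment short.
}
```

With the port-forwarding rule, other services listening on the console stay unreachable from the internet; with either DMZ hosting rule, the host's own firewall is the only thing protecting them.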

By Ki Grinsing

Ki Grinsing graduated from ITS Technical college Surabaya and holds MCSE and CCNA certifications. He has many years of working experience in IT. For the complete article, please visit: Firewall DMZ and WAN technologies
