functioning of their operation. With the installation of some equipment and some time to configure, a VPN, in combination with a solid firewall and a DMZ, will increase productivity and profit, for less than the cost of a new car.
5.4 Setting up a demilitarized zone: A VPN alternative?
Not really an alternative in terms of technology, but a philosophical counterpart to a VPN is the demilitarized zone (DMZ). The purpose of both a DMZ and a VPN is to protect business data and resources from unauthorized access while granting outside users access to the functions they are allowed to use. A DMZ, unlike a VPN, is a network segment that acts as a bastion between the internal network, the firewall device, and the Internet. Historically, DMZs were created by layering firewall devices. With improvements in electronics and firmware, setting up a DMZ can be as easy as plugging a Category 5 (CAT5) Ethernet cable into an Ethernet port labeled "DMZ" on the firewall. Figure 5.2 is a representation of a typical firewall/DMZ arrangement. Depending on the configuration, a VPN may even be used to connect to a DMZ.
5.4.1 Uses
A DMZ is the right place for machines that must be reachable from the Internet when placing them on the internal network is too risky. The ports that must be opened for functions such as web and file serving are the most attacked and are hacker magnets; should a single machine on the internal network be compromised, the result is a hacking waterfall, and every other machine on that network is at risk or compromised in short order. A host in the DMZ, by contrast, can be compromised without handing the attacker a direct path to the internal LAN. FTP servers, file servers, web servers, and mail servers are therefore often placed in a DMZ.
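The filtering policy that makes a DMZ useful, as an added example that is not from the chapter: three zones (Internet, DMZ, internal LAN), with the Internet reaching only the services the DMZ publishes and nothing on the DMZ allowed to initiate connections into the internal LAN. The subnets, hosts, published ports and sample flows are constructed for the illustration.

```python
"""Three-zone filtering policy for a DMZ: Internet / DMZ / internal LAN.

Added example; subnets, hosts, published ports and sample flows are
constructed for illustration and are not from the chapter.
"""
import ipaddress

INTERNET, DMZ, LAN = "internet", "dmz", "lan"

# Constructed addressing in the spirit of Figure 5.2: two different private subnets.
ZONES = {
    DMZ: ipaddress.ip_network("192.168.0.0/24"),
    LAN: ipaddress.ip_network("10.0.0.0/24"),
}

# Services the DMZ publishes to the Internet (assumed hosts and ports).
PUBLISHED = {
    ipaddress.ip_address("192.168.0.10"): {80, 443},  # web server
    ipaddress.ip_address("192.168.0.11"): {25},       # mail server
}

# What a DMZ host may initiate outbound (assumed: SMTP relay, DNS, HTTP/S updates).
OUTBOUND_FROM_DMZ = {25, 53, 80, 443}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside both private subnets is Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return INTERNET


def allowed(src: str, dst: str, port: int) -> bool:
    """Decide whether a connection src -> dst:port passes the firewall pair."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return True  # same segment; the firewall is not in the path
    if (s, d) == (INTERNET, DMZ):
        # Only explicitly published services; everything else is dropped.
        return port in PUBLISHED.get(ipaddress.ip_address(dst), set())
    if (s, d) in {(LAN, DMZ), (LAN, INTERNET)}:
        return True  # inside users may manage DMZ hosts and browse out
    if (s, d) == (DMZ, INTERNET):
        return port in OUTBOUND_FROM_DMZ
    # INTERNET -> LAN and DMZ -> LAN: never. This is the rule that stops a
    # compromised DMZ host from becoming the "waterfall" into the internal LAN.
    return False


# Constructed sample flows: (source, destination, port).
SAMPLE_FLOWS = [
    ("198.51.100.20", "192.168.0.10", 443),  # visitor to the web server
    ("198.51.100.20", "192.168.0.10", 22),   # visitor to SSH on the web server
    ("198.51.100.20", "10.0.0.5", 445),      # Internet straight to an internal file share
    ("192.168.0.10", "10.0.0.5", 445),       # compromised web server pivoting inward
    ("10.0.0.5", "192.168.0.10", 22),        # administrator managing the web server
    ("192.168.0.11", "203.0.113.25", 25),    # mail server relaying outbound
]


def evaluate(flows=SAMPLE_FLOWS):
    """Return {(src, dst, port): decision} for each flow."""
    return {(s, d, p): allowed(s, d, p) for s, d, p in flows}


if __name__ == "__main__":
    for (s, d, p), ok in evaluate().items():
        print(f"{s:>15} -> {d:>15}:{p:<4} {'ALLOW' if ok else 'DROP'}")
```

The two flows that matter most are the third and fourth: the internal file share is unreachable both from the Internet and from the DMZ web server, so a break-in on the public host stays in the DMZ.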
5.4.2 Theory of operation
In its simplest terms, a DMZ is a separate network that sits between two "firewalls." It takes two filtering devices to make a DMZ because the DMZ is, by definition, the more exposed of the two networks: one device separates it from the Internet, and a second separates the internal network from it.
Figure 5.2 Simple demilitarized zone configuration. (Diagram, top to bottom: Internet, Internet router, DMZ area, firewall with WAN and LAN ports, internal LAN; the two private subnets shown are 10.0.0.x and 192.168.0.x.)
A good, clear definition of a DMZ is as follows:
The first of two networks, in series, with the first network separated from the Internet by a firewall or a router and the second network separated from the first by a firewall. Each network consists of a different subnet.
Most modern firewalls have a DMZ setting with which the firewall itself creates and controls the DMZ. There are still two filtering points at work here; in the case of a firewall with DMZ capabilities, the second device is simply built into the firewall appliance, and the firewall becomes a bidirectional bastion. Many administrators instead cordon off an area between the modem/router and the firewall; the DMZ is then a separate subnet that sits between the modem/router and the firewall. Figure 5.2 is configured in this manner. Port forwarding is configured at the router, and this can be done in a number of ways, many of which are manufacturer specific. For example, some SpeedStream models allow a DMZ to be configured on port 1 of the router's network interface ports. It may require technical assistance from the manufacturer, but here is the target checklist:
Router WAN: the external (public) IP address assigned by the ISP.
Router LAN IP: an address on the DMZ subnet.
DMZ subnet: 10.x.x.x, 172.[16-31].x.x, or 192.168.x.x (the RFC 1918 private ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, or a portion of one). These addresses are set aside for private use and are not routed on the public Internet.
DMZ computer gateways: the router LAN IP address.
Firewall WAN: an address on the DMZ subnet, with its gateway set to the router LAN IP as well.
Network Address Translation (NAT) on the router is enabled in this configuration. Configuring a DMZ with NAT turned off is considerably trickier and may involve setting up pinholes.
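The checklist above, together with the two-subnet definition from 5.4.2, turned into a sanity check for a planned router/DMZ/firewall layout. This is an added example, not from the chapter; the plan format and field names are assumptions, and the addresses are constructed (documentation ranges on the public side, RFC 1918 ranges on the private side).

```python
"""Sanity-check a router / DMZ / firewall addressing plan against the
chapter's checklist. Added example; the plan layout and addresses are
constructed for illustration.
"""
import ipaddress

# The private ranges the checklist allows for the DMZ subnet (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(net_or_ip) -> bool:
    """True if an address or subnet lies entirely inside an RFC 1918 range."""
    obj = ipaddress.ip_network(str(net_or_ip), strict=False)
    return any(obj.subnet_of(r) for r in RFC1918)


def check_dmz_plan(plan: dict) -> list:
    """Return a list of problems; an empty list means the plan matches the checklist."""
    problems = []
    dmz = ipaddress.ip_network(plan["dmz_subnet"])
    lan = ipaddress.ip_network(plan["internal_subnet"])
    router_wan = ipaddress.ip_address(plan["router_wan"])
    router_lan = ipaddress.ip_address(plan["router_lan"])
    fw_wan = ipaddress.ip_address(plan["firewall_wan"])
    fw_gw = ipaddress.ip_address(plan["firewall_gateway"])

    # DMZ subnet must be a private set-aside.
    if not is_rfc1918(dmz):
        problems.append("dmz_subnet is not an RFC 1918 private range")
    # Router WAN is the external address, so it should not be a private one.
    if is_rfc1918(router_wan):
        problems.append("router_wan is a private address, not the external IP")
    # Router LAN IP and firewall WAN both live on the DMZ subnet.
    if router_lan not in dmz:
        problems.append("router_lan is not inside dmz_subnet")
    if fw_wan not in dmz:
        problems.append("firewall_wan is not inside dmz_subnet")
    # Firewall's upstream gateway is the router LAN IP.
    if fw_gw != router_lan:
        problems.append("firewall_gateway must equal router_lan")
    # "Each network consists of a different subnet."
    if dmz.overlaps(lan):
        problems.append("dmz_subnet and internal_subnet overlap; each network needs its own subnet")
    # Every DMZ host sits on the DMZ subnet and defaults to the router LAN IP.
    for host, gw in plan["dmz_hosts"].items():
        if ipaddress.ip_address(host) not in dmz:
            problems.append(f"DMZ host {host} is outside dmz_subnet")
        if ipaddress.ip_address(gw) != router_lan:
            problems.append(f"DMZ host {host} gateway {gw} must be router_lan")
    return problems


# Constructed plan that follows the checklist (203.0.113.0/24 is a documentation range).
GOOD_PLAN = {
    "router_wan": "203.0.113.7",
    "router_lan": "192.168.0.1",
    "dmz_subnet": "192.168.0.0/24",
    "dmz_hosts": {"192.168.0.10": "192.168.0.1", "192.168.0.11": "192.168.0.1"},
    "firewall_wan": "192.168.0.2",
    "firewall_gateway": "192.168.0.1",
    "internal_subnet": "10.0.0.0/24",
}

# Constructed plan with three typical mistakes: the firewall and one DMZ host
# point at the firewall's own WAN address as gateway, and the internal LAN
# reuses part of the DMZ subnet.
BAD_PLAN = dict(
    GOOD_PLAN,
    dmz_hosts={"192.168.0.10": "192.168.0.1", "192.168.0.11": "192.168.0.2"},
    firewall_gateway="192.168.0.2",
    internal_subnet="192.168.0.0/25",
)


if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, "->", check_dmz_plan(plan) or "OK")
```

The overlap check is the one that catches the mistake that silently defeats the design: if the internal LAN shares the DMZ's address space, the "second firewall" has nothing to route between and traffic from a compromised DMZ host reaches internal machines directly.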