15.4. Using a DMZ

In the real world, the term demilitarized zone (DMZ) refers to an area with no military presence — typically one that stands between two territories that were previously at war. It's a buffer zone designed to keep both sides out of trouble. In its metaphorical networking sense, a DMZ is a portion of a network that stands between the safe and comfy local network and the big, scary public network. Outside users can easily access computers in your DMZ but are prevented from going beyond it to reach the rest of your network; incoming network access from the DMZ is blocked. Meanwhile, other computers on your network can access machines in the DMZ or on the outside with equal ease. Another way to describe a DMZ is to say that it's a portion of your network outside the firewall (or between the NAT router and the gateway).

If you must run publicly accessible servers of one kind or another on your network, using a DMZ is a good way to make sure the rest of your computers are afforded the protection of a firewall or NAT router. Putting such servers behind the firewall would require more effort (carefully fine-tuning and monitoring the firewall such that it allows legitimate users while blocking hacking attempts) and still result in lower security. Web servers, FTP servers, and local proxy servers (described ahead in this chapter) are examples of computers that might fit well in a DMZ. Whereas port forwarding essentially punches holes through a NAT configuration for traffic ...

Get Mac® Security Bible now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.