What does “DMZ” stand for? DMZ means Demilitarized Zone, but that actually means different things in different realms.
In the real world, a DMZ is a strip of land that serves as a point of demarcation between North and South Korea. In networking, a DMZ is a logically separated subnetwork that typically contains a network’s externally hosted, internet-facing services. So what exactly is a DMZ’s purpose? How does it protect you? And can you set one up on your router?
What Is the Purpose of a DMZ?
A DMZ acts as a shield between the untrusted internet and your internal network.
By isolating the most vulnerable, user-facing services such as email, web, and DNS servers inside their own logical subnetwork, the rest of the internal network or Local Area Network (LAN) can be protected in case of a compromise.
Hosts inside a DMZ have limited connectivity to the main internal network as they are placed behind an intervening firewall that controls the traffic flow between the two network points. However, some communication is allowed so the DMZ hosts can offer services to both the internal and external network.
The main premise behind a DMZ is to keep it accessible from the internet while leaving the rest of the internal LAN intact and inaccessible to the outside world. This added layer of security prevents threat actors from directly infiltrating your network.
What Services Are Added Inside a DMZ?
The easiest way to understand a DMZ configuration is to think of a router. Routers generally have two interfaces:
- Internal Interface: This is your non-internet-facing interface that has your private hosts.
- External Interface: This is the internet-facing interface that has your uplink and interaction with the outside world.
To implement a DMZ network, you simply add a third interface known as the DMZ. Any hosts that are accessible directly from the internet or require regular communication to the outside world are then connected through the DMZ interface.
The standard services that can be placed inside a DMZ include email servers, FTP servers, web servers, VoIP servers, and similar externally reachable services.
Careful consideration should be given to the general computer security policy of your organization and a resource analysis should be conducted before migrating services to a DMZ.
Can DMZ Be Implemented on a Home or Wireless Network?
You might have noticed that most home routers mention a “DMZ Host”. In the true sense of the word, this is not a real DMZ. A DMZ host on a home network is simply a host on the internal network that receives all unsolicited inbound traffic on every port, except the ports that have been explicitly forwarded to another device.
Most network experts caution against configuring a DMZ host on a home network. The DMZ host sits at the boundary between the internal and external networks, and it does not receive the same firewall protection that the other devices on the internal network enjoy.
Also, a home-based DMZ host still maintains the ability to connect to all hosts on the internal network which is not the case for commercial DMZ configurations where those connections are made through separating firewalls.
A DMZ host on an internal network can provide a false sense of security when in reality it is just a way of forwarding every port straight through to another firewall or NAT device.
Configuring a DMZ host on a home network is only necessary if certain applications require persistent inbound access from the internet. Though this can be achieved through port forwarding or by creating virtual servers, managing a large number of ports is sometimes impractical. In such cases, setting up a DMZ host is a logical solution.
The Single and Dual Firewall Model of a DMZ
DMZ setups can be made in different ways. The two most commonly used methods are known as the three-legged (single firewall) network, and a network with dual firewalls.
Depending on your requirements, you can opt for either of these architectures.
Three-Legged or Single Firewall Method
This model carries three interfaces. The first interface is the external network from the ISP to the firewall, the second is your internal network, and lastly, the third interface is the DMZ network which contains various servers.
The disadvantage of this setup is that the one firewall is a single point of failure for the entire network. If the firewall is compromised, the entire DMZ goes down with it. The firewall must also be able to handle all incoming and outgoing traffic for both the DMZ and the internal network.
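To make the difference between the two designs concrete, here is a small policy model, added as an example (it is not code from the original article): it encodes the three-legged firewall's zone rules described above and, for comparison, the home-router “DMZ host” behaviour from the previous section. Zone names, the published service ports, the host names and the single forwarded port are all assumptions constructed for the example.

```python
"""Constructed zone-policy model contrasting a real three-legged DMZ with
a home router's 'DMZ host'.  Zones: 'internet', 'dmz', 'lan'.
Ports and host names are assumptions, not taken from any real router."""

# Services the firewall publishes from the DMZ to the internet (assumed ports).
PUBLISHED_DMZ_PORTS = {80, 443, 25, 587, 53}

# Explicit port forwards on the home router (constructed sample): port -> LAN host.
HOME_FORWARDS = {3389: "desktop"}


def three_legged_allows(src_zone: str, dst_zone: str, dport: int) -> bool:
    """Does the single firewall permit a new flow from src_zone to dst_zone?"""
    if src_zone == "internet":
        # Only published DMZ services are reachable; the LAN is never reachable.
        return dst_zone == "dmz" and dport in PUBLISHED_DMZ_PORTS
    if src_zone == "dmz":
        # DMZ hosts may talk to the internet but may not initiate into the LAN,
        # which is what contains a compromised DMZ server.
        return dst_zone == "internet"
    if src_zone == "lan":
        # Internal hosts may reach both the DMZ and the internet.
        return dst_zone in ("dmz", "internet")
    return False


def home_dmz_host_allows(src: str, dst: str, dport: int) -> bool:
    """Same question for a home router whose DMZ host is named 'dmz-host'.

    Every unsolicited inbound port that is not explicitly forwarded lands on
    the DMZ host, and the DMZ host sits on the LAN itself, so nothing stops it
    from reaching other LAN hosts: the weaker behaviour the article warns about."""
    if src == "internet":
        forwarded_to = HOME_FORWARDS.get(dport)
        if forwarded_to is not None:
            return dst == forwarded_to   # an explicit forward wins
        return dst == "dmz-host"         # everything else is exposed on the DMZ host
    # dmz-host and the other LAN hosts share one subnet: no firewall between them.
    return True


def exposed_on_home_dmz_host(scan_ports) -> set:
    """Ports from a constructed inbound probe list that reach the DMZ host."""
    return {p for p in scan_ports if home_dmz_host_allows("internet", "dmz-host", p)}
```

Running the two evaluators over the same flows shows that a DMZ-to-LAN connection is refused in the three-legged model but passes unhindered with a home DMZ host.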
Dual Firewall Method
As the name implies, two firewalls are used to architect this setup, making it the more secure of the two methods. A front-end firewall is configured that allows traffic to pass to and from the DMZ only. The second or back-end firewall is configured to then pass traffic from the DMZ to the internal network.
Having an extra firewall slims down the chances of the entire network getting affected in case of a compromise.
This naturally comes with a higher price tag but does provide redundancy in case the active firewall fails. Some organizations also ensure that both firewalls are made by different vendors to create more obstructions for attackers looking to hack a network.
How To Set up a DMZ on Your Home Router
The easiest and quickest way of setting up a home-based DMZ network is by using the three-legged model. Each interface will be assigned as an internal network, DMZ network, and external network. Lastly, a four-port Ethernet card in the firewall will complete this setup.
The following steps will outline how to set up a DMZ on a home router. Note that these steps will be similar for most major routers like Linksys, Netgear, Belkin, and D-Link:
- Connect your computer to the router via the Ethernet cable.
- Go to your computer’s web browser and type in the IP address of your router in the address toolbar. Typically, a router’s address is 192.168.1.1. Hit the “Enter” or return key.
- You will see a request for inputting the administrator password. Enter your password that you created at the time of setting the router. The default password on many routers is “admin”.
- Select the “Security” tab located in the upper corner of your router’s web interface.
- Scroll to the bottom and select the drop-down box that is labeled “DMZ”. Now choose the enable menu option.
- Enter the IP address of the destination host. This can be a remote desktop computer, a web server, or any device that needs to be reachable from the internet. Note: the IP address you forward traffic to should be a static one, as a dynamically assigned IP address may change every time the computer is restarted.
- Select Save Settings and close the router console.
Safeguard Your Data and Configure a DMZ
Smart consumers always secure their routers and networks from intruders before accessing external networks. A DMZ can bring an added layer of security between your precious data and potential hackers.
At the very least, using a DMZ and utilizing simple tips to secure your routers can make it very hard for threat actors to penetrate your network. And the harder it is for attackers to reach your data, the better it is for you!