Old 06-25-2006, 02:37 AM   #1
RZKESP
LQ Newbie
 
Registered: Jun 2006
Posts: 17

Rep: Reputation: 0
What is the point of a DMZ?


Why?

Doesn't that make your servers hackable? I don't get it... I am setting up a network.

What type of servers would be best fitting for a DMZ (orange interface) setup?

How much of a security risk is it?

Why do people do a DMZ?

What kind of network needs a DMZ?

Someone please debrief me on the security of DMZ?


Thank you in advance.
 
Old 06-25-2006, 03:03 AM   #2
MS3FGX
LQ Guru
 
Registered: Jan 2004
Location: NJ, USA
Distribution: Slackware, Debian
Posts: 5,852

Rep: Reputation: 361
The concept of the DMZ is to separate publicly accessible machines (servers) from the internal network. The machines inside the DMZ have their own firewalls and protection.

The theory is, that if anyone breaks into your server, they will still be constrained in the confines of the DMZ, and not be able to access the client machines inside the LAN. This also allows the setup of different rules and policies for connections to and from the Internet by both client and server machines, independently.

For example, you could allow UDP to the DMZ for the servers to use, but block UDP from the clients.
 
Old 06-25-2006, 03:43 AM   #3
prozac
Member
 
Registered: Oct 2005
Location: Australia
Distribution: slackware 12.1
Posts: 753

Rep: Reputation: 32
The whole idea of setting up a DMZ is to implement different policies for different servers.

Not necessarily like you have been thinking. Yes, it's open to the public, but that does not mean it doesn't have protections like firewalls and such.

Think of it this way: if you didn't maintain a DMZ, your network firewall would have rules to accept any incoming connection to your publicly accessible (PA) server. On the other hand, this server may have unlimited access to your internal LAN servers and machines. Now if the PA server was compromised, your other machines inside the LAN would pretty much be at risk of being compromised. On the other hand, if you separate your PA servers and internal LAN with a DMZ and restrict the PA servers in the DMZ from accessing your LAN, then even if the PA servers are compromised, it would be much harder to get inside your LAN.

For the same reason described above.

DMZs are usually set up for networks that have some servers that should be made publicly available, like web servers etc.

The above is true AFAIK; maybe I am missing some facts. I am sure you can find them out yourself with a little more trying.
 
Old 06-25-2006, 03:45 AM   #4
RZKESP
LQ Newbie
 
Registered: Jun 2006
Posts: 17

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by MS3FGX
The concept of the DMZ is to separate publicly accessible machines (servers) from the internal network. The machines inside the DMZ have their own firewalls and protection.

The theory is, that if anyone breaks into your server, they will still be constrained in the confines of the DMZ, and not be able to access the client machines inside the LAN. This also allows the setup of different rules and policies for connections to and from the Internet by both client and server machines, independently.

For example, you could allow UDP to the DMZ for the servers to use, but block UDP from the clients.
I get it now!!

So on my 4 NIC IPCop router, I take the DMZ computers and put some sort of security system between them!

Okay, I see!
 
Old 06-25-2006, 04:54 PM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
here's a wikipedia entry that you might find useful:

http://en.wikipedia.org/wiki/Demilit...28computing%29

if possible, it's also smart to have host-based firewalls running on each server in the DMZ... this adds a layer of protection between the servers themselves (which the dedicated firewall can't do without additional zones) in case of a crack, or a worm infection or something like that...

another recommended thing to do, if possible, is have your DMZ configured so that it can't *initiate* any connections to the WAN/Internet (not just the LAN)... of course if you need a box on the DMZ to be able to, for example, send mail or something, you could add a rule allowing that particular box to do that... but generally speaking, you wanna keep things as tight as possible...

just my ...

Last edited by win32sux; 06-25-2006 at 04:57 PM.
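The three-zone policy the two replies above describe (MS3FGX's per-zone rules such as "allow UDP to the DMZ but block UDP from the clients", and win32sux's "the DMZ can't initiate connections to the WAN or LAN, except a named box allowed to send mail") can be written down as a first-match forward table and checked against sample flows. This is an added example, not code from the thread or from IPCop; the subnets, the mail host address and the port list are constructed assumptions.

```python
import ipaddress

# Constructed addressing for an IPCop-style firewall (assumption, not from the thread):
# GREEN is the internal LAN, ORANGE is the DMZ, anything else is RED (the Internet side).
ZONES = {
    "GREEN": ipaddress.ip_network("10.25.5.0/24"),
    "ORANGE": ipaddress.ip_network("10.25.10.0/24"),
}
MAIL_HOST = ipaddress.ip_address("10.25.10.25")  # the one DMZ box allowed to send mail

def zone_of(ip):
    """Map an address to its zone; unknown addresses are treated as RED."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "RED"

# Forwarding policy, first match wins, default DROP. Each rule is
# (src_zone, dst_zone, proto, dst_port, src_host, verdict); None means "any".
RULES = [
    ("ORANGE", "RED", "tcp", 25, MAIL_HOST, "ACCEPT"),  # only the mail host may send mail
    ("ORANGE", "RED", None, None, None, "DROP"),        # DMZ may not initiate to the WAN
    ("ORANGE", "GREEN", None, None, None, "DROP"),      # ...nor reach the LAN
    ("GREEN", "ORANGE", None, None, None, "ACCEPT"),    # LAN may manage the DMZ servers
    ("GREEN", "RED", "udp", None, None, "DROP"),        # block UDP from the clients
    ("GREEN", "RED", None, None, None, "ACCEPT"),       # clients may otherwise go out
    ("RED", "ORANGE", "tcp", 80, None, "ACCEPT"),       # public web server
    ("RED", "ORANGE", "tcp", 21, None, "ACCEPT"),       # public FTP server
    ("RED", "ORANGE", "udp", None, None, "ACCEPT"),     # UDP to the DMZ for the servers
]

def verdict(src, dst, proto, dport, established=False):
    """Decide whether a new (or, with established=True, a reply) packet is forwarded."""
    if established:
        return "ACCEPT"  # replies to an already accepted flow pass (stateful tracking)
    sz, dz, addr = zone_of(src), zone_of(dst), ipaddress.ip_address(src)
    if sz == dz:
        return "BYPASS"  # same segment: the zone firewall never sees it; host firewalls do
    for r_src, r_dst, r_proto, r_port, r_host, v in RULES:
        if (r_src == sz and r_dst == dz
                and r_proto in (None, proto)
                and r_port in (None, dport)
                and r_host in (None, addr)):
            return v
    return "DROP"

def blast_radius(compromised, targets, proto="tcp", dport=22):
    """Targets a compromised host could open a NEW connection to through the firewall."""
    return [t for t in targets if verdict(compromised, t, proto, dport) == "ACCEPT"]
```

The "BYPASS" verdict is why win32sux recommends host-based firewalls on each DMZ server: traffic between two ORANGE hosts never crosses the zone firewall.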
 
Old 06-26-2006, 11:13 AM   #6
RZKESP
LQ Newbie
 
Registered: Jun 2006
Posts: 17

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by win32sux
here's a wikipedia entry that you might find useful:

http://en.wikipedia.org/wiki/Demilit...28computing%29

if possible, it's also smart to have host-based firewalls running on each server in the DMZ... this adds a layer of protection between the servers themselves (which the dedicated firewall can't do without additional zones) in case of a crack, or a worm infection or something like that...

another recommended thing to do, if possible, is have your DMZ configured so that it can't *initiate* any connections to the WAN/Internet (not just the LAN)... of course if you need a box on the DMZ to be able to, for example, send mail or something, you could add a rule allowing that particular box to do that... but generally speaking, you wanna keep things as tight as possible...

just my ...
All I need is a VPN at the moment. I will enable VNC ports and a couple of others that will allow for a successful forwarding of the information.

Cool... I do have plans to set up an FTP for public usage, an email server once our parent company chops us off of their email system, a dynamic domain name server so that I can have a very "dynamic" homepage, and a host of other cool things as well.

I even plan to operate my camera system on the DMZ so that I can watch my employees from home.

My plan guys is to be able to work from home and be with my kids. I will do anything in the world for that. I created a now successful business... Instead of working for it, I want it to work for me! I recently purchased $300,000 worth of shares, and that makes me the sole owner and president of this company. I am no longer incorporated... I am now full shareholder, and all the profit belongs to me now.

Last edited by RZKESP; 06-26-2006 at 11:15 AM.
 
Old 06-26-2006, 11:22 AM   #7
RZKESP
LQ Newbie
 
Registered: Jun 2006
Posts: 17

Original Poster
Rep: Reputation: 0
Follow up post:

Basically, I am doing a CAD drawing of my network, down to EACH cable. This is so I can do a proper iptables setup and keep it consistent across the board. I will make it manageable via SNMPv3, and that will make life for me just a little bit better (it allows me to see all the activity in/out done by my employees).

My question is:
For the DMZ Host setup: IPCop will be granted the IP # 10.25.5.0, and that is the first computer my AdTran T1 modem touches. From there it will be orange as DMZ host... Do I set it to demilitarize the IP # of my firewall that protects my servers? The firewall's IP # that comes off of the orange NIC is 10.25.10.0, and it is what protects my valuable information... Do I set the DMZ Host to direct at that IP #?

Last edited by RZKESP; 06-26-2006 at 12:03 PM.