DMZ

OK now what I have in front of me is a fairly typical network setup.

This is my internal network and there's lots of switches and there's lots of
computers and printers and scanners and all kinds of stuff here.

I am too lazy to show you all that so I'm just using a little half circle to
represent that.

These guys are all connected to, in this particular example, a gateway router, and
this router is also a firewall in this situation.

And he goes out and is connected to the Internet.

This is not an uncommon setup that you'll see with a lot of networks out there now.

But I want to do something different this time.

What I want to do is I want to set up a minecraft server and I want to set up a web
server I want to have a Web site and I want to run all this myself.

Now to do that I need to do this in such a way that I can expose my Minecraft
server and my web server to the public Internet.

But at the same time protect my internal network.

Any time you have some number of computers that are exposed to the public Internet
that are separate from your private network we call that a DMZ or demilitarized
zone.

Now a DMZ can manifest in a lot of different ways, but I'm going to just give you a
couple of quick examples here.

So in this case here are my two servers.

Here's my web server and here's my Minecraft server, and this is a switch that they're
connected to.

So one way I could potentially do this (remember, this guy is also a router) is I
can set him up like this so that he's a stateful firewall in here.

And any unsolicited stuff coming from the Internet is going to be blocked from my
private network, but it'll all be redirected up to this part of the network.

Now this can be a separate network ID.

It usually is.

And this being a router and a firewall, we can set up an ACL that allows us to do
exactly that.

Now keep in mind when I say these are exposed to the public Internet I'm not saying
they're just wide open.

We do have some firewall features in here.


So this guy will be able to monitor for hacking-type situations, things like that,
but he does still allow everybody to work on my internal network.

So this is one potential way to do this.

But there's other ways to do it.

For example, if I wanted to do this job... (you get to play with blocks so much).

Now it's complicated.

So what we have here is a firewall setup where we have two firewalls with a DMZ in
the middle.

So what's taking place here is we have, exposed to the Internet, our own network ID
in here and then a separate network ID out here.

In this case everything that's coming from my internal network has to go through
both routers and these are both firewalls too.

So it goes through both of the firewalls.

This firewall right here is completely exposed to the real Internet, so we call him
a bastion host, because there's no protection in front of him out here.

He's the bastion host; he's the most hardened firewall that we have set up in our
network.

This guy's job is to protect the internal network like a normal firewall would.

So this is another potential setup for a DMZ.

Now if you have a little home SOHO router, a lot of times you'll see a little
setting there that says DMZ.

That's, I mean, technically it is a DMZ, but it's a really awful DMZ, because what
those little home routers are saying is you pick one IP address and anything that
comes unsolicited from the Internet goes straight to that one device.

So technically it is a DMZ, but it's a really, really terrible DMZ and not something
that you'd want to use.
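To make the two designs above concrete, here is an added toy model (example code, not from the original lecture or any vendor) of the single router/firewall with a stateful ACL and, beside it, the SOHO-router "DMZ host" setting. It covers both the ACL paragraph earlier and the home-router paragraph just above. The LAN and DMZ address ranges, the published services (web on 80/443, Minecraft on its default port 25565), the host 192.168.1.200 and all sample traffic are constructed assumptions; the rule that a DMZ host may not initiate connections into the LAN is also an assumption added here.

```python
"""Toy three-zone firewall model: Internet, DMZ (its own network ID) and LAN.
Constructed example; every address, port and host below is an assumption."""
import ipaddress
from dataclasses import dataclass

# Assumed addressing: the DMZ is a separate network ID from the internal LAN.
LAN = ipaddress.ip_network("192.168.1.0/24")
DMZ = ipaddress.ip_network("10.10.10.0/24")

# Assumed published services: web server on 80/443, Minecraft on 25565.
DMZ_SERVICES = {
    ("10.10.10.80", 80), ("10.10.10.80", 443),
    ("10.10.10.25", 25565),
}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def zone_of(ip: str) -> str:
    """Classify an address as lan, dmz or internet (anything else)."""
    addr = ipaddress.ip_address(ip)
    if addr in LAN:
        return "lan"
    if addr in DMZ:
        return "dmz"
    return "internet"


class StatefulDmzFirewall:
    """The single router/firewall design: unsolicited Internet traffic is admitted
    only to listed DMZ services; the LAN may initiate anywhere, and replies to
    flows it opened are tracked and allowed back in (the 'stateful' part)."""

    def __init__(self, services):
        self.services = set(services)
        self.flows = set()  # (src_ip, src_port, dst_ip, dst_port) of admitted flows

    def decide(self, pkt: Packet) -> str:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.flows:            # reply to a flow we already admitted
            return "ALLOW established"
        src, dst = zone_of(pkt.src_ip), zone_of(pkt.dst_ip)
        if src == "lan":                      # inside may initiate to DMZ or Internet
            self.flows.add(key)
            return "ALLOW lan-initiated"
        if src == "internet" and dst == "dmz" and (pkt.dst_ip, pkt.dst_port) in self.services:
            self.flows.add(key)               # only the published services are reachable
            return "ALLOW dmz-service"
        if src == "internet" and dst == "lan":
            return "DENY unsolicited-to-lan"  # the private network stays hidden
        if src == "dmz" and dst == "lan":
            return "DENY dmz-to-lan"          # assumption: a popped DMZ box can't reach inside
        return "DENY default"


class SohoDmzHost:
    """The home-router 'DMZ' setting: every unsolicited inbound packet, on any port,
    is forwarded to one LAN address. No separate network ID, no per-service filter."""

    def __init__(self, dmz_host: str):
        self.dmz_host = dmz_host

    def decide(self, pkt: Packet) -> str:
        if zone_of(pkt.src_ip) == "internet":
            return f"FORWARD to {self.dmz_host}:{pkt.dst_port}"
        return "ALLOW lan-initiated"


def run_samples():
    """Constructed traffic run through the stateful design; returns the decisions."""
    fw = StatefulDmzFirewall(DMZ_SERVICES)
    samples = [
        Packet("203.0.113.7", 51000, "10.10.10.80", 443),    # visitor -> web server
        Packet("203.0.113.7", 51001, "10.10.10.25", 25565),  # player -> Minecraft
        Packet("203.0.113.7", 51002, "10.10.10.80", 22),     # probe of an unpublished port
        Packet("203.0.113.7", 51003, "192.168.1.50", 445),   # unsolicited -> LAN
        Packet("192.168.1.50", 40000, "198.51.100.9", 80),   # LAN browsing out
        Packet("198.51.100.9", 80, "192.168.1.50", 40000),   # the reply coming back
        Packet("10.10.10.80", 33000, "192.168.1.50", 445),   # DMZ host reaching into LAN
    ]
    return [fw.decide(p) for p in samples]


if __name__ == "__main__":
    for decision in run_samples():
        print(decision)
    soho = SohoDmzHost("192.168.1.200")
    print(soho.decide(Packet("203.0.113.7", 51003, "203.0.113.1", 445)))
```

The same port-445 probe that the stateful design denies outright is, under the SOHO setting, handed straight to the designated host on the same network as everything else, which is exactly why the lecture calls it a terrible DMZ.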

All right so we've got a DMZ set up that looks something like this.

Now I really want to protect these two servers here and what I want to do is watch
for bad guys and be able to track stuff.

So one of the interesting things we could do, if we wanted to, is we can add another
device in here, and with this device we can use the firewall or something and set it
up in such a way that this device isn't really as protected as our real stuff.

And here we actually install software that's designed to emulate, for example, a web
server.

But the idea here is that we want bad guys to attack this guy.

So we call this fella a honeypot. Honeypots are used for research; honeypots are
used so that if a bad guy gets through here, we get him here first, so we can stop
potential attacks.

And they're powerful tools; we use honeypots all the time.
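As an added illustration of the "software that emulates a web server" idea (example code, not from the lecture or any honeypot project), here is a minimal decoy request handler: it answers any HTTP request with a canned page and records who asked for what, which is the research and early-warning value the paragraph describes. The fake `Server` banner, the decoy page, and the sample requests are constructed; a real deployment would wrap `handle_request` in a socket listener placed in the DMZ, which is left out here.

```python
"""Decoy web-server logic for a honeypot: respond plausibly, log everything.
Constructed example; banner, page body and sample requests are assumptions."""
from collections import Counter

# Constructed decoy banner and body; chosen to look like an ordinary web server.
DECOY_BANNER = b"Server: Apache/2.4 (constructed decoy)"
DECOY_BODY = b"<html><body><h1>It works!</h1></body></html>"


def handle_request(raw: bytes, src_ip: str):
    """Parse one raw HTTP request, return (response bytes, log record).
    Malformed requests are still answered and still logged; the honeypot
    never refuses a visitor, because the visit itself is the signal."""
    text = raw.decode("latin-1", errors="replace")
    lines = text.split("\r\n")
    parts = lines[0].split(" ") if lines else []
    method, path = (parts[0], parts[1]) if len(parts) >= 2 else ("?", "?")
    headers = {}
    for line in lines[1:]:
        if not line:              # blank line ends the header block
            break
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    record = {
        "src": src_ip,
        "method": method,
        "path": path,
        "user_agent": headers.get("user-agent", ""),
    }
    response = (
        b"HTTP/1.1 200 OK\r\n" + DECOY_BANNER + b"\r\n"
        b"Content-Type: text/html\r\n"
        b"Content-Length: " + str(len(DECOY_BODY)).encode() + b"\r\n"
        b"Connection: close\r\n\r\n" + DECOY_BODY
    )
    return response, record


class Honeypot:
    """Collects records from handle_request and summarises activity per source."""

    def __init__(self):
        self.records = []

    def serve(self, raw: bytes, src_ip: str) -> bytes:
        response, record = handle_request(raw, src_ip)
        self.records.append(record)
        return response

    def summary(self):
        """Hits per source IP and the distinct paths each one touched."""
        hits = Counter(r["src"] for r in self.records)
        paths = {}
        for r in self.records:
            paths.setdefault(r["src"], set()).add(r["path"])
        return {ip: {"hits": hits[ip], "paths": sorted(paths[ip])} for ip in hits}


def run_samples():
    """Constructed visits: one ordinary page fetch, two probes from the same source."""
    hp = Honeypot()
    hp.serve(b"GET / HTTP/1.1\r\nHost: www.example\r\nUser-Agent: curl/8.0\r\n\r\n", "203.0.113.7")
    hp.serve(b"GET /admin HTTP/1.1\r\nHost: www.example\r\n\r\n", "198.51.100.23")
    hp.serve(b"GET /wp-login.php HTTP/1.1\r\nHost: www.example\r\n\r\n", "198.51.100.23")
    hp.serve(b"\x16\x03\x01garbage", "198.51.100.23")   # not HTTP at all; still logged
    return hp


if __name__ == "__main__":
    for ip, info in run_samples().summary().items():
        print(ip, info)
```

Because every visitor, well-formed or not, gets the same harmless page while the record goes to the log, the box serves as the tripwire the lecture describes: nothing legitimate should ever talk to it, so each entry is worth a look.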

The next step from a honeypot is actually called a honeynet, and (I'm tired of
blocks) I could actually put another whole network on here.

That's a little bit easier to get through than my main network, and it does the same
job: it's designed to monitor and capture bad guys, and we would call that a
honeynet.

So keep in mind there's a lot of ways to DMZ; make sure you're comfortable with the
ones I've shown.

A DMZ is an area of network that hosts public-facing servers

Servers in the DMZ are still protected by a firewall

A bastion host is any machine directly exposed to the public internet
