What is a DMZ, or the Basics of a DMZ?


The term 'DMZ' gets thrown around pretty lightly at times so I am 
going to do my best to explain the basics and clear up some 
misconceptions. 

First of all, the name comes from the term 'demilitarized zone', the 
hostile border strip between two countries (e.g. North and South Korea). 
In the computer world, a DMZ is a separate network that is more trusted 
than the Internet but less trusted than the internal LAN. In short, it 
is a buffer zone that separates the Internet from your private LAN. 
(Note: Microsoft calls this a 'Screened Subnet'.) Many SOHO router 
vendors have taken to using the term 'DMZ' as a way to sell their 
products. In fact, when those products set up a 'DMZ' they are simply 
bypassing their filters and NAT protection and forwarding all inbound 
traffic to a 'default host'. This should not be confused with a true 
DMZ. 

One way to create a DMZ is with a machine that has three NICs in it - 
one for the WAN connection, one for the DMZ network, and one for the 
internal network. This is one method of creating a DMZ, but it is not 
the preferred one, because it makes the security of all three networks 
depend on a single system. If the machine with those three NICs in it 
is compromised, so are your DMZ and your private network. Basically, 
you are allowing the Internet to 'touch' the very same machine that 
determines how secure your internal LAN is, and that is not a good 
thing. 

A better way to do this is with three separate networks. The way this is 
accomplished is with two 'firewall' devices - one on the border of your 
WAN, and one on the border of your internal network. Let us say that you 
have a broadband router and a Checkpoint firewall. You would put your 
router on your border (right behind your modem), and you connect the LAN 
side of that router to a hub or switch. To that hub or switch (your DMZ 
hub/switch) you use one of the ports to connect your bastion host/public 
server. This is the machine that is running the service that you want 
people to be able to connect to from the outside. This may be a website, 
an FTP server, or a multiplayer game like WCIII or Counterstrike. You 
want this machine to be hardened to some degree, meaning that it is all 
the way patched and is not running anything that is vulnerable (although 
the border device affords it some protection via NAT). As a general rule 
though, you want anything put in the DMZ to be resistant to attacks from 
the Internet since public access is the reason that you are putting it 
out there in the first place. 

Now, to that same switch you are going to attach another network cable 
that goes to your Checkpoint firewall. Your firewall (this is going to 
be the better of the two firewalls that you have, so if you have a 
Checkpoint and a Netgear you should use the Netgear on the border and 
the Checkpoint box on this one) is going to have two NICs in it - one 
for the DMZ side and one for the private LAN side. Connect the cable to 
the DMZ side of the internal firewall, and on the other side of the 
firewall (the private LAN side) you connect a cable to another 
hub/switch that all of your LAN computers will connect to. 

If that was confusing, think of it this way: 

------------ 
Internet to Modem 
Modem to Router 
Router to DMZ Hub/Switch 
DMZ Switch to WEB/FTP/Game Server 
...and... 
DMZ Switch to Firewall External NIC 
Firewall Internal NIC to Internal Hub/Switch 
Internal Hub/Switch to Internal Systems 
------------ 

What this does is allow you to completely segment your network in terms 
of trust. You can initiate connections to the DMZ and to the Internet, 
but neither of those two networks can initiate them to you. So unless 
you start a web or FTP session to your DMZ, no traffic from that network 
is allowed onto yours. The same goes for the Internet. This is 
accomplished via yet another layer of NAT and, more importantly, 
stateful packet inspection (SPI): the internal firewall only lets 
traffic back in from the DMZ or the Internet when it belongs to a 
connection that one of your internal systems started. Essentially, you 
are saying that you don't trust those two networks, and they are 
considered completely separate from your internal LAN. 

What does this get you? Why do it? Because if someone is able to 
compromise your web server (let's say it was IIS and it got rooted 
because it wasn't patched), they can't do much from the DMZ. You don't 
trust anything in it as far as you can throw it; so when they think that 
they just scored big by getting one machine so they can branch out to 
another, they are actually out of luck, because they are on an untrusted 
network that is outside of your real firewall. 

This is a DMZ. 

The power is further extended by the fact that you can use NAT on your 
border device to pass only the ports needed into your DMZ. So if you are 
only running a web server then you only pass TCP 80 to your DMZ machine 
running that daemon; all other connection requests are stopped dead at 
the border router/firewall. 
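To make the trust model described above concrete, here is an added example (not part of the original article) in Python that simulates the two devices: a border router that forwards only TCP 80 into the DMZ, and a stateful internal firewall that lets the LAN initiate connections outward but drops anything the DMZ or the Internet tries to start. The subnets, addresses, scanner and scenario names are all constructed for the example.

```python
"""Toy model of the two-firewall DMZ (added example, constructed addresses).

Trust order: internet < dmz < lan.  The border router NATs and forwards only
the ports you choose into the DMZ; the internal firewall is stateful and lets
the LAN start connections outward but never accepts a new connection from
the DMZ or the Internet.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DMZ_NET = ip_network("192.168.10.0/24")   # constructed DMZ subnet
LAN_NET = ip_network("192.168.20.0/24")   # constructed private LAN subnet
PUBLIC_IP = "203.0.113.5"                 # constructed WAN address (TEST-NET-3)
WEB_SERVER = "192.168.10.80"              # bastion host in the DMZ
LAN_PC = "192.168.20.15"                  # a workstation on the private LAN


def zone_of(addr: str) -> str:
    """Map an address to its trust zone; anything outside our subnets is Internet."""
    ip = ip_address(addr)
    if ip in DMZ_NET:
        return "dmz"
    if ip in LAN_NET:
        return "lan"
    return "internet"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    new: bool = True  # True for a connection attempt (TCP SYN), False afterwards


class StatefulFirewall:
    """Minimal stateful packet inspection (SPI).

    `policy` lists (from_zone, to_zone) pairs allowed to *initiate* a flow.
    Once a flow is accepted, packets in either direction pass; a packet that
    matches no known flow and is not a permitted new connection is dropped.
    """

    def __init__(self, policy):
        self.policy = set(policy)
        self.flows = set()  # accepted flows as (proto, src, sport, dst, dport)

    def filter(self, p: Packet) -> str:
        forward = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if forward in self.flows or reverse in self.flows:
            return "ACCEPT"  # reply or continuation of an established flow
        if p.new and (zone_of(p.src), zone_of(p.dst)) in self.policy:
            self.flows.add(forward)
            return "ACCEPT"
        return "DROP"


class BorderRouter:
    """NAT border device: forwards only the listed (proto, port) pairs inward."""

    def __init__(self, forwards):
        self.forwards = dict(forwards)  # {(proto, dport): DMZ address}

    def inbound(self, p: Packet):
        """Return (verdict, translated packet) for a packet from the Internet."""
        if p.dst != PUBLIC_IP:
            return "DROP", None
        inside = self.forwards.get((p.proto, p.dport))
        if inside is None:
            return "DROP", None  # unforwarded port: the scanner sees nothing
        return "ACCEPT", Packet(p.src, inside, p.sport, p.dport, p.proto, p.new)


def run_scenarios():
    """Walk a scanner's and a LAN user's traffic through both devices."""
    border = BorderRouter({("tcp", 80): WEB_SERVER})
    inner = StatefulFirewall([("lan", "dmz"), ("lan", "internet")])
    results = {}
    scanner = "198.51.100.7"  # constructed Internet address (TEST-NET-2)

    # 1. Scanner hits TCP 80 on the public IP: forwarded to the DMZ web server.
    v, fwd = border.inbound(Packet(scanner, PUBLIC_IP, 40001, 80))
    results["scan_80"] = (v, fwd.dst if fwd else None)
    # 2. Same scanner tries TCP 22: no forward rule, dropped at the border.
    results["scan_22"] = border.inbound(Packet(scanner, PUBLIC_IP, 40002, 22))[0]
    # 3. LAN user opens a web session to the DMZ server; the reply is let back in.
    results["lan_to_dmz"] = inner.filter(Packet(LAN_PC, WEB_SERVER, 51000, 80))
    results["dmz_reply"] = inner.filter(Packet(WEB_SERVER, LAN_PC, 80, 51000, new=False))
    # 4. Compromised web server tries to reach the LAN: no flow to ride on, dropped.
    results["dmz_to_lan"] = inner.filter(Packet(WEB_SERVER, LAN_PC, 33000, 445))
    results["dmz_ping_lan"] = inner.filter(Packet(WEB_SERVER, LAN_PC, 0, 0, proto="icmp"))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:13} {verdict}")
```

The model collapses a real firewall's connection tracking to a set of 5-tuples, which is enough to show the point of the article: the only packets the internal firewall ever lets in from the DMZ are replies to flows the LAN opened, so a rooted bastion host has nothing to connect to.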

------------ 

So, imagine someone is scanning you from the Internet when you have this 
configuration. They use whatever program and find port 80 open. Most 
amateur attackers would assume that you are running something on your 
public IP address, like you have your main browsing client sitting right 
on the Internet and it is running a web daemon. So, upon connecting to 
it and getting a web page, they then scurry to dig up their favorite 
HTTP exploit tool that someone else wrote. What they don't know is that 
they are connecting to a private IP in your DMZ. It has no real IP 
address as far as the Internet is concerned. If you don't pass that port 
at the border router then they won't see anything at all when they scan 
you. 

Now, if they run a working exploit and get root on your web server 
they are going to jump for joy; the thing is, they have little to 
celebrate about. All they have is a barebones server that has very 
little on it. They get no vital info, no browsing history, no personal 
information at all. In fact, all you have on there is maybe your web or 
FTP directory, which is safely backed up and saved on your internal 
network and/or on CD. So they ping around on your DMZ and find that 
there isn't anything there. (Your internal firewall doesn't even respond 
to ICMP and has no open ports, so they can't do much at all with it.) If 
they are smart they will do an ifconfig or ipconfig and find out they 
are on a private subnet, but this gains them nothing. 

It is important to mention here that using a switch in the DMZ is 
preferable to a hub, since on a hub a standard sniffer can be used to 
watch all traffic entering and exiting your WAN gateway. Normally, they 
could just use an ARP poisoning technique and sniff across the switch, 
but in this case they have no host to poison because your internal 
firewall won't pass the malicious ARP replies to the machines behind it. 
Anyway, from there the attacker will either leave or destroy the system, 
which is fine with you since you needed to redo that box anyway. 

Either way, you simply reinstall your DMZ machine and unzip your web or 
ftp info/data into the right place and BAM!, you've got a brand new DMZ 
system with no danger to your private network at any point during the 
process. 

Be sure to patch this time. :) 

Qur3shi.
Sharing the Knowledge because Knowledge is a Power !!!
