Hosts in the DMZ have limited connectivity to specific hosts in the internal network, while
communication with other hosts in the DMZ and with the external network is allowed. This lets
hosts in the DMZ provide services to both the internal and the external network, with an
intervening firewall controlling the traffic between the DMZ servers and the internal network
clients.
A DMZ configuration provides protection against attacks that arrive from the external network,
but it has no bearing on attacks carried out from inside, such as sniffing communication with a
packet analyzer or spoofing (e-mail spoofing, for example).
Services commonly placed in a DMZ include:
• web servers
• mail servers
• FTP servers
• VoIP servers
• DNS servers
IP Addressing Scheme
A DMZ can use either public or private IP addresses, depending on its architecture and firewall
configuration. If you use public addresses, you'll usually need to subnet the IP address block that
your ISP has assigned to you, so that you have two separate network IDs. One network ID is
used for the external interface of your firewall and the other is used for the DMZ network.
When you subnet your IP address block, you must configure the router on the ISP side of the
firewall with a route to the DMZ subnet, since it only knows the block as a whole; the next hop for
that route is the firewall's external interface.
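The split described above, worked through as an added example (this is not code from the original text). It uses Python's standard ipaddress module to divide one ISP-assigned block into an outside subnet (ISP router and firewall external interface) and a DMZ subnet, and produces the static route the ISP-side router needs. The block 203.0.113.0/28 is a constructed input from the documentation range, and the address assignment order (router first usable, firewall second) and the IOS-style route syntax are this example's own choices.

```python
import ipaddress


def plan_dmz_addressing(isp_block):
    """Split an ISP-assigned block into two subnets for a single-firewall DMZ.

    The first half carries the link between the ISP router and the firewall's
    external interface; the second half is the DMZ network. Returns the
    subnets, the interface addresses, the usable DMZ server range and the
    static route the ISP-side router needs to reach the DMZ through the
    firewall.
    """
    block = ipaddress.ip_network(isp_block, strict=True)
    if block.prefixlen >= 30:
        raise ValueError("block too small to split into two usable subnets")
    # Halve the block: the prefix length grows by one.
    outside_net, dmz_net = list(block.subnets(prefixlen_diff=1))

    outside_hosts = list(outside_net.hosts())
    dmz_hosts = list(dmz_net.hosts())

    router_ip = outside_hosts[0]        # ISP router (assumed: first usable)
    fw_external_ip = outside_hosts[1]   # firewall external interface
    fw_dmz_ip = dmz_hosts[0]            # firewall DMZ interface, gateway for DMZ hosts
    dmz_server_ips = dmz_hosts[1:]      # what is left for the DMZ servers

    return {
        "outside_subnet": outside_net,
        "dmz_subnet": dmz_net,
        "router_ip": router_ip,
        "firewall_external_ip": fw_external_ip,
        "firewall_dmz_ip": fw_dmz_ip,
        "dmz_server_ips": dmz_server_ips,
        # The router must learn that the DMZ subnet sits behind the firewall's
        # external address. Expressed in IOS-style syntax (an assumption).
        "router_static_route": "ip route {} {} {}".format(
            dmz_net.network_address, dmz_net.netmask, fw_external_ip),
    }


def check_plan(plan):
    """Checks a practitioner would run before configuring anything: the two
    subnets do not overlap, every interface address sits in its own subnet,
    and the DMZ leaves room for at least one server."""
    assert not plan["outside_subnet"].overlaps(plan["dmz_subnet"])
    assert plan["router_ip"] in plan["outside_subnet"]
    assert plan["firewall_external_ip"] in plan["outside_subnet"]
    assert plan["firewall_dmz_ip"] in plan["dmz_subnet"]
    assert len(plan["dmz_server_ips"]) >= 1
    return True


if __name__ == "__main__":
    # Constructed input: a /28 from the TEST-NET-3 documentation range.
    plan = plan_dmz_addressing("203.0.113.0/28")
    check_plan(plan)
    for key, value in plan.items():
        print(f"{key}: {value}")
```

A /28 yields two /29s with six usable addresses each; after the router and the two firewall interfaces are accounted for, five addresses remain for DMZ servers, which is why small public blocks push people toward private DMZ addressing with NAT instead.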
You can create a DMZ within the same network ID that you use for your internal network by
using Virtual LAN (VLAN) tagging. This is a method of partitioning traffic that shares a common
switch by creating virtual local area networks, as described in IEEE standard 802.1Q. The
specification defines a standard way of tagging Ethernet frames with information about VLAN
membership.
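To make the tag concrete, here is an added example (not from the original text) that builds and parses 802.1Q-tagged Ethernet frames in Python. The tag is four bytes inserted after the source MAC: the TPID 0x8100 announces the tag, and the TCI carries the 3-bit priority (PCP), the drop-eligible bit (DEI) and the 12-bit VLAN ID. The MAC addresses and payloads are constructed; the function names are this example's own.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag


def mac_bytes(mac):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes(int(part, 16) for part in mac.split(":"))


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_tagged_frame(dst_mac, src_mac, vid, ethertype, payload, pcp=0, dei=0):
    """Build an Ethernet frame carrying an 802.1Q tag.

    Layout: dst(6) src(6) TPID(2)=0x8100 TCI(2) EtherType(2) payload.
    VID 0 (priority-only frame) and 4095 are reserved and rejected here.
    """
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP must be 0..7 and DEI 0 or 1")
    tci = (pcp << 13) | (dei << 12) | vid
    header = mac_bytes(dst_mac) + mac_bytes(src_mac)
    header += struct.pack("!HHH", TPID_8021Q, tci, ethertype)
    return header + payload


def build_untagged_frame(dst_mac, src_mac, ethertype, payload):
    """Plain Ethernet II frame with no VLAN tag, for comparison."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return the header fields; 'vid' is None when the frame carries no tag."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"dst": fmt_mac(dst), "src": fmt_mac(src), "vid": None, "pcp": None, "dei": None}
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        info.update(vid=tci & 0x0FFF, pcp=tci >> 13, dei=(tci >> 12) & 1)
        ethertype, payload = inner_type, frame[18:]
    else:
        payload = frame[14:]
    info["ethertype"] = ethertype
    info["payload"] = payload
    return info


if __name__ == "__main__":
    # Constructed frame: an IPv4 packet start on VLAN 30 with priority 5.
    f = build_tagged_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", 30, 0x0800, b"\x45\x00", pcp=5)
    print(parse_frame(f))
```

The point to keep in mind is that the tag is nothing more than those four bytes: the separation between a DMZ VLAN and the internal VLAN is only as strong as the switch configuration that decides which ports may send and receive which VIDs, so the ports facing DMZ hosts should be locked to their one VLAN rather than left as trunks.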
If you use private IP addresses for the DMZ, you'll need a Network Address Translation (NAT)
device to translate the private addresses to a public address at the Internet edge. Some firewalls
provide address translation.
DMZ Models:
When you use a single firewall to create a DMZ, it's called a trihomed DMZ. That's because the
firewall computer or appliance has interfaces to three separate networks:
• the external network (the Internet)
• the DMZ
• the internal network
Port Mapping is an advanced WinRoute feature that allows servers to be hosted securely behind
NAT. Internet servers listen on well-known ports for unsolicited connections; in other words, the
server does not know in advance where a connection may come from. Examples of well-known
ports include HTTP (TCP port 80), SMTP (TCP port 25) and Telnet (TCP port 23). NAT on its own
drops unsolicited inbound connections, because it has no translation entry for them, so if these
services should be reachable from the Internet, port mapping must be used to make exceptions
for them by redirecting those inbound connections to the appropriate local server.
Purpose
Port forwarding allows remote computers, for example computers on the Internet, to connect to
a specific computer or service within a private local area network (LAN).
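An added example (not from the original text and not WinRoute's implementation) that models the NAT behaviour the two paragraphs above describe: outbound connections from the private DMZ are source-translated to the one public address and tracked, inbound packets are accepted only when they match a tracked connection or an explicit port mapping, and everything else unsolicited is dropped. The addresses, ports and the Packet type are constructed for the example.

```python
import itertools
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """A single public address in front of a privately addressed DMZ.

    Outbound packets have their source rewritten to the public address and the
    connection is recorded so replies can be mapped back. Inbound packets are
    translated only if they match a recorded connection or an explicit port
    mapping; any other unsolicited inbound packet is dropped, which is exactly
    why published servers need a mapping at all.
    """

    def __init__(self, public_ip, port_map=None):
        self.public_ip = public_ip
        # (proto, public_port) -> (private_ip, private_port), the port mappings
        self.port_map = dict(port_map or {})
        # (proto, public_port) -> (private_ip, private_port), tracked outbound flows
        self.conntrack = {}
        self._ports = itertools.count(40000)   # pool of translated source ports

    def add_mapping(self, proto, public_port, private_ip, private_port):
        """Publish one internal service; public and private ports may differ."""
        self.port_map[(proto, public_port)] = (private_ip, private_port)

    def outbound(self, pkt):
        """Private -> Internet: rewrite the source to the public address."""
        public_port = next(self._ports)
        self.conntrack[(pkt.proto, public_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=public_port)

    def inbound(self, pkt):
        """Internet -> private: return the rewritten packet, or None to drop."""
        if pkt.dst_ip != self.public_ip:
            return None   # not addressed to us (private addresses are not routable anyway)
        key = (pkt.proto, pkt.dst_port)
        target = self.conntrack.get(key) or self.port_map.get(key)
        if target is None:
            return None   # unsolicited and unmapped: dropped
        private_ip, private_port = target
        return replace(pkt, dst_ip=private_ip, dst_port=private_port)


if __name__ == "__main__":
    # Constructed setup: public 203.0.113.2, web and mail servers on private addresses.
    nat = Nat("203.0.113.2", {("tcp", 80): ("192.168.10.10", 80)})
    nat.add_mapping("tcp", 25, "192.168.10.20", 25)
    print(nat.inbound(Packet("tcp", "198.51.100.7", 51515, "203.0.113.2", 80)))
    print(nat.inbound(Packet("tcp", "198.51.100.7", 51516, "203.0.113.2", 22)))
```

The mapping table is the entire exposure of the private network to the Internet, so it deserves the same review as a firewall rule list: every entry is a service that untrusted clients can reach, and an entry that points at an internal host instead of a DMZ host quietly undoes the DMZ.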
There is also reverse port forwarding, also known as reverse port tunneling. It consists of two
components: a session server and a session client. The session server listens on a session port;
the session client, which runs on the network that cannot accept inbound connections, connects
out to that session port and keeps the session open. The session server also listens on the port
that is to be forwarded. When a connection arrives on that port, it is relayed over the established
session to the session client, which in turn connects it to the destination reachable from its own
side of the network. This is used when access is needed to a port behind a router or firewall that
does not allow such inbound access: because the inside host initiates the session outbound, the
router or firewall sees only an outgoing connection. Note that this deliberately bypasses the
inbound policy of that router or firewall, so it should only be set up with the network owner's
approval.
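The mechanism just described, as an added example that is not part of the original text and not the protocol of any real tunneling tool: a session server, a session client and a stand-in destination service all run on localhost so the exchange can be watched end to end. The framing is this example's own and deliberately minimal (a 4-byte CTRL/DATA header on connections to the session port, a one-byte notice per forwarded connection) and it has no authentication or encryption, which a real deployment would need, since anyone able to reach the session port could otherwise register as the inside end.

```python
import socket
import threading

HOST = "127.0.0.1"   # all three parts run locally here; in practice the session
                     # server sits on a host the inside network can reach


def listen():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((HOST, 0))           # port 0: let the OS pick a free port
    s.listen(5)
    return s


def recv_exact(sock, n):
    """Read exactly n bytes, or return None on EOF."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf


def pump(src, dst):
    """Copy src -> dst until src hits EOF, then half-close dst so EOF propagates."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay(a, b):
    """Bidirectional copy between two sockets; closes both when both directions end."""
    threads = [threading.Thread(target=pump, args=pair, daemon=True) for pair in ((a, b), (b, a))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    a.close()
    b.close()


class SessionServer:
    """Outside end: accepts the session client on the session port and remote
    users on the forwarded port, then pairs each remote user with a data channel."""

    def __init__(self):
        self.session_sock, self.forward_sock = listen(), listen()
        self.session_port = self.session_sock.getsockname()[1]
        self.forward_port = self.forward_sock.getsockname()[1]
        self.control, self.pending, self.lock = None, [], threading.Lock()
        self.ready = threading.Event()   # set once the session client has connected
        threading.Thread(target=self._accept_session, daemon=True).start()
        threading.Thread(target=self._accept_forward, daemon=True).start()

    def _accept_session(self):
        while True:
            conn, _ = self.session_sock.accept()
            kind = recv_exact(conn, 4)
            if kind == b"CTRL":          # the session client's long-lived control connection
                self.control = conn
                self.ready.set()
            elif kind == b"DATA":        # a data channel opened for one waiting remote user
                with self.lock:
                    remote = self.pending.pop(0) if self.pending else None
                if remote is None:
                    conn.close()
                else:
                    threading.Thread(target=relay, args=(remote, conn), daemon=True).start()
            else:
                conn.close()

    def _accept_forward(self):
        while True:
            remote, _ = self.forward_sock.accept()
            if not self.ready.is_set():
                remote.close()           # nobody inside to hand this connection to yet
                continue
            with self.lock:
                self.pending.append(remote)
            self.control.sendall(b"N")   # notice: open one data channel for this user


class SessionClient:
    """Inside end: connects out to the session server and, for every notice,
    opens a data channel and bridges it to the destination on its own side."""

    def __init__(self, session_port, dest_port):
        self.session_port, self.dest_port = session_port, dest_port
        self.control = socket.create_connection((HOST, session_port))
        self.control.sendall(b"CTRL")
        threading.Thread(target=self._run, daemon=True).start()

    def _run(self):
        while recv_exact(self.control, 1) == b"N":
            data = socket.create_connection((HOST, self.session_port))
            data.sendall(b"DATA")
            target = socket.create_connection((HOST, self.dest_port))
            threading.Thread(target=relay, args=(data, target), daemon=True).start()


def start_echo_service():
    """Stand-in for the service behind the firewall: echoes back what it receives."""
    srv = listen()

    def serve():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=lambda c=conn: (pump(c, c), c.close()), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo(message=b"hello through the reverse tunnel"):
    """Bring up all three parts, send a message into the forwarded port and
    return what comes back (the echo, if the tunnel works)."""
    dest_port = start_echo_service()
    server = SessionServer()
    SessionClient(server.session_port, dest_port)
    if not server.ready.wait(5):
        raise RuntimeError("session client never connected")
    remote = socket.create_connection((HOST, server.forward_port), timeout=5)
    remote.sendall(message)
    remote.shutdown(socket.SHUT_WR)
    reply = b""
    while True:
        chunk = remote.recv(4096)
        if not chunk:
            break
        reply += chunk
    remote.close()
    return reply


if __name__ == "__main__":
    print(demo())
```

Reading the flow from the firewall's point of view is the whole lesson: the only connections that cross the boundary are the ones SessionClient opens outbound (the control connection and one data channel per remote user), so a policy that permits outbound traffic is enough for the inside service to become reachable from the Internet through the forwarded port.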