Re: DMZ When to use
From: Wolfgang Kueter (wolfgang@shconnect.de) Date: 07/05/02
- Next message: Tore Lund: "Re: DMZ When to use"
- Previous message: : "Using ICQ??"
- In reply to: Duane Arnold: "Re: DMZ When to use"
- Next in thread: : "Re: DMZ When to use"
- Reply: : "Re: DMZ When to use"
- Reply: Duane Arnold: "Re: DMZ When to use"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Wolfgang Kueter <wolfgang@shconnect.de> Date: Fri, 5 Jul 2002 12:50:56 +0000 (UTC)
Duane Arnold <darnold92@insightbb.com> wrote:
> DMZ is a feature that a router uses, but I guess it could be used on a Linux
> firewall box too.
DMZ stands for 'DeMilitarized Zone'; it has nothing to do with routers
but is a classic architecture and the place for public servers and/or
proxies when connecting a trusted network to an untrusted network.
You might like to read a good book about firewalls:
Building Internet Firewalls, 2nd Edition
By Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman
2nd Edition June 2000
1-56592-871-7, Order Number: 8717
http://safari.oreilly.com/main.asp?bookname=fire2&snode=69
> I have not used Linux yet.
It has nothing to do with Linux, it is a question about firewall architecture
and therefore is platform independent.
> In the router example, using
> DMZ for a machine that is connected to the router only exposes that one
> machine or IP address, if you will, to the Internet.
This is usually called network address translation (NAT), or to be more
precise PAT.
> The other machines are still behind the router's firewall.
'The router's firewall', what a phrase. Usually the router will do
packet filtering and deny connection attempts from the outside to the
hosts behind it. Besides that, the use of RFC 1918 addresses for the
machines in the trusted network makes them unreachable from the outside.
> If some how you had connected ten other
> machines to that one machine that was using DMZ, they would be exposed to
> the Internet too.
This depends only on the ruleset of the packet-filter.
> Looks to me like you should get a router. Getting a router eliminates the
> need to ICS between machines. All the machines connected to the router would
> be able to use the single IP provided by the ISP.
And still a DMZ can be set up with portforwarding to certain machines
within the DMZ. This setup is not very common but possible.
> I'm wondering why you are not using Remote Desktop Sharing of
> NetMeeting, which comes with the MS operating system, to control a
> machine remotely instead of RDP. It's much simpler and works great.
> NetMeeting is what I use to access the desktop of any machine on my
> network and control that computer remotely.
The H.323 protocol that NetMeeting uses is almost impossible to control by
firewalls (packet-filter, application level gateways, whatever). Never
use NetMeeting over firewalls.
> 'Trusted IP' for all my machines behind the router, since the router uses
> DHCP and assigns the same IP to a machine. That way I don't have to get into
> opening a specific port to use NetMeeting on any machine connected to the
> router.
Instead almost anything is opened automatically, since NetMeeting uses a
lot of random ports.
Read a good book about H.323 and think again whether you want to allow
that.
http://www.google.de/search?q=H.323+Protocol+Ports&ie=UTF-8&oe=UTF-8&hl=de&btnG=Google-Suche&meta=
might get you an idea ...
Wolfgang
--
A foreign body and a foreign mind, never welcome in the land of the blind.
Peter Gabriel, Not one of us, 1980
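The architecture Wolfgang describes (a DMZ segment for public servers, the trusted LAN on RFC 1918 addresses, one inbound port forwarded by PAT to a DMZ host, and everything else decided purely by the packet-filter ruleset) can be written down as a netfilter policy. The script below is an added example, not code from the thread or from either poster. The interface names, address ranges and the web server address are assumptions chosen for illustration. It runs in dry-run mode by default, printing the iptables commands it would apply, so it can be read and checked without root.

```shell
#!/bin/sh
# Three-interface DMZ on a Linux packet filter (added example; every name and
# address below is an assumption for illustration, not taken from the thread).
#   eth0 = untrusted side (Internet), eth1 = DMZ, eth2 = trusted LAN
# Dry run by default: echoes the iptables commands. Apply for real with
#   IPT=/sbin/iptables sh dmz.sh        (net.ipv4.ip_forward=1 is also required)
IPT="${IPT:-echo iptables}"

WAN_IF=eth0
DMZ_IF=eth1
LAN_IF=eth2
DMZ_NET=192.168.10.0/24      # assumed RFC 1918 range for the DMZ
LAN_NET=192.168.20.0/24      # assumed RFC 1918 range for the trusted LAN
DMZ_WEB=192.168.10.10        # assumed public web server living in the DMZ

dmz_rules() {
    # Clean slate, then default-deny: nothing passes unless a rule below allows it.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # The firewall host itself: loopback, replies to its own connections,
    # and administration (ssh) only from the trusted LAN.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Return traffic for any connection that was allowed when it was NEW.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Trusted LAN may initiate connections to the Internet and to the DMZ.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -d "$DMZ_NET" -m state --state NEW -j ACCEPT

    # The Internet reaches exactly one service on one DMZ host (the DNAT below
    # has already rewritten the destination to DMZ_WEB by the time FORWARD runs).
    $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p tcp -d "$DMZ_WEB" --dport 80 -m state --state NEW -j ACCEPT

    # DMZ hosts may go out to the Internet (updates, DNS) but never initiate into
    # the LAN, so a compromised public server is contained. Log, then drop explicitly
    # (the FORWARD policy would drop it anyway; the LOG line shows the attempt).
    $IPT -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$DMZ_NET" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j LOG --log-prefix "DMZ->LAN denied: "
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP

    # One public address on eth0 is shared by everyone: inbound tcp/80 is port
    # forwarded (PAT) to the DMZ web server, all outbound traffic is masqueraded.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$DMZ_WEB:80"
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # Deliberately absent: any rule for NetMeeting/H.323. Its call-control and
    # media channels use dynamically negotiated ports, so there is no fixed
    # --dport set that would permit it without opening almost everything.
}

dmz_rules
```

Note that the exposure of the DMZ web server is the sum of one DNAT entry and one FORWARD rule; adding a second machine to the DMZ exposes nothing until another such pair is written, which is the sense of "this depends only on the ruleset of the packet-filter" above. The `DMZ -> LAN` log line is worth watching: a public server suddenly knocking on the trusted network is an early sign it has been taken over.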