Re: DMZ When to use

From: Duane Arnold (darnold92@Insightbb.com)
Date: 07/05/02


From: "Duane Arnold" <darnold92@Insightbb.com>
Date: Fri, 05 Jul 2002 17:28:36 GMT

Let's back up here. Currently, I am using NetMeeting to connect to end-user
machines that are not on the same domain or network I am on to see what they
are talking about when they have issues. You're saying there is risk when I
do this with NetMeeting?

"Wolfgang Kueter" <wolfgang@shconnect.de> wrote in message
news:ag44ng$606$1@news.shlink.de...
> Duane Arnold <darnold92@insightbb.com> wrote:
>
> > DMZ is a feature that a router uses, but I guess it could be used on a
> > Linux firewall box too.
>
> DMZ stands for 'DeMilitarizedZone', it has nothing to do with routers
> but is a classic architecture and the place for public servers and/or
> proxies when connecting a trusted network to an untrusted network.
>
> You might like to read a good book about firewalls:
>
> Building Internet Firewalls, 2nd Edition
>
> By Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman
> 2nd Edition June 2000
> 1-56592-871-7, Order Number: 8717
>
> http://safari.oreilly.com/main.asp?bookname=fire2&snode=69
>
> > I have not used Linux yet.
>
> It has nothing to do with Linux, it is a question about firewall
> architecture and therefore is platform independent.
>
> > In the router example, using
> > DMZ for a machine that is connected to the router only exposes that one
> > machine or IP address, if you will, to the Internet.
>
> This is usually called network address translation (NAT), or to be more
> precise PAT.
>
> > The other machines are still behind the router's firewall.
>
> 'The router's firewall', what a phrase. Usually the router will do
> packet filtering and deny connection attempts from the outside to the
> hosts behind it. Besides that the use of RFC 1918 addresses for the
> machines in the trusted network makes them unreachable from the outside.
>
> > If somehow you had connected ten other
> > machines to that one machine that was using DMZ, they would be exposed to
> > the Internet too.
>
> This depends only on the ruleset of the packet-filter.
>
> > Looks to me like you should get a router. Getting a router eliminates the
> > need to ICS between machines. All the machines connected to the router
> > would be able to use the single IP provided by the ISP.
>
> And still a DMZ can be set up with port forwarding to certain machines
> within the DMZ. This setup is not very common but possible.
>
> > I'm wondering why you are not using Remote Desktop Sharing of
> > NetMeeting, which comes with the MS operating system, to control a
> > machine remotely instead of RDP. It's much simpler and works great.
> > NetMeeting is what I use to access the desktop of any machine on my
> > network and control that computer remotely.
>
> The H.323 protocol that NetMeeting uses is almost impossible to control by
> firewalls (packet-filter, application level gateways, whatever). Never
> use NetMeeting over firewalls.
>
> > 'Trusted IP' for all my machines behind the router, since the router uses
> > DHCP and assigns the same IP to a machine. That way I don't have to get
> > into opening a specific port to use NetMeeting on any machine connected
> > to the router.
>
> Instead almost anything is opened automatically since NetMeeting uses a
> lot of random ports.
>
> Read a good book about H.323 and think again whether you want to allow
> that.
>
>
> http://www.google.de/search?q=H.323+Protocol+Ports&ie=UTF-8&oe=UTF-8&hl=de&btnG=Google-Suche&meta=
>
> might get you an idea ...
>
> Wolfgang
> --
> A foreign body and a foreign mind,
> never welcome in the land of the blind.
> Peter Gabriel, Not one of us, 1980
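The two firewall behaviours argued over in this thread can be made concrete with a small model. The following is an added example, not code from either poster: a first-match packet filter with a minimal connection table, loaded once with a classic three-zone DMZ ruleset (the Internet may reach exactly one port-forwarded server in the DMZ, the DMZ may not initiate into the trusted LAN) and once with a consumer-router "DMZ host"/"Trusted IP" ruleset (every unsolicited inbound packet forwarded to one LAN host). The addresses, the H.323 port numbers used as sample packets, and the simplification that forwarded traffic is addressed to the inside host directly rather than to the router's public IP are all assumptions made for this example.

```python
"""Model of a three-zone (Internet / DMZ / LAN) packet filter.

Added example for the DMZ discussion above; constructed addressing,
not taken from the thread or from any real router configuration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed networks: both inside ranges are RFC 1918 space.
LAN = ip_network("192.168.1.0/24")        # trusted network
DMZ = ip_network("192.168.100.0/24")      # public servers / proxies
WEB_SERVER = ip_address("192.168.100.10")  # the one host the Internet may reach
ANY = "any"


def zone(ip: IPv4Address) -> str:
    """Classify an address into one of the three firewall zones."""
    if ip in LAN:
        return "lan"
    if ip in DMZ:
        return "dmz"
    return "internet"


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int
    sport: int = 40000
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    src_zone: str   # "lan", "dmz", "internet" or ANY
    dst: object     # a zone name, a single IPv4Address, or ANY
    dport: object   # an int or ANY
    action: str     # "accept" or "drop"

    def matches(self, p: Packet) -> bool:
        if self.src_zone != ANY and zone(p.src) != self.src_zone:
            return False
        if isinstance(self.dst, IPv4Address):
            if p.dst != self.dst:
                return False
        elif self.dst != ANY and zone(p.dst) != self.dst:
            return False
        if self.dport != ANY and p.dport != self.dport:
            return False
        return True


class Filter:
    """First-match packet filter, default drop, with a tiny connection table
    so that replies to connections it already accepted are let back in."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.conntrack = set()  # (src, sport, dst, dport, proto) of accepted flows

    def decide(self, p: Packet) -> str:
        # A packet travelling the reverse direction of an accepted flow is a reply.
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.conntrack:
            return "accept"
        for r in self.rules:
            if r.matches(p):
                if r.action == "accept":
                    self.conntrack.add((p.src, p.sport, p.dst, p.dport, p.proto))
                return r.action
        return "drop"


def classic_dmz_rules():
    """Classic DMZ: one port-forwarded public service, nothing else inbound,
    and a compromised DMZ host cannot initiate connections into the LAN."""
    return [
        Rule("internet", WEB_SERVER, 80, "accept"),
        Rule("internet", WEB_SERVER, 443, "accept"),
        Rule("internet", ANY, ANY, "drop"),
        Rule("dmz", "lan", ANY, "drop"),
        Rule("dmz", "internet", ANY, "accept"),
        Rule("lan", ANY, ANY, "accept"),
    ]


def trusted_ip_rules(host: IPv4Address):
    """Consumer-router 'DMZ host' / 'Trusted IP' feature (assumed behaviour):
    every unsolicited inbound packet is forwarded to one LAN host, on any port."""
    return [
        Rule("internet", host, ANY, "accept"),
        Rule("internet", ANY, ANY, "drop"),
        Rule("lan", ANY, ANY, "accept"),
    ]


if __name__ == "__main__":
    outside = ip_address("203.0.113.5")          # constructed Internet host
    f = Filter(classic_dmz_rules())
    print(f.decide(Packet(outside, WEB_SERVER, 80)))                  # accept
    print(f.decide(Packet(outside, ip_address("192.168.1.20"), 1720)))  # drop
    g = Filter(trusted_ip_rules(ip_address("192.168.1.50")))
    print(g.decide(Packet(outside, ip_address("192.168.1.50"), 54321)))  # accept
```

Run against the classic ruleset, an inbound H.323 call-setup packet (TCP 1720) or any of the dynamically negotiated media ports to a LAN host is dropped, which is why NetMeeting fails through a port-forwarding router; run against the "Trusted IP" ruleset the same packets are accepted on every port, which is exactly the "almost anything is opened automatically" that Wolfgang warns about.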


