Re: Suggestions for Firewall/Port selection hardware box

From: Nig (nig@nigs.niet)
Date: 10/31/02


Date: Thu, 31 Oct 2002 21:22:04 +0000
From: Nig <nig@nigs.niet>


Ron Loewy wrote:
>
> Hi,
>
> I have a small LAN that currently sits behind a NAT connected to a DSL
> modem.
>
> I would like to add a Windows 2K Server on this network, and expose some of
> its ports to the "public". Specifically - I want to be able to expose its
> mail server ports, web hosting port and several "custom" ports for my
> application.
>
> I know that low end Router/NAT/Firewall devices like what LinkSys offers
> have a DMZ port - but I do not think that this allows me to control the
> ports that can be accessed.
>
> Any ideas for a reliable, not too expensive box that will allow me to do
> something like this - so I will be able to use the W2K server for my LAN,
> but expose some functionality to the outside world?

Most low-end routers support DMZ or port forwarding functionality but
the problem with them is that the host that is either the DMZ or port
forward host is still connected to your internal LAN, so if that host is
compromised, all of your network could be got at. In the home router
world, DMZ means 'forward all ports to the DMZ host'. Yeah, right!

If you're serious about offering these services via your cable/ADSL
link, then you should think about separation of your networks - trusted
(your LAN), semi-trusted but still extremely dodgy (your DMZ host),
un-trusted (everyone else!). Not always possible in the home, I'm sure,
but if you are involved in running mail servers, web servers etc., you
need to think about it, especially if involved in development
activities. I'm not aware of any sub-$300-$400 home routers that will
allow you to do this, but a *nix box would do it quite nicely, I'm sure,
as would some of the appliances (PIX, SonicWall, WatchGuard) available,
but your costs are starting to rise with these.

If you have to run these services behind a cheapo router, then make sure
all patches are applied to the services you are running and they are
set up not to allow things like mail relaying, anonymous FTP put and so
on, run some sort of IDS on the public host, run current AV, run
firewalls on all other LAN machines and do not have any MS networking
between the public host and your LAN. You may find MS's tools, IISLockd
and URLScan useful if you are running a Windows host and the MS 'All
Your' Base Security Analyzer can help with making sure your patches are
current.

Paranoid? Oh yes, indeedy ;-)
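As an added example (not from the post or its author), this is what the trusted/DMZ/untrusted separation described above looks like as an iptables ruleset on a *nix box with three interfaces: the public ports reach the DMZ host and nothing else, and the DMZ host can never initiate traffic into the LAN. Interface names, addresses and the port list are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: three-zone iptables ruleset for a
# *nix firewall box. Interface names, addresses and ports are assumptions.
WAN=eth0; LAN=eth1; DMZ=eth2            # internet, trusted LAN, DMZ segment
DMZ_HOST=192.168.2.10                   # the public (W2K) server, alone on $DMZ
PUBLIC_TCP="25 80 110"                  # SMTP, HTTP, POP3 plus your custom ports
IPT=${IPT:-iptables}                    # IPT=echo previews rules without applying

fw_rules() {
  # Deny everything crossing the box by default; replies to accepted flows return.
  $IPT -P FORWARD DROP
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Trusted LAN may reach the internet and the DMZ host.
  $IPT -A FORWARD -i "$LAN" -j ACCEPT
  # Internet reaches the DMZ host only on the published ports, nothing else.
  for p in $PUBLIC_TCP; do
    $IPT -A FORWARD -i "$WAN" -o "$DMZ" -d "$DMZ_HOST" -p tcp --dport "$p" \
         -m conntrack --ctstate NEW -j ACCEPT
  done
  # The DMZ host may talk out (updates, outbound mail) but never into the LAN,
  # so a compromised public host cannot reach your internal machines.
  $IPT -A FORWARD -i "$DMZ" -o "$LAN" -j DROP
  $IPT -A FORWARD -i "$DMZ" -o "$WAN" -j ACCEPT
  # Log whatever remains so probes from a compromised DMZ host show up.
  $IPT -A FORWARD -j LOG --log-prefix "FW-DROP: "
}

nat_rules() {
  # Publish the ports to the DMZ host; hide both inside segments behind the WAN IP.
  for p in $PUBLIC_TCP; do
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$p" \
         -j DNAT --to-destination "$DMZ_HOST"
  done
  $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Only touch the live firewall when explicitly asked: sh fw.sh apply
if [ "${1:-}" = "apply" ]; then fw_rules; nat_rules; fi
```

Run `IPT=echo sh fw.sh apply` to print the rules first, then `sh fw.sh apply` as root on the firewall box to load them.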
