cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1268
Views
4
Helpful
13
Replies

DMZ Implementation

TheGoob
Level 4
Level 4

Hello..

PART 1

So currently I have a simple WAN/LAN setup. 5 [usable] WAN IP's and 1 LAN (192.168.5.X)

On the LAN I have everything from XBOX to Wifi to Home PC's/Printers and then I have Linux servers [email, web] and then some NAS Servers. I wanted to make my network more secure and known about DMZ in theory but not in practice.

It is my understanding I would want to separate the "server" stuff from the home lan "fun" stuff and put it in the DMZ?

Would I create;

LAN - 192.168.1.0 -  Home Wifi, Xbox, PS5, Litter Robot, TV's, PC's

DMZ - 192.168.5.0 - Email Servers, Web Servers, NAS, NGINX [Reverse Proxy]

 

1 Accepted Solution

Accepted Solutions

Exactly'

We put any Server (any services) access from outside in DMZ and put other network in other Zone' in such' the client outside access DMZ can not (by fw policy) access other networks.

MHM

View solution in original post

13 Replies 13

Exactly'

We put any Server (any services) access from outside in DMZ and put other network in other Zone' in such' the client outside access DMZ can not (by fw policy) access other networks.

MHM

Hi!

Thank you for confirming what I was hoping was correct. As far as Internal access, will DMZ and LAN (more so PC’s on LAN) be able to access the NAS/Servers on the DMZ from an Internal perspective without any rules or will I also need to create inter-vlan?-routing?
Cause naturally I’d want LAN to DMZ and DMZ to LAN access.   

@TheGoob you should probably also consider segmenting the IOT type devices (PS5, TV etc) into their own network (separate interface behind the firewall), these devices traditionally only need internet access.

you dont need Policy but you need twice NAT if the client in IN access server in DMZ using it public IP.
MHM

I am not sure I follow the twice NAT in this instance. LAN  (192.168.1.15 (TV)) would want to connect to DMZ (192.168.5.15 (NAS)) to stream a movie “locally”.  

As far as Public IP, the DMZ devices, email/web would indeed have their own WAN IP then NAT’d to their correct DMZ IP. The LAN would have its own WAN IP as well.

 

Also I see what you mean about an IoT network as well for TV’s etc. I like that. 

If client IN use private IP of server in DMZ then you dont need twice NAT

If it use public IP then 

client IN will NAT to public IP then traffic hairpin and public IP of server will NAT to it private IP.

MHM

Oh, so twice NAT would be if LAN IP was connecting to the WAN IP of the DMZ Host, as opposed to LAN ip to DMZ (local) IP?

Correct 

MHM

Awesome! Thank you and all for assisting me with this. It was such an easy concept but for some reason I kept overthinking it. 
one final(I think) question for now… it seems kind of silly to go the twice NAT route, why would someone do this if it were local to begin with?   

One more question. So I now understand the concept and deployment of DMZ but am wondering about its practicality of it in my situation. As I mentioned I have some Internet facing servers, such as 2 email servers and some web stuff, but we are talking about 2-3 ports that are only opened on these devices. Wouldn’t making them DMZ devices actually open them to more security risks due to the simplicity of how many ports are opened? 

You should limit the ports allowed inbound to your DMZ servers from the Internet to only the ports needed.  If http then TCP/80 if email TCP/25 or whatever ports you are using no more.  Ideally, to be 'more secure' you would put every device in its own DMZ and only allow the traffic that is needed between the DMZs.  A concept known as least privilege access.  A post above mentioned your IoT devices only need Internet access.  If they can only access the internet then if it gets compromised, they cant use that device to pivot inside your network.

That was where I struggled for a while.

DMZ - Open to the Internet (access allowed “incoming” with opening ports but completely blocked from rest of Internal Network/Subnets for Security of breach. In order to allow another host on a diff subnet on the same network, I’d need to open said ports for that access as well. So really even though DMZ is on the same “hardware” it’s really like having a separate router and needs to be accessed/viewed as such for access?

Only if you are trying to get to your servers in the DMZ by their external IPs.  If you have internal DNS and have records using internal IPs of your hosts in the DMZ then you wouldn't need to twice NAT to get to them.

Review Cisco Networking for a $25 gift card