Example of setting up dmz ports. What is DMZ and how to configure it on the router. Video on setting up DMZ Host on a router






This article gives an overview of five options for organizing access to corporate network services from the Internet. Each option is analyzed for security and feasibility, which will help both novice and more experienced specialists understand the essence of the issue and refresh and systematize their knowledge. The material can be used to justify your own design decisions.

When considering the options, let's take as an example the network where you want to publish:

  1. Corporate mail server (Web-mail).
  2. Enterprise terminal server (RDP).
  3. Extranet service for counterparties (Web-API).

Option 1: Flat network

In this option, all nodes of the corporate network are contained in one network common to all (“Internal Network”), within which communications between them are not limited. The network is connected to the Internet through a border router/firewall (hereinafter referred to as IFW).

Hosts reach the Internet through NAT, and services are published to the Internet through port forwarding.

Pros of the option:

  1. Minimal functionality requirements for the IFW (it can be implemented on almost any router, even a home one).
  2. Minimal knowledge requirements for the specialist implementing the option.

Disadvantages of the option:

  1. Minimum level of security. In the event of a hack in which the Intruder gains control of one of the servers published on the Internet, all other nodes and communication channels of the corporate network become available to him for further attacks.

Analogy to real life

Such a network can be compared to a company where staff and clients are in one common room (open space).



Option 2. DMZ

To eliminate the disadvantage noted above, the network nodes accessible from the Internet are placed in a specially designated segment, a demilitarized zone (DMZ). The DMZ is organized using firewalls that separate it from the Internet (IFW) and from the internal network (DFW).


In this case, the firewall filtering rules look like this:
  1. From the internal network you can initiate connections to the DMZ and to the WAN (Wide Area Network).
  2. From the DMZ you can initiate connections to the WAN.
  3. From the WAN you can initiate connections to the DMZ.
  4. Initiating connections from the WAN and DMZ to the internal network is prohibited.


Advantages of the option:
  1. Increased network security against hacking of individual services. Even if one of the servers is hacked, the Intruder will not be able to access resources located on the internal network (for example, network printers, video surveillance systems, etc.).
Disadvantages of the option:
  1. Moving servers to the DMZ in itself does not increase their security.
  2. An additional firewall is required to separate the DMZ from the internal network.
Analogy to real life
This version of the network architecture is similar to the organization of work and client areas in a company, where clients can only be in the client area, and staff can be in both the client and work areas. The DMZ segment is precisely an analogue of the client zone.



Option 3. Dividing services into Front-End and Back-End

As noted earlier, placing a server in a DMZ in no way improves the security of the service itself. One way to correct the situation is to divide the functionality of the service into two parts, Front-End and Back-End, each placed on a separate server, with network interaction organized between them. Front-End servers, which implement the interaction with clients located on the Internet, are placed in the DMZ, and Back-End servers, which implement the remaining functionality, are left on the internal network. For interaction between them, rules are created on the DFW that allow connections to be initiated from the Front-End to the Back-End.

As an example, consider a corporate email service that serves clients both from within the network and from the Internet. Clients from inside use POP3/SMTP, and clients from the Internet work through the Web interface. Typically, at the implementation stage, companies choose the simplest method of deploying the service and place all its components on one server. Then, as the need to ensure information security is realized, the functionality of the service is divided into parts, and the part responsible for serving clients from the Internet (Front-End) is moved to a separate server, which interacts over the network with the server implementing the remaining functionality (Back-End). The Front-End is placed in the DMZ, and the Back-End remains in the internal segment. For communication between Front-End and Back-End, a rule is created on the DFW that allows connections to be initiated from the Front-End to the Back-End.
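As an added example (not from the original article), here is how rules 1–4 of the DMZ option and the single Front-End-to-Back-End exception of this option can be expressed as nftables rulesets for the two firewalls. The interface names, the subnets (10.10.0.0/24 internal, 10.20.0.0/24 DMZ), the host addresses and the published ports are constructed assumptions.

```nft
#!/usr/sbin/nft -f
# Added example: two nftables rulesets, one per firewall of the DMZ scheme. Interface
# names, subnets, host addresses and ports are constructed for illustration.
#
# ---- File 1: /etc/nftables.conf on the DFW (internal network <-> DMZ) ----
flush ruleset

define LAN_IF   = "eth1"         # internal network side of the DFW
define DMZ_IF   = "eth0"         # DMZ side of the DFW
define LAN_NET  = 10.10.0.0/24
define DMZ_NET  = 10.20.0.0/24
define FRONTEND = 10.20.0.10     # Option 3: webmail Front-End in the DMZ
define BACKEND  = 10.10.0.20     # Option 3: mail Back-End in the internal network

table inet dfw {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections that were already permitted; everything is stateful.
        ct state established,related accept
        ct state invalid drop

        # Rule 1: the internal network may initiate connections to the DMZ and to the WAN
        # (WAN-bound packets cross the DMZ segment to the IFW, which performs the NAT).
        iifname $LAN_IF ip saddr $LAN_NET oifname $DMZ_IF accept

        # Option 3 only: the single permitted initiation from the DMZ into the internal
        # network, pinned to source host, destination host and ports (submission, IMAPS).
        # Without Option 3 this line is absent and rule 4 below covers the DMZ entirely.
        iifname $DMZ_IF oifname $LAN_IF ip saddr $FRONTEND ip daddr $BACKEND \
            tcp dport { 587, 993 } ct state new accept

        # Rule 4: any other initiation from the DMZ side (including WAN traffic relayed by
        # the IFW) is logged at a limited rate and falls through to the policy drop.
        iifname $DMZ_IF oifname $LAN_IF limit rate 10/minute log prefix "dfw-deny: "
    }
}

# ---- File 2: /etc/nftables.conf on the IFW (Internet <-> DMZ), a separate host ----
# (LAN_NET and DMZ_NET are the same values as in File 1.)
define WAN_IF     = "eth0"       # public side of the IFW
define IFW_DMZ_IF = "eth1"       # DMZ side of the IFW
define WEBMAIL    = 10.20.0.10   # published on tcp/443
define RDP_GW     = 10.20.0.11   # published on tcp/3389
define API_SRV    = 10.20.0.12   # published on tcp/8443

table inet ifw {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Rule 2 (and the WAN half of rule 1): DMZ and internal hosts may initiate
        # connections to the WAN; internal traffic reaches the IFW via the DFW.
        iifname $IFW_DMZ_IF ip saddr { $DMZ_NET, $LAN_NET } oifname $WAN_IF accept

        # Rule 3: from the WAN only the published services are reachable, one port per host.
        # The forward hook sees packets after DNAT, so the match is on the DMZ address.
        iifname $WAN_IF oifname $IFW_DMZ_IF ip daddr $WEBMAIL tcp dport 443  accept
        iifname $WAN_IF oifname $IFW_DMZ_IF ip daddr $RDP_GW  tcp dport 3389 accept
        iifname $WAN_IF oifname $IFW_DMZ_IF ip daddr $API_SRV tcp dport 8443 accept
        # Rule 4: nothing addressed to the internal network is forwarded from the WAN;
        # the policy drop enforces this without a further rule.
    }

    chain prerouting {
        type nat hook prerouting priority dstnat;
        # Port forwarding of the three published services onto their DMZ hosts.
        iifname $WAN_IF tcp dport 443  dnat ip to $WEBMAIL
        iifname $WAN_IF tcp dport 3389 dnat ip to $RDP_GW
        iifname $WAN_IF tcp dport 8443 dnat ip to $API_SRV
    }

    chain postrouting {
        type nat hook postrouting priority srcnat;
        # Hosts reach the Internet through NAT.
        oifname $WAN_IF masquerade
    }
}
```

Load each file on its own host with `nft -f`; the DFW never carries a DMZ-to-internal allow rule other than the pinned Option 3 exception.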

Advantages of the option:

  1. In general, attacks directed against the protected service can “stumble” over the Front-End, which neutralizes or significantly reduces the possible damage. For example, attacks such as TCP SYN flood or slow HTTP read aimed at the service may make the Front-End server unavailable while the Back-End continues to function normally and serve users.
  2. In general, the Back-End server may have no access to the Internet, which, if it is compromised (for example, by malicious code run locally), makes remote control of it from the Internet difficult.
  3. The Front-End is well suited for hosting an application-level firewall (for example, a Web application firewall) or an intrusion prevention system (IPS, for example Snort).
Disadvantages of the option:
  1. For communication between Front-End and Back-End, a rule is created on the DFW that allows a connection to be initiated from the DMZ to the internal network, which creates threats associated with the use of this rule from other nodes in the DMZ (for example, through IP spoofing, ARP poisoning, etc.).
  2. Not all services can be divided into Front-End and Back-End.
  3. The company must implement business processes for updating firewall rules.
  4. The company must implement mechanisms to protect against attacks from Intruders who have gained access to a server in the DMZ.
Notes
  1. In real life, even without dividing servers into Front-End and Back-End, servers from the DMZ very often need to access servers located on the internal network, so the indicated disadvantages of this option will also be valid for the previous considered option.
  2. If we consider the protection of applications running via the Web interface, then even if the server does not support separating its functions into Front-End and Back-End, using an HTTP reverse proxy (for example, nginx) as the Front-End will minimize the risks associated with denial-of-service attacks. For example, a SYN flood may make the HTTP reverse proxy unavailable while the Back-End continues to work.
Analogy to real life
This option is essentially similar to the organization of work, in which assistants - secretaries - are used for highly loaded workers. Then the Back-End will be the analogue of a busy employee, and the Front-End will be the analogue of a secretary.



Option 4: Secure DMZ

The DMZ is a part of the network accessible from the Internet, and, as a result, subject to the maximum risk of host compromise. The design of the DMZ and the approaches used in it should provide maximum survivability in conditions where the Intruder has gained control of one of the nodes in the DMZ. As possible attacks, let's consider attacks to which almost all information systems operating with default settings are susceptible:

Protection against DHCP attacks

Although DHCP is intended to automate IP address configuration for workstations, in some companies server IP addresses are also issued through DHCP, which is rather bad practice. To protect against a rogue DHCP server and DHCP starvation, it is therefore recommended to disable DHCP in the DMZ completely.

Protection against MAC flood attacks

To protect against MAC flood, switch ports are configured to limit the maximum intensity of broadcast traffic (since these attacks usually generate broadcast traffic). Attacks involving the use of specific (unicast) network addresses will be blocked by MAC filtering, which we discussed earlier.

Protection against UDP flood attacks

Protection against this type of attack is similar to protection against MAC flood, except that filtering is carried out at the IP (L3) level.

Protection against TCP SYN flood attacks

To protect against this attack, the following options are possible:
  1. Protection at the network node using TCP SYN Cookie technology.
  2. Firewall-level protection (provided the DMZ is divided into subnets) by limiting the intensity of traffic containing TCP SYN requests.

Protection against attacks on network services and Web applications

There is no universal solution to this problem, but established practice is to implement a software vulnerability management process (identifying vulnerabilities, installing patches, etc.) and to use intrusion detection and prevention systems (IDS/IPS).

Protection against authentication bypass attacks

As in the previous case, there is no universal solution to this problem.
Usually, after a large number of unsuccessful authentication attempts, the account is locked to prevent guessing of credentials (for example, a password). But this approach is quite controversial, and here's why.
Firstly, the Intruder can guess credentials at an intensity that does not trigger account lockout (there are cases where a password was guessed over several months with an interval of several tens of minutes between attempts).
Secondly, this feature can be used for denial-of-service attacks, in which the attacker deliberately makes a large number of authentication attempts in order to lock accounts.
The most effective option against this class of attacks is the use of IDS/IPS systems, which, on detecting password guessing, block not the account but the source of the guessing (for example, the Intruder's IP address).

The final list of protective measures for this option:

  1. The DMZ is divided into IP subnets, with a separate subnet for each node.
  2. IP addresses are assigned manually by administrators; DHCP is not used.
  3. On the network interfaces to which DMZ nodes are connected, MAC and IP filtering and limits on the intensity of broadcast traffic and of traffic containing TCP SYN requests are enabled.
  4. Automatic negotiation of port type is disabled on switches and the native VLAN is not used.
  5. TCP SYN Cookies are configured on DMZ nodes and on the internal network servers to which these nodes connect.
  6. Software vulnerability management is implemented for DMZ nodes (and preferably for the rest of the network).
  7. Intrusion detection and prevention systems (IDS/IPS) are deployed in the DMZ segment.
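As an added example (not part of the original article), here is the nftables counterpart of measures 1, 2, 3 and 5 of the list above on a Linux router that terminates each DMZ node's own VLAN sub-interface and /30 subnet; the sub-interface names, MAC and IP addresses and rate thresholds are constructed assumptions, and the switch-side settings of measure 4 are outside what nftables can express.

```nft
#!/usr/sbin/nft -f
# Added example: per-node filtering for a "secure DMZ" on a Linux router. Each DMZ node sits
# on its own VLAN sub-interface and its own /30, so no two nodes share a broadcast domain
# and ARP poisoning between nodes is impossible by construction.
# Sub-interface names, MAC/IP addresses and thresholds are constructed for illustration.
#
# Measure 5 is a kernel setting on the DMZ nodes and on the internal servers they talk to,
# not a firewall rule:   sysctl -w net.ipv4.tcp_syncookies=1
flush ruleset

table inet dmz_secure {
    chain dmz_ingress {
        # "raw" priority: runs before connection tracking, so spoofed packets never
        # create state.
        type filter hook prerouting priority raw; policy accept;

        # Only traffic arriving on DMZ sub-interfaces is subject to these checks.
        iifname != { "eth1.110", "eth1.111", "eth1.112" } return

        # Measures 1-3: one static (interface, MAC, IP) binding per node. A compromised
        # node that forges another node's MAC or IP fails the binding and is dropped.
        iifname "eth1.110" ether saddr 02:00:00:00:00:10 ip saddr 10.20.10.2 jump dmz_limits
        iifname "eth1.111" ether saddr 02:00:00:00:00:11 ip saddr 10.20.11.2 jump dmz_limits
        iifname "eth1.112" ether saddr 02:00:00:00:00:12 ip saddr 10.20.12.2 jump dmz_limits
        limit rate 10/minute log prefix "dmz-spoof: "
        drop
    }

    chain dmz_limits {
        # Measure 2: DHCP is not used in the DMZ, so neither DHCP requests nor offers
        # (rogue server, starvation) are allowed on the wire at all.
        udp sport 68 udp dport 67 drop
        udp sport 67 udp dport 68 drop

        # Measure 3: broadcast storm control, per node (MAC flood tools generate broadcasts).
        # The binding above guarantees one source IP per node, so keying by ip saddr
        # gives a per-node limit.
        meta pkttype broadcast meter bcast_by_node { ip saddr limit rate over 50/second } drop

        # UDP flood control at L3, per node.
        meta l4proto udp meter udp_by_node { ip saddr limit rate over 2000/second burst 500 packets } drop

        # Measure 3: limit the intensity of TCP SYN requests from each node.
        tcp flags & (syn | ack) == syn meter syn_by_node { ip saddr limit rate over 500/second burst 100 packets } drop

        accept
    }
}
```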
Advantages of the option:
  1. High degree of security.
Disadvantages of the option:
  1. Increased requirements for the functionality of equipment.
  2. Labor costs for implementation and support.
Analogy to real life
If we previously compared the DMZ with a client area equipped with sofas and ottomans, then a secure DMZ will be more like an armored cash register.



Option 5. Back connect

The protection measures considered in the previous option relied on there being a device on the network (switch/router/firewall) capable of implementing them. In practice, however, such a device may not exist, for example when using virtual infrastructure (virtual switches often have very limited capabilities).

Under these conditions, many of the previously discussed attacks become available to the Intruder, the most dangerous of which are:

  • attacks that allow traffic to be intercepted and modified (ARP poisoning, CAM table overflow + TCP session hijacking, etc.);
  • attacks that exploit vulnerabilities in internal network servers to which connections can be initiated from the DMZ (which is possible by bypassing the DFW filtering rules through IP and MAC spoofing).

Another important factor, which we have not considered so far but which is no less important, is that users' workstations can also be a source of harmful effects on servers (for example, when infected with viruses or Trojans).

Thus, we are faced with the task of protecting the servers of the internal network from attacks by the Intruder both from the DMZ and from the internal network (infection of the workstation with a Trojan can be interpreted as actions of the Intruder from the internal network).

The approach proposed below aims to reduce the number of channels through which an Intruder can attack servers, and there are at least two such channels. The first is the rule on the DFW allowing access to the internal network server from the DMZ (even if restricted by IP addresses), and the second is the open network port on the server on which connection requests are expected.

These channels can be closed if the internal network server itself builds the connection to the server in the DMZ, using cryptographically secure network protocols to do so. Then there is neither an open port nor a rule on the DFW.

The problem is that ordinary server services do not know how to work this way, so implementing this approach requires network tunneling, for example using SSH or VPN, with connections from the server in the DMZ to the internal network server allowed only inside the tunnel.

The general scheme of operation of this option is as follows:

  1. An SSH/VPN server is installed on a server in the DMZ, and an SSH/VPN client is installed on a server in the internal network.
  2. The internal network server initiates the construction of a network tunnel to the server in the DMZ. The tunnel is built with mutual authentication of the client and server.
  3. The server from the DMZ, within the constructed tunnel, initiates a connection to the server in the internal network, through which the protected data is transmitted.
  4. A local firewall is configured on the internal network server to filter traffic passing through the tunnel.

Using this option in practice has shown that it is convenient to build network tunnels using OpenVPN, since it has the following important properties:

  • Cross-platform. You can organize communication on servers with different operating systems.
  • Possibility of building tunnels with mutual authentication of client and server.
  • Possibility of using certified cryptography.
At first glance this scheme may seem unnecessarily complicated: since a local firewall still has to be installed on the internal network server, it might seem easier to have the server in the DMZ connect to the internal network server as usual, but over an encrypted connection. Indeed, that would solve many problems, but it cannot provide the main thing: protection against attacks on internal network server vulnerabilities carried out by bypassing the firewall using IP and MAC spoofing.
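As an added example (not part of the original article), here is step 4 of the scheme, the local firewall on the internal network server, as an nftables ruleset. It assumes an OpenVPN tunnel that the internal server (client, tunnel address 10.8.0.2) builds to the DMZ server (server, tunnel address 10.8.0.1, DMZ address 10.20.0.10, udp/1194) with certificates on both sides, after which the DMZ server connects through the tunnel to the Back-End's IMAP service on tcp/993; all names, addresses and ports are constructed.

```nft
#!/usr/sbin/nft -f
# Added example: local firewall (step 4 of the scheme) on the internal Back-End server in the
# "back connect" option. Constructed assumptions: LAN interface eth0 (10.10.0.20); an OpenVPN
# client on this host builds the tunnel to the DMZ server 10.20.0.10 on udp/1194 with
# certificates on both sides ("remote-cert-tls server" here, "verify-client-cert require" on
# the DMZ side); tunnel interface tun0, this host 10.8.0.2, DMZ server 10.8.0.1; the
# protected service is IMAP on tcp/993.
flush ruleset

define LAN_IF    = "eth0"
define TUN_IF    = "tun0"
define DMZ_VPN   = 10.20.0.10    # DMZ server, where the OpenVPN server listens
define DMZ_TUN   = 10.8.0.1      # DMZ server's address inside the tunnel
define SVC_PORT  = 993
define ADMIN_NET = 10.10.0.0/24  # administrators and infrastructure live in the internal network

table inet backend_host {
    chain input {
        type filter hook input priority filter; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # The protected service is reachable ONLY through the tunnel and ONLY from the DMZ
        # server's tunnel address. No rule on the DFW allows DMZ -> internal traffic: the only
        # packets that enter here from the DMZ are replies to the tunnel this host opened.
        iifname $TUN_IF ip saddr $DMZ_TUN tcp dport $SVC_PORT ct state new accept

        # Administrative access (SSH) from the internal network only.
        iifname $LAN_IF ip saddr $ADMIN_NET tcp dport 22 ct state new accept

        # Everything else, e.g. a direct attempt on tcp/993 via the LAN interface from a
        # spoofed DMZ address, is logged at a limited rate and falls to the policy drop.
        limit rate 10/minute log prefix "backend-deny: "
    }

    chain output {
        type filter hook output priority filter; policy drop;
        oif lo accept
        ct state established,related accept

        # Step 2 of the scheme: this host, not the DMZ, initiates the tunnel.
        oifname $LAN_IF ip daddr $DMZ_VPN udp dport 1194 accept

        # Internal housekeeping (DNS, NTP) towards internal infrastructure only; nothing
        # else may leave towards the DMZ, which also limits a compromised Back-End.
        oifname $LAN_IF ip daddr $ADMIN_NET udp dport { 53, 123 } accept

        limit rate 10/minute log prefix "backend-out-deny: "
    }
}
```

The IMAP listener is bound normally, but the ruleset makes it answer only on tun0 to 10.8.0.1, so neither the DFW nor the service port is exposed to the DMZ segment.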

Advantages of the option:

  1. Architectural reduction of the number of attack vectors on the protected internal network server.
  2. Ensuring security in the absence of network traffic filtering.
  3. Protecting data transmitted over the network from unauthorized viewing and modification.
  4. The ability to selectively increase the level of security of services.
  5. The ability to implement a two-layer protection system, where the first layer is provided by firewalling and the second is organized on the basis of this option.
Disadvantages of the option:
  1. Implementation and maintenance of this protection option requires additional labor costs.
  2. Incompatibility with network intrusion detection and prevention systems (IDS/IPS).
  3. Additional computing load on servers.
Analogy to real life
The essence of this option is that the trusted party establishes the connection with the untrusted party, much as banks themselves call a potential borrower back to verify the data when issuing loans.

It is becoming harder and harder to imagine a company that has no local network and no Internet access. This is a widespread technology that helps improve work and provides quick access to information and exchange of documents and data. That is one side. On the other hand, with the widespread use of the Internet comes the need to solve the problem of protecting information and the local network as a whole. This issue is especially significant when the company has publicly accessible Internet services (web and FTP servers, email services, online stores) located on the common local network.

Access to such servers is most often provided freely: any user can, without authentication by login and password, access a resource hosted on a web server or sections of an FTP server, and the mail server will accept mail from other mail servers. There is no guarantee that malicious code will not arrive on the server along with the mail, or that among hundreds of users there will not be someone who, for whatever reason, wants to gain access not only to the public services but also to the organization's local network. And if the network is built on simple hubs rather than switches, it is in great danger.

By hacking one of the computers, a hacker can gain access to the entire network

What does this mean? Having gained access to at least one computer on the local network, a hacker can obtain passwords, up to and including the administrator password, which lets him access any information circulating or stored on the network and change access passwords so that databases become inaccessible or are simply taken out of service. In addition, a compromised web server can be used to carry out DoS attacks that block all internal corporate resources.

Therefore, the approach to building systems that include public servers should differ from the approach to building systems based on internal servers. This is dictated by the specific risks that arise from the public availability of the server. The solution is to separate the local network and the public servers into separate parts. The part in which the public services are located is called the “demilitarized zone” (DMZ, Demilitarized Zone).

DMZ - special attention zone

The essence of the DMZ is that it is not directly included in either the internal or external network, and access to it can only be carried out according to predefined firewall rules. There are no users in the DMZ - only servers are located there. A demilitarized zone usually serves to prevent access from the external network to hosts on the internal network by moving all services that require access from the outside from the local network to a special zone. In fact, it turns out that this zone will be a separate subnet with public addresses, protected (or separated) from public and corporate networks by firewalls.

When creating such a zone, corporate network administrators face additional tasks. It is necessary to ensure differentiation of access to resources and servers located in the DMZ, to ensure the confidentiality of information transmitted when users work with these resources, and to monitor user actions. Regarding the information that may be located on the servers, the following can be said. Considering that public services can be hacked, the least important information should be located on them, and any valuable information should be located exclusively on the local network, which will not be accessible from public servers.


On servers located in the DMZ there should not be any information about users, company clients, or other confidential information, there should not be personal mailboxes of employees - all this should be securely “hidden” in a protected part of the local network. And for the information that will be available on public servers, it is necessary to provide for backup archiving with the least possible frequency. In addition, it is recommended for mail servers to use at least a two-server service model, and for web servers to constantly monitor the status of information in order to timely detect and eliminate the consequences of hacking.

The use of firewalls is mandatory when creating a DMZ

Firewalls are used to protect against penetration through the demilitarized zone into the corporate network. There are software and hardware firewalls. Software firewalls require a machine running UNIX or Windows NT/2000; to install a hardware firewall you only need to connect it to the network and perform minimal configuration. Typically, software firewalls are used to protect small networks where there is no need for many settings related to flexible bandwidth allocation and per-protocol traffic restrictions for users. If the network is large and high performance is required, hardware firewalls become more profitable. In many cases not one but two firewalls are used: one protects the demilitarized zone from external influence, the second separates it from the internal part of the corporate network.


But in addition to the fact that moving public servers to a demilitarized zone protects the corporate network to a certain extent, it is necessary to think through and ensure protection for the DMZ itself. In this case, it is necessary to resolve issues such as:

  • protection against attacks on servers and network equipment;
  • protection of individual servers;
  • control of email and other content;
  • audit of user actions.

How can these issues be resolved? It is advisable to “split” the mail server, which is used both for external and for internal corporate correspondence, into two components: a public one, which is in effect a relay server and is located in the DMZ, and the main one, located inside the corporate network. The main component handles internal mail, receives external correspondence from the relay and sends outgoing mail to it.

One of the main challenges is ensuring secure access to public resources and applications from the corporate intranet. Although a firewall is installed between the intranet and the demilitarized zone, it must be “transparent” for work to proceed. There are several ways to give users this capability. The first is terminal access. With this organization of client-server interaction, no program code, which could contain viruses and other malicious inclusions, is transmitted over the established connection: from the terminal client to the server goes a stream of the user's keystrokes and mouse states, and back from the server to the client come bitmap images of the screens of the user's browser or mail client session on the server. Another option is a VPN (Virtual Private Network). Thanks to access control and cryptographic protection of information, a VPN has the security of a private network while enjoying all the advantages of a public network.

Securing servers and equipment in a DMZ must be approached with particular care

To protect against attacks on servers and network equipment, intrusion detection systems are used. The computer on which such a system is installed is the first on the path of information flow from the Internet to the DMZ. The systems are configured so that, when attacks are detected, they can reconfigure the firewall, up to completely blocking access. For additional, non-continuous checking, special software is used: security scanners that check the security of the network, of servers and services, and of databases. To protect against viruses, anti-virus software and content control tools are installed in the demilitarized zone.

Software and technical solutions for organizing and protecting DMZ are offered by various companies. These are both foreign and Russian. Among them are, for example, Computer Associates, D-Link, Informzashita, Trend Micro and many others.

Figure 13.2 – Scheme of a local network with a demilitarized zone


Global Networks

Wide Area Networks (WAN), also called territorial computer networks, provide their services to a large number of end subscribers scattered over a large area: a region, a country, a continent or the entire globe. Because of the great length of the communication channels, building a WAN requires very large investment: the cost of cables and their installation, the cost of switching equipment and of intermediate amplification equipment that provides the required channel bandwidth, and the operating costs of keeping network equipment scattered over a large area in working order.

Typical subscribers of a wide area network are the local networks of enterprises located in different cities and countries that need to exchange data with one another. Individual computers are also subscribers of WANs.

WANs are usually built by large telecommunications companies to provide paid services to subscribers; such networks are called public. The notions of network operator and service provider are also distinguished. The network operator is the company that keeps the network running. A service provider is a company that sells services to the network's subscribers. The owner, the operator and the service provider may be one company or different companies.

Far less often a WAN is built entirely by a large corporation for its own needs; such a network is called private. An intermediate arrangement is very common: a corporate network uses the services or equipment of a public WAN and supplements them with its own.

Depending on which components have to be leased, networks are conventionally distinguished as built on:

Dedicated channels;

Circuit switching;

Packet switching.

The last case is the most favorable: a packet-switched network is already available at every site that needs to be joined into the corporate network. The first two cases require additional work to build a packet-switched network on top of the leased facilities.

Dedicated channels

Dedicated (leased) circuits can be obtained from telecommunications companies that own long-distance lines, or from telephone companies, which usually lease circuits within a city or region.

Leased lines can be used in two ways. The first is to build with them a wide-area network of a particular technology, for example Frame Relay, in which the leased lines connect intermediate, geographically distributed packet switches.

The second is to connect only the local networks themselves over dedicated lines, without installing transit packet switches that run a WAN technology. This option is the simplest technically, since it relies on the routers or remote bridges of the interconnected LANs and needs no WAN protocols such as X.25 or Frame Relay: the same network-layer or link-layer packets travel over the long-distance channels as inside the LANs.

It is this second way of using long-distance channels that has received the name "dedicated channel service", since it uses nothing else from the technologies of packet-switched WANs proper.

Dedicated channels were used very actively in the recent past and are still used today, especially for critical backbone links between large local networks, because the service guarantees the bandwidth of the leased channel. However, with many geographically distant sites and heavy mixed traffic between them, this service becomes expensive because of the large number of leased channels needed.

Today there is a wide choice of dedicated channels, from analogue voice-frequency channels with a bandwidth of 3.1 kHz to digital SDH channels with throughput of 155 and 622 Mbit/s.

The abbreviation DMZ stands for DeMilitarized Zone. At first sight it is unclear what this has to do with a router, but in a number of cases it is in fact a very useful feature, and it is what this article is about.

Purpose and use of DMZ

On a home router, "DMZ" (more precisely "DMZ host") is a setting that gives one device on the local network direct exposure to the Internet, which is required by some services and programs: torrents, instant messengers, online games and a few others. You also cannot do without it if you want to install a surveillance camera and reach it over the Internet.

If the computer running the program is connected to the Internet directly, bypassing the router, there is no need for a DMZ. But if it is connected through a router, the program cannot be "reached" from the Internet, because all incoming requests arrive at the router and are not forwarded into the local network.

This is usually solved with port forwarding on the router (our site has material on it). Not everyone finds that convenient, and some prefer to set up a DMZ instead. If you enable DMZ on the router and add the desired host to it, for example a PC running a game server or a DVR with an IP camera attached, that host becomes visible from outside as if it were connected to the Internet directly. Nothing changes for the other devices on your network; they work as before.

Be careful with all these settings: both port forwarding and DMZ are potential security holes, and the DMZ host is the wider of the two, since it exposes every port of the chosen device rather than only the ones you selected. To improve security, large companies create a separate network segment for the DMZ, and an additional router or firewall blocks access from the DMZ segment to the other computers.

Setting up DMZ on the router

Home routers normally allow only one device to be designated as the DMZ host. The router itself must have a public ("white") IP address; only then can it be reached from the global network. Your Internet provider can tell you whether you have one. Some providers give out an external IP address for free, but often it is a paid extra. If the provider assigns the router a private address (for example from 10.0.0.0/8 or from the carrier-grade NAT range 100.64.0.0/10), neither DMZ nor port forwarding will make the host reachable from the Internet.

Setting a Static IP Address

Only a computer with a static IP address should be added to the DMZ, so first change the address. Open the properties of the network connection and, in the TCP/IP settings, set a static IP address in the address range of your network. For example, if the router's address is 192.168.0.1, you can give the computer 192.168.0.10. The standard subnet mask is 255.255.255.0, and in the "Gateway" field enter the router's address. A DHCP reservation for the device's MAC address on the router achieves the same result if the router supports it.

Note that the address you assign must lie outside the range the router's DHCP server hands out; otherwise the same address may be given to another device.

At this point, the computer setup is completed and you can proceed to the router settings.

Setting up the router

The first step is to enable DMZ on the router, since it is disabled by default.

Find the corresponding menu item in the device’s web interface:

  • On Asus routers, the required tab is called DMZ.
  • On TP-Link routers, open the “Forwarding” item, and there will be a DMZ sub-item.
  • On D-Link routers, look under the "Firewall" item.

In any case, on the settings tab tick the "Enable" box. Next to it, find the field called "DMZ Host Address" or "Visible Station Address" (other names are possible depending on the model). Enter there the static address of the computer or other device to be placed in the DMZ; in our case 192.168.0.10.

Save the settings and restart the router. That is all: every port of the chosen PC is now reachable from outside. Any program that accepts incoming connections will behave as if it were on the Internet directly. All other programs will work as before.

Below is an example of setting up a router with an English interface.

Creating a DMZ is a convenient way to make the programs you need work, but keep in mind that opening a PC fully to the Internet increases the risk of network attacks and malware infection.

Therefore a host-based firewall and anti-virus program must be installed on the device used as the DMZ host, and only the services that actually need to be reachable should be listening on it.
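The two checks a practitioner wants before enabling a DMZ host follow from the procedure above: the static address must be inside the router's subnet and outside the DHCP pool, and every listening service on the host, not just the ones you meant to publish, becomes Internet-facing. The script below is an added example, not code from the original article: it uses the addresses the text uses (router 192.168.0.1, host 192.168.0.10), and the DHCP pool and the list of listening ports are constructed assumptions.

```python
"""Sanity checks for the home-router "DMZ host" procedure above.

Added example, not from the original page.  The router/host addresses are
the ones the text uses; the DHCP pool and the host's listening ports are
constructed assumptions for illustration.
"""
import ipaddress
from typing import Iterable, List, Tuple


def validate_dmz_host(router_ip: str, netmask: str, host_ip: str,
                      dhcp_pool: Tuple[str, str]) -> List[str]:
    """Check the static address the text asks you to configure.

    dhcp_pool is the inclusive (first, last) range the router hands out.
    Returns a list of problems; an empty list means the address is usable.
    """
    net = ipaddress.ip_interface(f"{router_ip}/{netmask}").network
    host = ipaddress.ip_address(host_ip)
    first, last = (ipaddress.ip_address(a) for a in dhcp_pool)
    problems = []
    if host not in net:
        problems.append(f"{host} is not in the router's subnet {net}")
    elif host == ipaddress.ip_address(router_ip):
        problems.append(f"{host} is the router's own address")
    elif host in (net.network_address, net.broadcast_address):
        problems.append(f"{host} is the network or broadcast address of {net}")
    if first <= host <= last:
        problems.append(f"{host} lies inside the DHCP pool {first}-{last} "
                        "and may be handed to another device")
    return problems


def internet_exposed_ports(listening: Iterable[int],
                           port_forwards: Iterable[int] = (),
                           dmz_host: bool = False) -> List[int]:
    """Ports on the host that unsolicited Internet traffic can reach.

    With plain port forwarding only the forwarded ports that actually have a
    listener are exposed.  With the host set as DMZ host the router forwards
    every unsolicited inbound packet, so the exposure is the whole listening
    set, including services you never intended to publish.
    """
    listening = set(listening)
    if dmz_host:
        return sorted(listening)
    return sorted(listening & set(port_forwards))


if __name__ == "__main__":
    pool = ("192.168.0.100", "192.168.0.199")           # constructed DHCP pool
    print(validate_dmz_host("192.168.0.1", "255.255.255.0", "192.168.0.10", pool))
    print(validate_dmz_host("192.168.0.1", "255.255.255.0", "192.168.0.150", pool))
    services = [22, 445, 3389, 25565]                   # constructed: SSH, SMB, RDP, game server
    print("port forwarding:", internet_exposed_ports(services, port_forwards=[25565]))
    print("DMZ host:       ", internet_exposed_ports(services, dmz_host=True))
```

Run it before and after enabling the DMZ option: the difference between the two `internet_exposed_ports` results is exactly the set of services the host-based firewall mentioned above now has to defend.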

Description

A demilitarized zone (DMZ) is a network segment with public ("white") addressing, separated by a firewall from both the Internet and the organization's local network. Servers that must be reachable from the Internet, such as a mail or web server, are usually placed in the DMZ. Since the DMZ servers are separated from the local network by a firewall, an attacker who compromises one of them does not thereby gain access to local network resources, provided the rules from the DMZ towards the local network are kept to the minimum the services need.

Settings

The demilitarized zone is created in the "Providers and networks" module. When creating it, specify the IP address of the Internet Control Server (ICS) in the DMZ network and the DMZ network mask, and select the network interface for the DMZ. For security reasons a separate network interface is normally used for the DMZ.

By default, servers located in the DMZ have no access to the Internet or to the local network, so the access they need must be granted with firewall rules.

The "NAT from local networks" checkbox controls whether local addresses are translated for traffic going to the DMZ network. It is disabled by default, i.e. the NAT service does not operate on the DMZ network interface and addresses pass through unchanged.

Important: NAT for the DMZ network is disabled on the external interfaces of the ICS, so the DMZ must be addressed with public ("white") IP addresses. Setting up a DMZ network makes sense when you need to control external access to servers in the local network that have public IP addresses; in all other cases configure a regular local network.
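The rule set that the ICS documentation above leaves to the administrator, and that the earlier sections describe in words (the mail relay in the DMZ talking SMTP to the internal server, intranet users reaching web-mail across the DFW, nothing else initiated from the DMZ into the internal network), can be written down and checked mechanically. The block below is an added example, not code from the original page or from any vendor: it models the three zones as a first-match, default-deny rule table, contrasts the DMZ design with the flat network from Option 1, checks the invariant that a compromised DMZ host reaches only the ports deliberately opened into the LAN, and renders the table as an nftables forward chain. Zone names, interface names (eth0/eth1/eth2) and port choices are assumptions drawn from the services named on this page.

```python
"""Zone policy model for the DMZ designs discussed on this page.

Added example (not code from the original page or from any vendor): a
first-match, default-deny rule table for three zones, Internet / DMZ / LAN,
plus a checker for the property a DMZ exists to provide, namely that a
compromised DMZ host cannot initiate connections into the LAN except on
the few ports you opened on purpose.  Interface names and ports are assumed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

INTERNET, DMZ, LAN = "internet", "dmz", "lan"

# Assumed interface layout, used only for the nftables rendering.
IFACE = {INTERNET: "eth0", DMZ: "eth1", LAN: "eth2"}


@dataclass(frozen=True)
class Rule:
    src: str              # source zone
    dst: str              # destination zone
    dport: Optional[int]  # TCP destination port; None matches any port
    action: str           # "accept" or "drop"
    comment: str = ""


def evaluate(rules: Iterable[Rule], src: str, dst: str, dport: int) -> str:
    """First matching rule wins; traffic matching no rule is dropped."""
    for r in rules:
        if r.src == src and r.dst == dst and r.dport in (None, dport):
            return r.action
    return "drop"


# Option 2 on this page: separate DMZ segment.  IFW and DFW are collapsed
# into one table for clarity.
DMZ_POLICY: List[Rule] = [
    Rule(INTERNET, DMZ, 443, "accept", "web-mail and extranet Web-API over HTTPS"),
    Rule(INTERNET, DMZ, 25, "accept", "inbound SMTP to the relay in the DMZ"),
    Rule(DMZ, INTERNET, 25, "accept", "relay delivers outbound mail"),
    Rule(DMZ, LAN, 25, "accept", "relay hands external mail to the internal mail server"),
    Rule(LAN, DMZ, 443, "accept", "intranet users reach web-mail"),
    Rule(LAN, DMZ, 22, "accept", "administrators manage DMZ hosts"),
    Rule(LAN, INTERNET, None, "accept", "outbound Internet access via NAT"),
    Rule(DMZ, LAN, None, "drop", "DMZ must not initiate anything else into the LAN"),
]

# Option 1 on this page: flat network with port forwarding.  Published
# servers share the segment with every other host, so nothing filters
# traffic between them once an attacker controls one of them.
FLAT_POLICY: List[Rule] = [
    Rule(INTERNET, LAN, 443, "accept", "port forward to web-mail"),
    Rule(INTERNET, LAN, 3389, "accept", "port forward to the RDP terminal server"),
    Rule(LAN, LAN, None, "accept", "intra-segment traffic is not filtered at all"),
    Rule(LAN, INTERNET, None, "accept", "outbound Internet access via NAT"),
]


def reachable(rules: Iterable[Rule], src: str, dst: str, ports: Iterable[int]) -> List[int]:
    """Ports in `ports` that a host in zone `src` can open towards zone `dst`."""
    rules = list(rules)
    return sorted(p for p in ports if evaluate(rules, src, dst, p) == "accept")


def dmz_to_lan_leaks(rules: Iterable[Rule], allowed=frozenset({25}),
                     probe_ports: Iterable[int] = range(1, 1025)) -> List[int]:
    """Segmentation check: DMZ->LAN ports accepted that are not on the allow-list."""
    rules = list(rules)
    return [p for p in probe_ports
            if p not in allowed and evaluate(rules, DMZ, LAN, p) == "accept"]


def to_nftables(rules: Iterable[Rule]) -> str:
    """Render the table as a stateful nftables forward chain (TCP only)."""
    lines = [
        "table inet filter {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in rules:
        port = f" tcp dport {r.dport}" if r.dport is not None else ""
        lines.append(f'    iifname "{IFACE[r.src]}" oifname "{IFACE[r.dst]}"{port} '
                     f'{r.action} comment "{r.comment}"')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    probe = [22, 25, 445, 3389]
    print("flat network, from a compromised published server:",
          reachable(FLAT_POLICY, LAN, LAN, probe))
    print("DMZ design, from a compromised relay:", reachable(DMZ_POLICY, DMZ, LAN, probe))
    print("DMZ->LAN leaks:", dmz_to_lan_leaks(DMZ_POLICY))
    print(to_nftables(DMZ_POLICY))
```

Because evaluation is first-match, rule order is part of the policy: an accept for DMZ->LAN inserted above the explicit drop is a leak the checker reports, while the same rule appended below the drop is shadowed and never fires. Run `dmz_to_lan_leaks` against the table every time it changes, not just once at design time.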