• Demilitarization of the local network. Four best practices for setting up a DMZ (demilitarized zone)

    A DMZ, or demilitarized zone, is a network security technique in which the servers that answer requests from an external network are placed in a dedicated network segment whose access to the main network segments is restricted by a firewall, so that the compromise of one of the services in the zone causes as little damage as possible.

    Single firewall configuration

    Scheme with one firewall

    In this scheme the DMZ, the internal network and the external network are connected to different ports of the router (acting as the firewall), which controls connections between the networks. The scheme is easy to implement and needs only one extra port. However, if the router is compromised (or misconfigured), the internal network becomes directly exposed to the external network.

    Dual firewall configuration

    In the configuration with two firewalls, the DMZ is attached to two routers: one restricts connections from the external network into the DMZ, and the other controls connections from the DMZ into the internal network. This scheme minimizes the consequences of a compromise of either firewall or of any server facing the external network: until the internal firewall is compromised, the attacker gains no arbitrary access to the internal network.

    Three firewall configuration

    There is also a rare configuration with three firewalls. The first takes the requests from the external network, the second controls the DMZ's connections, and the third controls the internal network's connections. In this configuration both the DMZ and the internal network are usually hidden behind NAT (Network Address Translation).

    One of the key properties of a DMZ is not only traffic filtering on the internal firewall but also the requirement of strong cryptography for interaction between the active equipment of the internal network and the DMZ. In particular, there must be no situation in which a request from a server in the DMZ can be processed without authorization. If the DMZ is also used to protect information inside the perimeter from leaking from within, the same requirements apply to the processing of user requests from the internal network.

    In this article I will explain what a DMZ host (or DMZ server) on a router is, and how to open ports using the DMZ function. Since you are reading this article, you probably already know what a virtual server is and why you need one. If not, then . In short, you need to open a port on the router when your computer exchanges files with other Internet users: for example, to run an FTP server on a home PC, a torrent client, or an online game. In this article we will learn how to open all ports at once using the so-called DMZ host, using TP-Link, Asus, Zyxel Keenetic and Tenda routers as examples.

    DMZ (“demilitarized zone”) is a technology with which you can open absolutely all ports on one specific device.

    How to use a DMZ server on a router?

    Using the method described above, the router opens only one port for one device on the network. Through a DMZ host you can open several ports at once. However, this should be done only in extreme cases, since the device then becomes completely open to access from the Internet. Sometimes it is nevertheless necessary, for example to set up viewing of CCTV cameras connected through a DVR, or to run a game server.

    An example: when a video surveillance recorder is connected, it often uses port 80 by default and this cannot be changed in its settings. At the same time this port is already in use on the router, so it cannot be forwarded. In this case the DMZ host on the router comes to the rescue.

    Virtual DMZ server on Tenda router

    In Tenda wifi routers the port-opening function is called “Virtual server”. In the admin panel it is found under “Advanced settings - Virtual server”.

    But first you need to assign a static IP address to the computer you want to forward ports to; otherwise, the next time it comes up via DHCP, the router may give it a different address and all our settings will be lost. Read how to do this.

    When a specific address is reserved for a computer, enter it in the “Virtual Server” section in the “Internal IP Address” cell.


    • Local network port - select the one most suitable for our needs from the drop-down list - ftp, http, pop3, SMTP and so on...
    • WAN port - indicate the same as in the previous case
    • Protocol - set TCP&UDP

    And click the “Add” button

    After saving the settings, the port through the Tenda router will open and we can easily provide access from the Internet to certain resources on the computer.

    Activating the DMZ host on the Tenda wifi router is done in “Advanced settings”. Everything is simple here: move the toggle switch to the on position and enter the IP address of the computer or other device on which we want to open all ports.

    Setting up DMZ on a TP-Link router

    The DMZ function on a TP-Link router with the new web interface is located under “Advanced settings” in “NAT forwarding - DMZ”. Everything is simple here: turn it on with a checkmark and specify the IP address of the computer on which all ports will be opened.

    DMZ host on Asus router

    On an Asus router the DMZ host setting is identical, and it is located in the main menu section “Internet”.

    Setting up DMZ Zyxel Keenetic

    The Zyxel Keenetic router also has a similar function, but it is not called DMZ; it is hidden under “Security - Firewall”.

    First, select here the type of network to which we want to allow access; this is the Home Network.
    Then click the “Add Rule” button.


    Next, we leave everything as default, except for one item - “Destination IP address”. Here you need to select “One” and in the text field write the IP address of the computer on which you need to open all ports. Please note that in the “Protocol” column we now select TCP.

    We do everything as in the picture below:

    On the updated Keenetic line the DMZ is also configured under “Firewall”. Click “Add Rule” here.

    Enable it with a tick and fill in everything the same as in the old Zyxel version.

    To broaden your horizons, I also advise you to read the instructions from Zyxel itself.

    Video on setting up DMZ Host on a router

    It is becoming ever harder to imagine a company that has no local network and no Internet access. This common technology helps improve work, gives quick access to information, and enables the exchange of documents and data. That is one side. On the other hand, with the widespread use of the Internet comes the need to protect information and the local network as a whole. This problem becomes especially acute when the company operates publicly accessible Internet services (web and ftp servers, email services, online stores) that sit on the common local network.

    Access to such servers is most often granted freely, that is, any user can, without authenticating with a login and password, reach a resource hosted on a web server or sections of an ftp server, and the mail server will accept mail from other mail servers. There is no guarantee that malicious code will not arrive on the server along with the mail, or that among hundreds of users there will be no one who, for whatever reason, wants access not only to the public services but also to the organization’s local network. And if the network is built on simple hubs rather than switches, it is in great danger.

    By hacking one of the computers, a hacker can gain access to the entire network

    What does this mean? Having gained access to at least one computer on the local network, a hacker can obtain passwords, up to and including the administrator password, which gives access to any information circulating or stored on the network, lets him change access passwords so that databases become inaccessible, or simply put them out of order. In addition, a compromised web server can be used to carry out DoS attacks, which can block the functioning of all internal corporate resources.

    Therefore, the approach to building systems that include public servers should differ from the approach to building systems based on internal servers. This is dictated by the specific risks that arise from the public availability of the server. The solution is to separate the local network and the public servers into separate parts. The part in which the public services are located is called the “demilitarized zone” (DMZ - Demilitarized Zone).

    DMZ - special attention zone

    The essence of the DMZ is that it is not directly included in either the internal or external network, and access to it can only be carried out according to predefined firewall rules. There are no users in the DMZ - only servers are located there. A demilitarized zone usually serves to prevent access from the external network to hosts on the internal network by moving all services that require access from the outside from the local network to a special zone. In fact, it turns out that this zone will be a separate subnet with public addresses, protected (or separated) from public and corporate networks by firewalls.

    When creating such a zone, corporate network administrators face additional tasks. It is necessary to ensure differentiation of access to resources and servers located in the DMZ, to ensure the confidentiality of information transmitted when users work with these resources, and to monitor user actions. Regarding the information that may be located on the servers, the following can be said. Considering that public services can be hacked, the least important information should be located on them, and any valuable information should be located exclusively on the local network, which will not be accessible from public servers.


    On servers located in the DMZ, there should be no information about users, company clients, or other confidential information; there should be no personal mailboxes for employees - all this should be securely “hidden” in a secure part of the local network. And for the information that will be available on public servers, it is necessary to provide for backup archiving with the least possible frequency. In addition, it is recommended for mail servers to use at least a two-server service model, and for web servers to constantly monitor the status of information in order to timely detect and eliminate the consequences of hacking.

    The use of firewalls is mandatory when creating a DMZ

    Firewalls are used to protect against penetration through the demilitarized zone into the corporate network. There are software and hardware firewalls. Software firewalls require a machine running UNIX or Windows NT/2000. To install a hardware firewall you only need to connect it to the network and perform minimal configuration. Software firewalls are typically used to protect small networks where there is no need for many settings related to flexible bandwidth allocation and per-protocol traffic restrictions for users. If the network is large and high performance is required, hardware firewalls become more cost-effective. In many cases not one but two firewalls are used: one protects the demilitarized zone from external influence, and the second separates it from the internal part of the corporate network.


    But in addition to the fact that moving public servers to a demilitarized zone protects the corporate network to a certain extent, it is necessary to think through and ensure protection for the DMZ itself. In this case, it is necessary to resolve issues such as:

    • protection against attacks on servers and network equipment;
    • protection of individual servers;
    • control of email and other content;
    • audit of user actions.

    How can these issues be resolved? It is advisable to “split” the mail server, which is used both for external and for internal corporate correspondence, into two components: a public one, which is in fact a relay server and is located in the DMZ, and a main one, located inside the corporate network. The main component handles internal mail, receives external correspondence from the relay and hands outgoing mail to it.

    One of the main challenges is ensuring secure access to public resources and applications from the corporate intranet. Although a firewall is installed between it and the demilitarized zone, it must be “transparent” for work. There are several options for providing this to users. The first is terminal access. With this organization of interaction between client and server, no program code that could contain viruses or other malicious inclusions is transmitted over the established connection. From the terminal client to the server goes a stream of key codes and mouse states, and back, from the server to the client, come bitmap images of the screens of the user's browser or mail client running in the server session. Another option is a VPN (Virtual Private Network). Thanks to access control and cryptographic protection of information, a VPN has the security of a private network while taking advantage of all the benefits of a public one.

    Securing servers and equipment in a DMZ must be approached with particular care

    To protect against attacks on servers and network equipment, dedicated intrusion detection systems are used. The computer on which such a system is installed becomes the first on the path of information flow from the Internet to the DMZ. The systems are configured so that, when attacks are detected, they can reconfigure the firewall to block access completely. For additional, non-continuous control, special software is used: security scanners that check the security of the network, the servers and services, and the databases. To protect against viruses, anti-virus software is installed in the demilitarized zone, as well as content control tools.

    Software and technical solutions for organizing and protecting DMZ are offered by various companies. These are both foreign and Russian. Among them are, for example, Computer Associates, D-Link, Informzashita, Trend Micro and many others.


    Kivshenko Alexey, 1880

    This article gives an overview of five options for solving the problem of organizing access to corporate network services from the Internet. The review analyses the options for security and feasibility, which will help both novice and more experienced specialists understand the essence of the issue and refresh and systematize their knowledge. The material in the article can be used to justify your design decisions.

    When considering the options, let's take as an example the network where you want to publish:

    1. Corporate mail server (Web-mail).
    2. Enterprise terminal server (RDP).
    3. Extranet service for counterparties (Web-API).

    Option 1: Flat network

    In this option, all nodes of the corporate network are contained in one network common to all (“Internal Network”), within which communications between them are not limited. The network is connected to the Internet through an edge router/firewall (hereinafter referred to as IFW).

    Hosts reach the Internet through NAT, and services are reached from the Internet through port forwarding.

    Pros of the option:

    1. Minimal functionality requirements for the IFW (almost any router will do, even a home router).
    2. Minimal knowledge requirements for the specialist implementing the option.

    Disadvantages of the option:

    1. Minimum level of security. If an Intruder gains control of one of the servers published to the Internet, all other nodes and communication channels of the corporate network become available to him for further attacks.

    Analogy to real life

    Such a network can be compared to a company where staff and clients share one common room (open space).



    Option 2. DMZ

    To eliminate the disadvantage just mentioned, the network nodes accessible from the Internet are placed in a specially designated segment, the demilitarized zone (DMZ). The DMZ is built with firewalls that separate it from the Internet (IFW) and from the internal network (DFW).


    In this case, the firewall filtering rules look like this:
    1. From the internal network you can initiate connections to the DMZ and to the WAN (Wide Area Network).
    2. From the DMZ you can initiate connections to the WAN.
    3. From the WAN you can initiate connections to the DMZ.
    4. Initiating connections from the WAN and DMZ to the internal network is prohibited.


    Advantages of the option:

    1. Increased resilience of the network to the compromise of individual services. Even if one of the servers is hacked, the Intruder will not be able to reach resources on the internal network (for example, network printers, video surveillance systems, etc.).

    Disadvantages of the option:

    1. Moving servers to the DMZ does not in itself increase their security.
    2. An additional firewall is required to separate the DMZ from the internal network.

    Analogy to real life

    This network architecture resembles the division of a company into work and client areas, where clients may only be in the client area while staff may be in both. The DMZ segment is precisely the analogue of the client area.



    Option 3. Dividing services into Front-End and Back-End

    As noted earlier, placing a server in a DMZ in no way improves the security of the service itself. One way to correct this is to divide the functionality of the service into two parts, Front-End and Back-End, each located on a separate server, with network interaction organized between them. The Front-End servers, which implement interaction with clients on the Internet, are placed in the DMZ, and the Back-End servers, which implement the remaining functionality, are left on the internal network. For interaction between them, rules are created on the DFW that allow connections to be initiated from the Front-End to the Back-End.

    As an example, consider a corporate email service that serves clients both from within the network and from the Internet. Clients inside use POP3/SMTP, and clients from the Internet work through the web interface. Typically, at the implementation stage, companies choose the simplest deployment and place all the components of the service on one server. Then, as the need for information security is recognized, the functionality of the service is divided into parts, and the part responsible for serving clients from the Internet (Front-End) is moved to a separate server, which interacts over the network with the server implementing the remaining functionality (Back-End). The Front-End is placed in the DMZ and the Back-End remains in the internal segment. For communication between Front-End and Back-End, a rule is created on the DFW that allows connections to be initiated from the Front-End to the Back-End.

    Advantages of the option:

    1. In general, attacks directed against the protected service can “stumble” on the Front-End, which neutralizes or significantly reduces the possible damage. For example, attacks such as TCP SYN flood or slow HTTP read aimed at the service may make the Front-End server unavailable, while the Back-End continues to function normally and serve users.
    2. In general, the Back-End server need not have Internet access, which, if it is compromised (for example, by locally run malicious code), makes remote control of it from the Internet difficult.
    3. The Front-End is well suited for hosting an application-level firewall (for example, a web application firewall) or an intrusion prevention system (IPS, for example Snort).

    Disadvantages of the option:

    1. For communication between Front-End and Back-End, a rule is created on the DFW that allows connections to be initiated from the DMZ into the internal network, which creates threats related to the use of this rule from other nodes in the DMZ (for example, via IP spoofing, ARP poisoning, etc.).
    2. Not all services can be divided into Front-End and Back-End.
    3. The company must implement business processes for updating firewall rules.
    4. The company must implement mechanisms to protect against attacks from Intruders who have gained access to a server in the DMZ.

    Notes

    1. In real life, even without splitting servers into Front-End and Back-End, servers in the DMZ very often need to access servers on the internal network, so the disadvantages listed for this option also apply to the previous one.
    2. If we consider the protection of applications accessed through a web interface, then even if the server does not support splitting into Front-End and Back-End, using an HTTP reverse proxy (for example, nginx) as the Front-End minimizes the risks of denial-of-service attacks. For example, a SYN flood may make the HTTP reverse proxy unavailable while the Back-End continues to work.

    Analogy to real life

    This option is essentially similar to assigning assistants (secretaries) to heavily loaded employees. The Back-End is then the analogue of the busy employee and the Front-End the analogue of the secretary.



    Option 4: Secure DMZ

    The DMZ is a part of the network accessible from the Internet, and, as a result, subject to the maximum risk of host compromise. The design of the DMZ and the approaches used in it should provide maximum survivability in conditions where the Intruder has gained control of one of the nodes in the DMZ. As possible attacks, let's consider attacks to which almost all information systems operating with default settings are susceptible:

    Protection against DHCP attacks

    Although DHCP is intended to automate the IP configuration of workstations, in some companies server IP addresses are also issued via DHCP, which is rather bad practice. Therefore, to protect against a rogue DHCP server and DHCP starvation, it is recommended to disable DHCP in the DMZ completely.

    Protection against MAC flood attacks

    To protect against MAC flood, switch ports are configured to limit the maximum intensity of broadcast traffic (since these attacks usually generate broadcast traffic). Attacks involving the use of specific (unicast) network addresses will be blocked by MAC filtering, which we discussed earlier.

    Protection against UDP flood attacks

    Protection against this type of attack is similar to protection against MAC flood, except that filtering is carried out at the IP (L3) level.

    Protection against TCP SYN flood attacks

    To protect against this attack, the following options are possible:
    1. Protection at the network node using TCP SYN Cookie technology.
    2. Firewall-level protection (subject to subnetting the DMZ) by limiting the intensity of traffic containing TCP SYN requests.

    Protection against attacks on network services and Web applications

    There is no universal solution to this problem, but established practice is to implement a software vulnerability management process (identification, patch installation and so on), together with intrusion detection and prevention systems (IDS/IPS).

    Protection against authentication bypass attacks

    As in the previous case, there is no universal solution to this problem.
    Usually, after a large number of unsuccessful authentication attempts, the account is locked to prevent guessing of authentication data (for example, a password). But this approach is quite controversial, and here is why.
    Firstly, the Intruder can guess authentication data at an intensity that does not trigger the account lockout (there are known cases where a password was guessed over several months with intervals of tens of minutes between attempts).
    Secondly, this feature can be used for denial-of-service attacks, in which the attacker deliberately makes a large number of authentication attempts in order to lock accounts.
    The most effective option against this class of attacks is the use of IDS/IPS systems which, upon detecting password guessing attempts, block not the account but the source of the guessing (for example, the Intruder's IP address).
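    The two objections above (slow guessing that stays under the lockout threshold, and lockout used as a denial of service against a legitimate account) are easy to see on real log data, so here is an added example (not from the article) that runs both policies, per-account lockout and per-source blocking, over a few constructed sshd-style log lines. The log format, the user names and the addresses 198.51.100.7, 198.51.100.9 and 10.0.0.5 are all constructed for the example; the sliding-window counter is the detection logic an IDS/IPS would apply.

```python
import re
from datetime import datetime, timedelta

# Constructed log lines in a simplified sshd-like format (not from the article).
# 198.51.100.7 hammers "alice" six times in two minutes (fast guessing);
# 198.51.100.9 tries "bob" once every 30 minutes (slow guessing);
# 10.0.0.5 is alice herself mistyping her password once, then logging in.
SAMPLE_LOG = """\
2024-05-01T10:00:00 sshd: Failed password for alice from 198.51.100.7
2024-05-01T10:00:20 sshd: Failed password for alice from 198.51.100.7
2024-05-01T10:00:40 sshd: Failed password for alice from 198.51.100.7
2024-05-01T10:01:00 sshd: Failed password for alice from 198.51.100.7
2024-05-01T10:01:20 sshd: Failed password for alice from 198.51.100.7
2024-05-01T10:01:40 sshd: Failed password for alice from 198.51.100.7
2024-05-01T10:05:00 sshd: Failed password for alice from 10.0.0.5
2024-05-01T10:05:10 sshd: Accepted password for alice from 10.0.0.5
2024-05-01T09:00:00 sshd: Failed password for bob from 198.51.100.9
2024-05-01T09:30:00 sshd: Failed password for bob from 198.51.100.9
2024-05-01T10:00:00 sshd: Failed password for bob from 198.51.100.9
2024-05-01T10:30:00 sshd: Failed password for bob from 198.51.100.9
2024-05-01T11:00:00 sshd: Failed password for bob from 198.51.100.9
"""

FAIL_RE = re.compile(r"^(\S+) sshd: Failed password for (\S+) from (\S+)$")


def parse_failures(text):
    """Return (timestamp, user, source_ip) for every failed-login line."""
    events = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def offenders(events, key_index, threshold, window):
    """Keys (user name or source IP, chosen by key_index) that accumulate at
    least `threshold` failures inside any sliding window of length `window`."""
    by_key = {}
    for ev in events:
        by_key.setdefault(ev[key_index], []).append(ev[0])
    flagged = set()
    for key, times in by_key.items():
        times.sort()
        for i, t in enumerate(times):
            recent = [x for x in times[: i + 1] if x >= t - window]
            if len(recent) >= threshold:
                flagged.add(key)
                break
    return flagged


def lock_accounts(events, threshold=5, window=timedelta(minutes=10)):
    """Classic policy: lock the account being guessed (key = user name)."""
    return offenders(events, 1, threshold, window)


def block_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Policy the article recommends: block the source (key = source IP)."""
    return offenders(events, 2, threshold, window)


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    print("locked accounts:", lock_accounts(evs))
    print("blocked sources:", block_sources(evs))
    print("blocked sources (24 h window):", block_sources(evs, window=timedelta(hours=24)))
```

    With the default 5-in-10-minutes setting, account lockout locks alice (the attacker has achieved the denial of service against her) and never touches bob's slow guesser, whereas source blocking stops 198.51.100.7 and leaves alice's own address untouched. The slow guesser only shows up once the per-source window is widened to a day, which is feasible for a source address (five failures from one address in 24 hours is unusual) but would lock out real users if applied per account.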

    The final list of protective measures for this option:

    1. The DMZ is divided into IP subnets, with a separate subnet for each node.
    2. IP addresses are assigned manually by administrators; DHCP is not used.
    3. On the network interfaces to which DMZ nodes are connected, MAC and IP filtering and rate limits on broadcast traffic and on traffic containing TCP SYN requests are enabled.
    4. Automatic negotiation of port types is disabled on switches and use of the native VLAN is prohibited.
    5. TCP SYN cookies are configured on DMZ nodes and on the internal network servers to which these nodes connect.
    6. Software vulnerability management is implemented for DMZ nodes (and preferably for the rest of the network).
    7. IDS/IPS intrusion detection and prevention systems are deployed in the DMZ segment.

    Advantages of the option:

    1. High degree of security.

    Disadvantages of the option:

    1. Increased requirements for the functionality of equipment.
    2. Labor costs for implementation and support.

    Analogy to real life

    If we previously compared the DMZ to a client area furnished with sofas and ottomans, a secure DMZ is more like an armored cash desk.



    Option 5. Back connect

    The protection measures considered in the previous version were based on the fact that there was a device on the network (switch / router / firewall) capable of implementing them. But in practice, for example, when using a virtual infrastructure (virtual switches often have very limited capabilities), such a device may not exist.

    Under these conditions, many of the previously discussed attacks become available to the Intruder, the most dangerous of which are:

    • attacks that allow traffic to be intercepted and modified (ARP poisoning, CAM table overflow + TCP session hijacking, etc.);
    • attacks exploiting vulnerabilities in internal network servers to which connections can be initiated from the DMZ (possible by bypassing the DFW filtering rules through IP and MAC spoofing).

    The next important point, not considered before but no less important, is that users' automated workstations (AWS) can also be a source of harmful effects on servers (for example, when infected with viruses or Trojans).

    Thus, we are faced with the task of protecting the servers of the internal network from attacks by the Intruder both from the DMZ and from the internal network (infection of the workstation with a Trojan can be interpreted as actions of the Intruder from the internal network).

    The approach proposed below is aimed at reducing the number of channels through which an Intruder can attack servers, and there are at least two such channels. The first is the rule on DFW, allowing access to the internal network server from the DMZ (even if limited by IP addresses), and the second is an open network port on the server through which connection requests are expected.

    You can close these channels if the internal network server itself builds connections to the server in the DMZ and does this using cryptographically secure network protocols. Then there will be neither an open port nor a rule on DFW.

    But the problem is that ordinary server services cannot work this way, so to implement this approach it is necessary to use network tunneling, implemented for example with SSH or VPN, and within the tunnels allow connections from the server in the DMZ to the internal network server.

    The general scheme of operation of this option is as follows:

    1. An SSH/VPN server is installed on the server in the DMZ, and an SSH/VPN client is installed on the server in the internal network.
    2. The internal network server initiates the construction of a network tunnel to the server in the DMZ. The tunnel is built with mutual authentication of the client and server.
    3. The server from the DMZ, within the constructed tunnel, initiates a connection to the server in the internal network, through which the protected data is transmitted.
    4. A local firewall is configured on the internal network server to filter traffic passing through the tunnel.

    Using this option in practice has shown that it is convenient to build network tunnels using OpenVPN, since it has the following important properties:

    • Cross-platform. You can organize communication on servers with different operating systems.
    • Possibility of building tunnels with mutual authentication of client and server.
    • Possibility of using certified cryptography.

    At first glance it may seem that this scheme is unnecessarily complicated and that, since a local firewall still has to be installed on the internal network server, it would be easier to let the server in the DMZ connect to the internal network server as usual, only over an encrypted connection. Indeed, that option would solve many problems, but it cannot provide the main thing: protection against attacks on internal network server vulnerabilities carried out by bypassing the firewall using IP and MAC spoofing.
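    The direction reversal in steps 1-4 is the whole point of the option, so here is an added example (not the article's code) that plays both sides on the loopback interface: the DMZ relay is the only party that listens, the internal server dials out to it and never calls bind or listen, the relay then sends its application requests back down that established connection, and the internal side enforces a local allow-list in the role of step 4's local firewall. Plain TCP stands in for the OpenVPN or SSH tunnel of a real deployment (mutual authentication and encryption are not modelled); the record table and the "lookup" and "delete" operations are constructed for the example.

```python
import json
import socket
import struct
import threading

# Constructed demo: plain TCP on loopback stands in for the mutually
# authenticated OpenVPN/SSH tunnel the article describes in steps 1-2.


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None  # peer closed the connection
        buf += chunk
    return buf


def send_msg(sock, obj):
    """Length-prefixed JSON framing so one request maps to one message."""
    data = json.dumps(obj).encode()
    sock.sendall(struct.pack("!I", len(data)) + data)


def recv_msg(sock):
    header = _recv_exact(sock, 4)
    if header is None:
        return None
    (length,) = struct.unpack("!I", header)
    body = _recv_exact(sock, length)
    return None if body is None else json.loads(body)


class DmzRelay:
    """The DMZ side: the only listening socket in the scheme. It waits for the
    internal server to dial out, then issues requests over that connection
    (step 3)."""

    def __init__(self):
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]
        self.conn = None

    def accept_internal(self):
        self.conn, _ = self.listener.accept()

    def request(self, payload):
        send_msg(self.conn, payload)
        return recv_msg(self.conn)

    def close(self):
        self.conn.close()
        self.listener.close()


def internal_server(dmz_port, allowed_ops, records):
    """The internal side: never binds or listens. It connects OUT to the DMZ
    (step 2) and answers requests arriving through that connection, subject to
    a local allow-list playing the role of the local firewall of step 4."""
    sock = socket.create_connection(("127.0.0.1", dmz_port))
    try:
        while True:
            req = recv_msg(sock)
            if req is None:  # the DMZ side hung up: the tunnel is gone
                break
            if req.get("op") not in allowed_ops:
                send_msg(sock, {"error": "denied by local policy"})
            else:
                send_msg(sock, {"result": records.get(req.get("user"), "unknown")})
    finally:
        sock.close()


def run_demo():
    """Wire both sides together and return the two replies the DMZ receives."""
    relay = DmzRelay()
    records = {"alice": "active", "bob": "suspended"}  # constructed back-end data
    worker = threading.Thread(
        target=internal_server, args=(relay.port, {"lookup"}, records), daemon=True
    )
    worker.start()
    relay.accept_internal()
    allowed = relay.request({"op": "lookup", "user": "alice"})
    denied = relay.request({"op": "delete", "user": "alice"})
    relay.close()
    worker.join(timeout=5)
    return allowed, denied


if __name__ == "__main__":
    print(run_demo())
```

    Because the internal side never listens, there is no port on it for a spoofed packet from the DMZ to reach and no DFW rule pointing inward; the only thing an Intruder who controls the DMZ host can do is send requests down the already established, authenticated channel, which is exactly the traffic step 4's local filter is there to constrain.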

    Advantages of the option:

    1. Architectural reduction of the number of attack vectors on the protected internal network server.
    2. Security even in the absence of network traffic filtering.
    3. Protection of data transmitted over the network from unauthorized viewing and modification.
    4. The ability to raise the security level of services selectively.
    5. The ability to implement a two-tier protection system, where the first tier is provided by firewalling and the second is built on this option.

    Disadvantages of the option:

    1. Implementing and maintaining this protection option requires additional labor.
    2. Incompatibility with network intrusion detection and prevention systems (IDS/IPS).
    3. Additional computing load on the servers.

    Analogy to real life

    The main idea of this option is that a trusted party establishes the connection to an untrusted one, much as banks, when issuing loans, themselves call the prospective borrower back to verify the data.