
DMZ

krodgers
Grafter
Posts: 85
Registered: 11-09-2007

DMZ

Here goes for another coconut question:-

I'd like to "play" with FTP, telnet and web-servers.
(ADSL, DSL-504, and 4 P.C.s)
I want to play around on just one PC, which will have nothing of importance on it (I don't care if it's hacked!), but I want to keep the rest of the network secure.

My concept is that I need to put one of the P.C.s in a DMZ?
After that, I'm lost!
What does this mean?
What IP address do I give this Server?
Can I do it with my single fixed IP?
Does it simply get one of the 192.etc addresses, and have the ports redirected to it, or is there more to it than that?
Is there an idiot's guide anywhere?

Please remember you are talking to an ignoramus:-)

Ken Rodgers
8 REPLIES
Community Veteran
Posts: 6,111
Thanks: 1
Registered: 05-04-2007

DMZ

Ok, here goes... Wink

Putting a PC into DMZ mode basically means that data sent to it won't be subject to any "Network Address Translation" - basically, that thing called NAT won't do anything for that computer. NAT, as far as you're concerned, is just something that organises data sent through your router to the various computers. Having NAT on helps block nasty data (hacking attempts etc.) but it can also cause problems for certain applications (FTP server etc.) that need a direct path to the internet (the data doesn't want any of that network address translating stuff happening on its path to freedom!). So what you can do is put one computer into DMZ mode. All you need to do is give it a private IP (make one up if you want), and it should work.

Thomas
Community Veteran
Posts: 6,983
Thanks: 8
Registered: 10-04-2007

DMZ

Just one thing to beware of here.

Using the 4 port router (same model here) you have the ability to run a network so that you can share files between the PCs on the network.
Make sure that the PC you make DMZ is NOT available to the others on this network and that the others are NOT available to it.

Also make sure that you have antivirus software on ALL the PCs.

I fell foul of this and my son's friend managed to get a virus on one of my PCs.
This virus was one of those that can spread over a network. Before I knew what was happening I had over 2000 files infected.
I only realised something was odd when Norton on my main PC kept coming up with files infected.
In the end all the PCs had to be reformatted and installed from scratch. Cry
Community Veteran
Posts: 14,469
Registered: 30-07-2007

DMZ

Now things are starting to get tricky to explain to an 'ignoramus' in a short post Wink There are many different ways to do what you want, some secure some not...

DMZ stands for de-militarized zone. It is basically a network that lives between the public internet (that your router is connected to) and your private network (your 192.168.x.x addresses).

There are 2 methods: the first does not involve a DMZ setup but is not secure; the second requires additional hardware to act as a firewall between the internet and your private network and your DMZ, so may be beyond your scope. There are many many pitfalls if you don't understand the config or setup, meaning all your systems could be compromised:

1st option: not secure

You can use a designated PC on your private network (e.g. 192.168.0.2) for web and ftp services if you have the necessary software to do it (this will involve running a web server and ftp server on that PC). To get this working you use what is called port forwarding on the router. This means if anyone tried to connect on port 80 (web http) on your router's public IP address (the one assigned by Plusnet), the router would forward that request to a pre-configured local IP address (192.168.0.2) which would be running the web server and can serve the web page requested.

The same can be done for FTP, where port 21 is port forwarded to a local IP address.

The security problem is because the web/ftp server is on your local network so if that were hacked into then the hacker could have full access to your other PCs.

2nd option: secure

This method does use a DMZ, is secure but requires additional equipment to act as a firewall between the DMZ and your local network - there are several ways to set this up and too many to go into here.

This is one method - note your router will be between the firewall and the internet bubble:



Another method (which I can't find a diagram for) using the same equipment as above but the private network is connected directly to the ADSL router, the firewall is also connected to the ADSL router and the web/ftp server is connected to the firewall via another network card.


So the first option should be easy to set up but is not secure, the 2nd is more difficult to set up but is secure.

I know I've completely confused you now. :roll:

Cheers

Peter Cool
krodgers
Grafter
Posts: 85
Registered: 11-09-2007

DMZ

Hmmm...thanks for all that, you guys - you must despair at times:-)

Going back to my DSL-504, what I'm not understanding is this:-

Under NAT, I can enable or disable NAT.
Presumably I keep it enabled.
However (also under NAT in the menu), I can set the IP of a DMZ computer.

What happens when I set this DMZ?
Should it be set to another public IP address (which I would need from Plusnet?), or is it a private IP address which I allocate to that computer?
If it's in the Private group, I don't see how The Outside World "knows" which computer to access.
Conversely, if it's a Private IP, I don't see how that's any different from just redirecting the appropriate ports to that particular network machine, i.e. what the DMZ bit is doing?

You see what I mean about being a coconut?:-)

Ken Rodgers
N/A

DMZ

NAT is enabled on your router; by placing your PC in the DMZ zone, the effect is similar to disabling NAT on the one PC, i.e. you lose most of the firewall features.
Usually all incoming traffic is discarded by the router, unless it's a response from one of your PCs or something you've set up with port forwarding, e.g. you need to open ports to enable certain online games to function. Some of these games or video conferencing etc. have difficulties with NAT.
By setting up a PC as a DMZ server, all incoming traffic is forwarded to the PC; the effect is similar to running a PC with a modem.
I don't know about the D-Link, but with the Netgear, in the WAN setup page there is an option to set up a DMZ server by just inputting its local IP address.
As stated previously, just ensure you have a good antivirus running on the DMZ server as well as the other PCs and don't share files with it.
krodgers
Grafter
Posts: 85
Registered: 11-09-2007

DMZ

Ahhh- many thanks Aleca.
I think that a light is coming on now, and what everybody else is telling me becomes a little clearer!

Now that you mention on-line games, the penny starts to fall. I play bridge on the 'net, and one particular feature of the client program that I use is that one can "serve" (=start and administer) a table with it. If one serves a table (as opposed to joining somebody else's), one becomes a mini-server on the Internet. To do this (on a network) one must forward a specific port to the PC which is being used. Obviously, this is to enable other players to join it, in that the PC needs to be able to react to (accept) "unsolicited" packages from the other players trying to join. Presumably, these packages (requests from the outside world) would otherwise be rejected by the NAT?

What you now seem to be telling me is that I can still forward a port to a specific PC in this manner, but that unsolicited packages for any ports NOT forwarded will be directed to the DMZ PC?
Thus, that DMZ PC is "on its own", as far as NAT protection is concerned, receiving any unsolicited packages, and therefore vulnerable. As you phrase it, "As though it were on a modem" - and presumably with all ports open?
The IP address of the DMZ PC doesn't matter - it can be one of my private group, and fixed?

The only other problem seems to be that I must ensure that the DMZ PC can't communicate with the others, see their shared files, etc?
How do I do this? Can I just not let it belong to my workgroup?

Appreciate the good anti-virus comments. I have Norton Internet Security on the rest - OK?

Sorry this is going on so, but I'm sure that you guys will appreciate that you are probably not doing all this just for me - no doubt many other relative novices are reading this, and surely are every bit as grateful to you as I am:-)

Kind regards
Ken Rodgers
Community Veteran
Posts: 6,983
Thanks: 8
Registered: 10-04-2007

DMZ

Quote
Can I just not let it belong to my workgroup?


Yes, that would probably be enough to prevent it talking to the other PCs if it did catch a nasty.
N/A

DMZ

And the answer to the rest is yes,
you appear to have got it all figured out, Ken.
Regards,
Alec.
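
The inbound behaviour the thread settles on (replies go back to the PC that asked, forwarded ports go to their PC, anything else unsolicited goes to the DMZ PC, and without a DMZ PC it is dropped) can be modelled in a few lines. This is an added example, not part of the original thread and not DSL-504 firmware logic; the LAN range, host addresses and port 5000 are constructed, and the `Router` class and its method names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Router:
    """Toy model of how a NAT router treats packets arriving on its public IP."""
    lan: ipaddress.IPv4Network
    forwards: dict = field(default_factory=dict)   # (proto, wan_port) -> (lan_ip, lan_port)
    dmz_host: Optional[str] = None                 # private IP of the DMZ PC, if set
    sessions: dict = field(default_factory=dict)   # mappings created by outbound traffic

    def outbound(self, proto, lan_ip, lan_port, wan_port):
        # Simplified: real NAT also keys the mapping on the remote address.
        self.sessions[(proto, wan_port)] = (lan_ip, lan_port)

    def inbound(self, proto, wan_port):
        """Return (reason, destination) for one inbound packet."""
        key = (proto, wan_port)
        if key in self.sessions:          # reply to something a LAN PC started
            return ("reply", self.sessions[key])
        if key in self.forwards:          # explicit port forward wins over DMZ
            return ("port-forward", self.forwards[key])
        if self.dmz_host:                 # everything else unsolicited goes here
            return ("dmz", (self.dmz_host, wan_port))
        return ("drop", None)             # default with NAT and no rule

    def reachable_from_dmz(self, hosts):
        """LAN PCs the DMZ PC can talk to directly, bypassing the router."""
        if not self.dmz_host or ipaddress.ip_address(self.dmz_host) not in self.lan:
            return []
        return [h for h in hosts
                if h != self.dmz_host and ipaddress.ip_address(h) in self.lan]

def example_router():
    # Constructed values: the LAN range, the hosts and port 5000 are assumptions.
    r = Router(lan=ipaddress.ip_network("192.168.0.0/24"), dmz_host="192.168.0.2")
    r.forwards[("tcp", 5000)] = ("192.168.0.3", 5000)   # e.g. a game table
    return r

if __name__ == "__main__":
    r = example_router()
    for port in (21, 80, 5000):
        print(port, r.inbound("tcp", port))
    print(r.reachable_from_dmz(["192.168.0.2", "192.168.0.3", "192.168.0.4"]))
```

The last line lists the other PCs because a router's "DMZ host" setting leaves that PC on the same private subnet as the rest, so traffic between them never passes through the router. Keeping the DMZ PC away from the others therefore depends on each PC's own firewall and sharing settings, or on the separate firewall described in the second option earlier in the thread.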