Re: DMZ Question


On Thu, 25 Aug 2005 17:35:12 -0400, Lem <lemp40@xxxxxxxxxxx> wrote:

>Chuck wrote:
>
>> On Thu, 25 Aug 2005 15:22:31 -0400, Lem <*email_address_deleted*> wrote:
>>
>> >If a PC is in a router's "DMZ," and thus has a public IP address, can
>> >any of its resources (printers and files) be shared by computers on the
>> >LAN? And as a corollary, if computers on the LAN can share those
>> >resources, can those resources be protected from use by anyone anywhere?
>>
>> Lem,
>>
>> If a computer is in the same subnet as the other computers, then it can share
>> resources with the other computers. DMZ or no.
>>
>> The DMZ simply makes the IP ports on the DMZ computer(s) available to the
>> Internet as a whole. Including file and printer sharing, if there's not a
>> properly set up firewall on the computer(s) in the DMZ.
>>
>> I don't think that this is a Windows XP topic, though, so maybe it would be
>> better asked in Comp.Security.Firewalls, or in Microsoft.Public.Security. Might
>> be more experience there.
>>
>> BTW, Lem, posting your email address openly will get you more unwanted email,
>> than wanted email. Learn to munge your email address properly, to keep yourself
>> a bit safer when posting to open forums. Protect yourself and the rest of the
>> internet - read this article.
>> <http://nitecruzr.blogspot.com/2005/05/how-to-post-on-usenet-and-encourage.html#Munging>

>You're right, this is not really a Windows question, although it's based on a system running
>WinXP. I understand that putting a computer in a router's DMZ exposes its ports to the
>Internet. In the system I was looking at, the router accomplished this exposure by assigning
>the DMZ computer a public IP address (64.252.xxx.xxx). Thus, according to your explanation,
>there could be no resource sharing with the LAN PCs, which have IP addresses in one of the
>ranges reserved for private addresses (172.16.xxx.xxx), and thus are on a different subnet.
>Perhaps there are some routers that implement DMZ by assigning a private IP address and then
>just forwarding ports. I'll check in Comp.Security.Firewalls.
>
>The beauty of hotmail addresses is that they're disposable. I check the address on this
>post just often enough to keep hotmail from disabling the account -- I don't care what goes
>there. On the other hand, it's a real address, which sometimes is necessary to use.

With a true DMZ, on an Enterprise LAN, there would be a physically separate
network segment, with a router connecting that subnet directly to the office LAN
(but with both networks protected by the corporate firewall). That's the
purpose of a DMZ, to isolate itself from a vulnerable office network, yet
protect itself.

I've yet to figure out what the protection of a NAT router DMZ is. As I
understand it, a NAT DMZ consists of a single computer, exposed to the world,
and directly accessible by the other computers. If your router actually creates
a separate subnet, that sounds like a true DMZ. What make and model router is
that? Does it have a rule set that restricts traffic between itself and the LAN
in general?

And thanks for acknowledging your public exposure of your Hotmail account - it's
good that you understand the risks. Unfortunately, you're causing a risk to the
Internet, as the clueless will see you posting your address and follow your
example. And the clueless are those most vulnerable to trojans and worms, and
will contribute one more bot to the world botnet population. This will mean
still more spam for everybody, as if there isn't already too much.

--
Cheers,
Chuck, MS-MVP [Windows - Networking]
http://nitecruzr.blogspot.com/
Paranoia is not a problem, when it's a normal response from experience.
My email is AT DOT
actual address pchuck mvps org.
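
Added example, not part of the original posts: a Python check of the two points discussed in this thread, whether the DMZ host shares a subnet with the LAN and which file and printer sharing ports it listens on. The addresses, the /24 mask and the `netstat -an` sample are constructed; 203.0.113.10 is a documentation address standing in for the public 64.252.xxx.xxx address.

```python
import ipaddress

# Ports used by Windows file and printer sharing (RPC, NetBIOS, SMB).
SHARING_PORTS = {135, 137, 138, 139, 445}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed `netstat -an` sample for the DMZ host (not from the thread).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING
  TCP    203.0.113.10:139       0.0.0.0:0              LISTENING
  TCP    203.0.113.10:3389      0.0.0.0:0              LISTENING
  UDP    203.0.113.10:137       *:*
"""

def is_rfc1918(addr):
    """True if addr is in one of the private ranges used behind NAT."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def exposed_sharing_ports(netstat_text, host_addr):
    """Sharing ports bound to host_addr or to all interfaces."""
    found = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and parts[-1] != "LISTENING":
            continue
        addr, _, port = parts[1].rpartition(":")
        if addr in ("0.0.0.0", host_addr) and port.isdigit() \
                and int(port) in SHARING_PORTS:
            found.add((parts[0], int(port)))
    return sorted(found)

def assess(host_addr, lan_cidr, netstat_text=SAMPLE_NETSTAT):
    """Summarise the exposure of a host placed in a router's DMZ."""
    lan = ipaddress.ip_network(lan_cidr)
    return {
        "public_address": not is_rfc1918(host_addr),
        "same_subnet_as_lan": ipaddress.ip_address(host_addr) in lan,
        "sharing_ports": exposed_sharing_ports(netstat_text, host_addr),
    }

if __name__ == "__main__":
    # Lem's case: public DMZ address, LAN in 172.16.x.x (mask assumed /24).
    print(assess("203.0.113.10", "172.16.0.0/24"))
    # NAT-style DMZ: the exposed host keeps a private LAN address.
    print(assess("172.16.0.5", "172.16.0.0/24"))
```

The ports reported under `sharing_ports` are the ones a firewall on the DMZ host would need to restrict to the LAN subnet.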