Re: DMZ Question




Allow All Applications (DMZplus)

DMZplus is a special firewall mode that is used for hosting applications if you are still not
able to get an application to operate properly using the "Allow individual application(s)"
option. When in DMZplus mode, the designated computer:

- "Shares" your Router Address (system's IP address).
- Appears as if it is directly connected to the Internet.
- Has all of the unassigned TCP and UDP ports opened and pointed to it.
- Can receive unsolicited network traffic from the internet.

NOTE: Although the DMZplus computer appears to Internet users as though it is directly connected
to the Internet, it is still protected by your system firewall. All traffic is inspected by the
firewall's Stateful Packet Inspection engine and all known hacker attacks continue to be blocked.

Since all filtered traffic is forwarded to the designated computer, DMZplus mode should be used
with caution. In most situations, you can use the "Allow individual application(s)" option to
support access from the Internet to applications on your network. DMZplus can only be configured
for one computer on your home network at a time.

The Firewall Settings page allows you to enable DMZplus and select which computer will run in
DMZplus mode.

Chuck wrote:

> On Thu, 25 Aug 2005 17:35:12 -0400, Lem <lemp40@xxxxxxxxxxx> wrote:
>
> >Chuck wrote:
> >
> >> On Thu, 25 Aug 2005 15:22:31 -0400, Lem <*email_address_deleted*> wrote:
> >>
> >> >If a PC is in a router's "DMZ," and thus has a public IP address, can
> >> >any of its resources (printers and files) be shared by computers on the
> >> >LAN? And as a corollary, if computers on the LAN can share those
> >> >resources, can those resources be protected from use by anyone anywhere?
> >>
> >> Lem,
> >>
> >> If a computer is in the same subnet as the other computers, then it can share
> >> resources with the other computers. DMZ or no.
> >>
> >> The DMZ simply makes the IP ports on the DMZ computer(s) available to the
> >> Internet as a whole. Including file and printer sharing, if there's not a
> >> properly setup firewall on the computer(s) in the DMZ.
> >>
> >> I don't think that this is a Windows XP topic, though, so maybe it would be
> >> better asked in Comp.Security.Firewalls, or in Microsoft.Public.Security. Might
> >> be more experience there.
> >>
> >> BTW, Lem, posting your email address openly will get you more unwanted email,
> >> than wanted email. Learn to munge your email address properly, to keep yourself
> >> a bit safer when posting to open forums. Protect yourself and the rest of the
> >> internet - read this article.
> >> <http://nitecruzr.blogspot.com/2005/05/how-to-post-on-usenet-and-encourage.html#Munging>
>
> >You're right, this is not really a Windows question, although it's based on a system running
> >WinXP. I understand that putting a computer in a router's DMZ exposes its ports to the
> >Internet. In the system I was looking at, the router accomplished this exposure by assigning
> >the DMZ computer a public IP address (64.252.xxx.xxx). Thus, according to your explanation,
> >there could be no resource sharing with the LAN PCs, which have IP addresses in one of the
> >ranges reserved for private addresses (172.16.xxx.xxx), and thus are on a different subnet.
> >Perhaps there are some routers that implement DMZ by assigning a private IP address and then
> >just forwarding ports. I'll check in Comp.Security.Firewalls.
> >
> >The beauty of hotmail addresses is that they're disposable. I check the address on this
> >post just often enough to keep hotmail from disabling the account -- I don't care what goes
> >there. On the other hand, it's a real address, which sometimes is necessary to use.
>
> With a true DMZ, on an Enterprise LAN, there would be a physically separate
> network segment, with a router connecting that subnet directly to the office LAN
> (but with both networks protected by the corporate firewall). That's the
> purpose of a DMZ, to isolate itself from a vulnerable office network, yet
> protect itself.
>
> I've yet to figure out what the protection of a NAT router DMZ is. As I
> understand it, a NAT DMZ consists of a single computer, exposed to the world,
> and directly accessible by the other computers. If your router actually creates
> a separate subnet, that sounds like a true DMZ. What make and model router is
> that? Does it have a rule set that restricts traffic between itself and the LAN
> in general?
>
> And thanks for acknowledging your public exposure of your Hotmail account - it's
> good that you understand the risks. Unfortunately, you're causing a risk to the
> Internet, as the clueless will see you posting your address and follow your
> example. And the clueless are those most vulnerable to trojans and worms, and
> will contribute one more bot to the world botnet population. This will mean
> still more spam for everybody, as if there isn't already too much.
>
> --
> Cheers,
> Chuck, MS-MVP [Windows - Networking]
> http://nitecruzr.blogspot.com/
> Paranoia is not a problem, when it's a normal response from experience.
> My email is AT DOT
> actual address pchuck mvps org.

For what it's worth, the router in question is a 2Wire HomePortal 1000s. It's a friend's and I
have no idea why his network is configured the way it is, other than he apparently had great
difficulty in getting things to work and relied on advice from his ISP's tech support. In my
experience, ISP tech support often supplies "solutions" that make life easier for the ISP without
regard for any problems they may cause the individual user, e.g., the universal solution of
"re-format and re-install Windows."

According to 2Wire, their implementation of DMZ, which they call "DMZPLUS", still protects the
exposed computer with stateful packet inspection. See: http://tinyurl.com/8w7ut

To munge or not to munge. That is the question. Suffice it to say that there are differences in
opinion on this issue, and many posters to the microsoft.public newsgroups, including MS-MVPs,
post using valid email addresses. [Interestingly enough, I get far more spam at my "real"
address than at the hotmail address I use to post here. I suspect it's because some of the
"legitimate" e-tailers whose sites I visit and purchase from sell their customer lists. I wonder
if anyone's actually done a _recent_ study to determine if the spammers and malware propagators
continue to use address-harvesting bots or if they find it far easier just to buy a CD with tens
of thousands of known-good email addresses.]




--
p
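
The following is an added example, not part of the original thread or of 2Wire's documentation:
a small Python model of the DMZplus behaviour quoted at the top of this post (explicit
"Allow individual application(s)" rules win, every other unassigned TCP/UDP port is pointed at
the one DMZplus computer, and that computer's own firewall then decides whether an unsolicited
packet is accepted). All addresses, rules and port lists are constructed; it assumes the DMZplus
host keeps a private LAN address (the port-forwarding variant speculated about above), which is
why LAN peers can still reach its file and printer sharing ports.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("172.16.0.0/24")          # constructed private LAN prefix
DMZPLUS_HOST = "172.16.0.10"               # the single designated DMZplus computer
APP_RULES = {("tcp", 80): "172.16.0.20"}   # constructed "Allow individual application" rule

def route_inbound(proto, port, src, host_allow=frozenset()):
    """Return (host that receives the packet, whether it is accepted).

    host_allow: (proto, port) pairs the DMZplus host's own firewall accepts
    from addresses outside the LAN. Pass None to model a DMZplus host that
    runs no host firewall at all.
    """
    key = (proto, port)
    if key in APP_RULES:
        return APP_RULES[key], True            # an explicit rule takes precedence
    # Every unassigned port is pointed at the DMZplus host; from here on only
    # that host's own firewall stands between it and unsolicited traffic.
    from_lan = ip_address(src) in LAN
    accepted = from_lan or host_allow is None or key in host_allow
    return DMZPLUS_HOST, accepted

def internet_exposed(listening, host_allow=frozenset(), src="203.0.113.5"):
    """Services listening on the DMZplus host that an Internet address can reach."""
    return sorted(k for k in listening if route_inbound(*k, src, host_allow)[1])

# Windows file and printer sharing ports (NetBIOS over TCP/IP and SMB).
SMB = {("tcp", 139), ("tcp", 445), ("udp", 137), ("udp", 138)}

if __name__ == "__main__":
    print("no host firewall, exposed:", internet_exposed(SMB, host_allow=None))
    print("host firewall allowing only tcp/22, exposed:",
          internet_exposed(SMB | {("tcp", 22)}, {("tcp", 22)}))
    print("LAN peer reaching SMB:", route_inbound("tcp", 445, "172.16.0.30"))
```

The first call shows Chuck's warning in concrete form: with no host firewall, all four sharing ports are reachable from the Internet, while a LAN peer on the same subnet reaches them regardless of how the host firewall is set.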