Most likely, at some point we have accessed the configuration menu of our router to activate or deactivate some of the options that are controlled from there. And it is also quite likely that we have noticed a feature called “DMZ”, which is also sometimes referred to as “Demilitarized Zone”.
Like any curious computer user, we have most likely tried to enable or modify it. However, the parameters found there are not clear, we do not know what the option is for, and we know even less about the problems or advantages that enabling or disabling the DMZ option can bring.
That is why in this post we are going to clarify all the doubts that we may have about the DMZ option of the routers, in order to know in what circumstances we can use it in our favor and what advantages it would offer us to activate it in our network.
What is DMZ?
Basically, the acronym DMZ stands for “Demilitarized Zone”. Although the name suggests some kind of hidden military procedure, the truth is that it has little to do with the military.
The acronym DMZ is used in business and IT to refer to a group of networked computers that form a kind of “safe zone” with fewer access restrictions.
As we know, firewalls allow you to define access rules between two networks. However, in practice, companies generally have multiple subnets with different security policies. This is why it is necessary to install firewall architectures that isolate the different networks of the company: this is referred to as “partitioning the networks”, and the term “isolating” is also used in the same sense.
This is the most frequent scenario for the aforementioned “demilitarized zone”. However, this terminology, so widely used among IT professionals, has carried over to the home user, who can also benefit from it as long as they really know what they are doing, which we will cover later in this post.
In the home or small office environment, the DMZ feature is used to avoid problems when running services or applications, or when accessing them from the outside, on any of the computers or peripherals that are part of a network set up under DMZ guidelines.
In this sense, when professionals refer to a DMZ host, they are basically talking about a device on a LAN for which the router has left all ports open, except those ports that are specifically defined in the NAT table.
Why configure DMZ?
In most cases, the average user uses DMZ to improve the performance of applications, especially video games, P2P programs, web services and other online applications and services that make heavy use of the network.
Many users who are a little more experienced in network security use DMZ, for example, to access a NAS server from outside. However, they keep the protection of firewalls to prevent unauthorized access, and they do not enable services that are not used. All this aims to stop anyone from infiltrating the network to extract important information that the NAS may hold.
To configure and fine-tune DMZ, one of the first suggestions is that the user set a fixed IP for the computer that requires the service. If this first step is not carried out, the computer in question may lose that IP when it is restarted, and the router may end up assigning it to another computer, with all the security dangers that this entails.
The rest of the DMZ configuration is relatively simple, since once we have made sure that we have completed the first step, all that remains is to access the DMZ configuration menu of our router, look for the relevant option and enter the IP address on which we want the firewall to be removed.
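The behaviour described above, and the reason for the fixed IP, can be shown with a small model. This is an added example, not taken from the original post or from any router's firmware; the function names, device names and addresses are all constructed for illustration.

```python
"""Model of how a home router dispatches new inbound connections when a
DMZ host is configured. Names and addresses are constructed examples."""

# NAT table (port forwards): external port -> (LAN IP, LAN port).
PORT_FORWARDS = {8080: ("192.168.1.20", 80)}

# The address entered in the router's DMZ menu.
DMZ_HOST_IP = "192.168.1.50"


def route_inbound(ext_port, port_forwards=PORT_FORWARDS, dmz_ip=DMZ_HOST_IP):
    """Return the (LAN IP, port) that receives a new inbound connection,
    or None when the router drops it."""
    if ext_port in port_forwards:      # ports defined in the NAT table win
        return port_forwards[ext_port]
    if dmz_ip is not None:             # every other port goes to the DMZ host
        return (dmz_ip, ext_port)
    return None                        # no DMZ host configured: dropped


def exposed_device(leases, reservations, dmz_ip=DMZ_HOST_IP):
    """Return (device, pinned) for whoever currently holds the DMZ address.
    leases: device -> current IP; reservations: device -> fixed IP."""
    for device, ip in leases.items():
        if ip == dmz_ip:
            return device, reservations.get(device) == dmz_ip
    return None, False


# Constructed lease tables: the NAS had no fixed IP, and after a restart
# the router handed the DMZ address to a different device.
LEASES_BEFORE = {"nas": "192.168.1.50", "laptop": "192.168.1.51"}
LEASES_AFTER = {"nas": "192.168.1.52", "smart-tv": "192.168.1.50"}

if __name__ == "__main__":
    print(route_inbound(22))                    # lands on the DMZ host
    print(exposed_device(LEASES_BEFORE, {}))    # the NAS, but not pinned
    print(exposed_device(LEASES_AFTER, {}))     # now the TV is exposed
```
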
Is it advisable to use DMZ?
Although these types of implementations are much more convenient to carry out, the truth is that they are set up by people with extensive knowledge of network security. Other users are better off playing it safe and continuing to use the router’s NAT features, forwarding ports to the IP that needs them when necessary.
The most important and dangerous consequence of leaving all the ports of the router completely open is that anyone with an Internet connection and the necessary tools and knowledge can look for vulnerabilities in the services we usually use, such as FTP or SSH.
This means that if we do not know how to use the advantages of DMZ, we should continue to use the methods to which we are accustomed, at least until we fully understand the advantages and disadvantages of the “Demilitarized Zone”.
When certain computers on the internal network have to be accessible from the outside, such as a web server, a messaging server, a public FTP server or other services, it is usually necessary to create a new policy for a new network that is accessible both from the internal network and from the outside, without running the risk of compromising the security of the company.
It is at this point that we speak of the aforementioned “demilitarized zone”, which, as we saw, serves to designate this isolated area that houses applications available to the public. The DMZ serves as an intermediate zone between the network to be protected and the hostile network.
Usually, the servers located in the DMZ are called “bastions” because of their forward position in the company network.
The security policy applied in the DMZ is normally the following:
- Traffic from the external network to the DMZ: authorized
- Traffic from the external network to the internal network: prohibited
- Traffic from the internal network to the DMZ: authorized
- Traffic from the internal network to the external network: authorized
- Traffic from the DMZ to the internal network: prohibited
- Traffic from the DMZ to the external network: rejected
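One way to check a firewall rule list against this policy is sketched below. It is an added example, not part of the original post: the zone names, the first-match rule format and the sample rules are assumptions, and the rules are taken to apply to new connections only, with replies handled by the firewall's connection tracking.

```python
"""Audit a first-match firewall rule list against the DMZ policy listed
above. Zone names and the sample rules are constructed for illustration."""

ALLOW, DENY = "allow", "deny"

# The six policy lines, as (source zone, destination zone) -> action.
DMZ_POLICY = {
    ("external", "dmz"): ALLOW,
    ("external", "internal"): DENY,
    ("internal", "dmz"): ALLOW,
    ("internal", "external"): ALLOW,
    ("dmz", "internal"): DENY,
    ("dmz", "external"): DENY,
}


def evaluate(rules, src, dst, default=DENY):
    """Return the action of the first matching rule; '*' matches any zone."""
    for rule_src, rule_dst, action in rules:
        if rule_src in (src, "*") and rule_dst in (dst, "*"):
            return action
    return default


def audit(rules, policy=DMZ_POLICY):
    """Return (src, dst, expected, actual) for every flow where the rule
    list disagrees with the policy."""
    findings = []
    for (src, dst), expected in policy.items():
        actual = evaluate(rules, src, dst)
        if actual != expected:
            findings.append((src, dst, expected, actual))
    return findings


# Constructed rule list with a common mistake: a broad "dmz -> anywhere"
# allow placed above the deny rule, so the deny is never reached.
SAMPLE_RULES = [
    ("external", "dmz", ALLOW),
    ("internal", "*", ALLOW),
    ("dmz", "*", ALLOW),
    ("dmz", "internal", DENY),
]

if __name__ == "__main__":
    for src, dst, expected, actual in audit(SAMPLE_RULES):
        print(f"{src} -> {dst}: policy says {expected}, rules give {actual}")
```
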
The DMZ has an intermediate level of protection. Its security level is not sufficient to store critical business data. Note that it is also possible to set up DMZs internally, to partition the internal network according to the different levels of protection and thus avoid intrusions that come from inside.
As we can see, setting up DMZ on a computer is simple. What we must pay the most attention to is the security configuration of the router and of the rest of the computers that make up the network, to avoid problems that can be very difficult to solve if we implement DMZ incorrectly.