Looking to set up a DMZ for the first time

Renzore101

Member
Hello again CF,

I am considering trying to configure a home DMZ for the first time. I have never attempted to do this before. If anyone has any useful links or information I would appreciate it. At this point I am under the assumption that I am to buy two routers and implement a hardware firewall. I will make note that currently I do not have a full understanding of what will be necessary to deploy an effective DMZ. I do not have any servers at the moment; in the future I may want to implement a file server. What do I need exactly to monitor my DMZ?
 
What are you going to place in your DMZ?

Most consumer-grade equipment uses the DMZ 'feature' as a 'port forward all' instead of an actual DMZ. Was mainly curious what you were trying to accomplish here.
 
I was planning on putting a firewall and, to my understanding, a second router to monitor for threats to my home network. Again, my understanding of these concepts is very limited thus far in my IT career, so if you have any advice on some type of home-based efficient solution I'm all ears. I need a thorough understanding of how something like this would be deployed.
 
Usually a company uses a DMZ in order to have their hosted services segregated from the rest of the network. Do you have any Internet based services that you are trying to host?

In a corporate environment on the firewall you would do something like define a DMZ zone that has a lesser security level than your inside/LAN zone. Then you would need to define what traffic needs to originate back to the internal LAN via an access-list as all other traffic would be implicitly denied. Connectivity outbound from Inside to DMZ is allowed without specific ACL as you're initiating the session from a more secure zone to a lesser secure zone.

If you wanted to monitor threats for your WAN edge you are probably looking for more of a UTM (unified threat management) type of deployment. There are a few open-source ones that aren't bad such as Snort, that also includes some IPS (intrusion prevention) technology which can drop malicious traffic before it makes it to the destination.
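As an added illustration of the zone model described in the post above (this is example code written for this thread, not Untangle's, Snort's or any vendor's implementation): three zones with security levels, an explicit access-list for low-to-high traffic with an implicit deny behind it, and a session table so that replies to an inside-initiated session pass without their own ACL entry. The addresses, zone names and ACL entries are constructed assumptions.

```python
"""Zone-based firewall policy model: security levels, explicit ACL, stateful return traffic.

Constructed example. Addresses, zone names and ACL entries are assumptions,
not the configuration of any particular product.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Segments behind each interface of a three-legged firewall (constructed addressing).
ZONE_NETS = {"inside": ip_network("192.168.1.0/24"), "dmz": ip_network("10.0.0.0/24")}
# Security levels: higher means more trusted.
ZONE_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}


def zone_of(ip):
    """Map an address to its zone; anything not on a local segment is 'outside'."""
    addr = ip_address(ip)
    for zone, net in ZONE_NETS.items():
        if addr in net:
            return zone
    return "outside"


@dataclass(frozen=True)
class AclEntry:
    src_zone: str
    dst_zone: str
    dst_net: str
    proto: str
    dport: int


# Explicit exceptions for lower-to-higher traffic; everything else that way is implicitly denied.
ACL = [
    AclEntry("outside", "dmz", "10.0.0.80/32", "tcp", 443),    # Internet -> DMZ web host
    AclEntry("dmz", "inside", "192.168.1.10/32", "udp", 514),  # DMZ hosts -> inside syslog collector
]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    sport: int
    dst_ip: str
    dport: int
    proto: str


def new_session_decision(pkt, acl=ACL):
    """Decide a packet that does not belong to an existing session."""
    src_zone, dst_zone = zone_of(pkt.src_ip), zone_of(pkt.dst_ip)
    if src_zone == dst_zone:
        return "permit", "intra-zone"
    # Higher security level initiating toward a lower one needs no ACL entry.
    if ZONE_LEVEL[src_zone] > ZONE_LEVEL[dst_zone]:
        return "permit", f"{src_zone}->{dst_zone} higher-to-lower"
    for e in acl:
        if (e.src_zone, e.dst_zone, e.proto, e.dport) == (src_zone, dst_zone, pkt.proto, pkt.dport) \
                and ip_address(pkt.dst_ip) in ip_network(e.dst_net):
            return "permit", f"acl {e.src_zone}->{e.dst_zone} {e.proto}/{e.dport}"
    return "deny", f"implicit deny {src_zone}->{dst_zone}"


class StatefulFirewall:
    """Remembers permitted sessions so reply packets pass without an ACL entry of their own."""

    def __init__(self, acl=ACL):
        self.acl = acl
        self.sessions = set()

    def handle(self, pkt):
        key = (pkt.proto, pkt.src_ip, pkt.sport, pkt.dst_ip, pkt.dport)
        reverse = (pkt.proto, pkt.dst_ip, pkt.dport, pkt.src_ip, pkt.sport)
        if key in self.sessions or reverse in self.sessions:
            return "permit", "established"
        decision, reason = new_session_decision(pkt, self.acl)
        if decision == "permit":
            self.sessions.add(key)
        return decision, reason


def demo():
    """Run a constructed sequence of flows and return the decisions in order."""
    fw = StatefulFirewall()
    flows = [
        Packet("192.168.1.20", 50000, "10.0.0.5", 445, "tcp"),   # inside PC -> DMZ file server
        Packet("10.0.0.5", 445, "192.168.1.20", 50000, "tcp"),   # reply, passes as established
        Packet("10.0.0.5", 51000, "192.168.1.20", 445, "tcp"),   # DMZ host opening SMB inward: denied
        Packet("10.0.0.5", 51001, "192.168.1.10", 514, "udp"),   # DMZ host -> syslog collector: ACL
        Packet("203.0.113.7", 40000, "10.0.0.80", 443, "tcp"),   # Internet -> DMZ web host: ACL
        Packet("203.0.113.7", 40001, "192.168.1.20", 443, "tcp"),  # Internet -> inside: denied
    ]
    return [fw.handle(p)[0] for p in flows]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The third flow is the one a DMZ exists for: the file server can answer the inside PC, but it cannot open a new connection back into the LAN unless an ACL entry says so, which limits what a compromised DMZ host can reach. A consumer router's "DMZ host" setting, which forwards everything from the Internet to one LAN address, provides none of this separation.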
 
I would have a look at untangle. https://www.untangle.com/

You can monitor everything with SNTP and a program to monitor the SNTP traffic from the router. I use a simple solution called Wallwatcher, but you might want to find something better.
 
I just took a look at that firewall that you linked. I have yet to download it but based off reading the site description I get the impression that it is deployed by a dedicated machine?
 
Basically. You can use a server or VM, either of which that has 2 NICs. You'd essentially use it either as your wan edge device or inline from the wan edge in front of your LAN.

SNTP

I assume you mean SNMP? ;) SNTP is a lightweight NTP protocol.
 
Beers, sorry I did not respond to your message, I read it a few days ago and forgot to respond. Also, please understand that I am a noob/IT student still learning every day, therefore please excuse if I have seemingly stupid questions. I have an idea in which I may be able to implement this firewall on my home network, as I have some spare PC parts sitting around for a 2nd build that I could relatively quickly deploy for this purpose. Essentially I would need 2 NICs? So I would need to install a 2nd NIC card into the mobo in this new build?

EDIT: What exactly do you mean by "WAN edge device"? Some type of solution similar in function to the DMZ?
 
You're fine :D

For Untangle it complains at you if you have less than two NICs (which is irritating since you could easily do a 'router on a stick' type of deployment). You can make it your Internet router or you can simply have it in-line between your router and your internal PCs, it's really your call. It'd probably be easier to use it as your Internet router though as most people aren't familiar with having separate addressing for interconnects.

I made a quick paint drawing for the WAN edge. Basically it's the border of your network and the Internet or other WAN network. This would be the device that has your external/public IP address and translates traffic into your LAN.

(attached image: RcfMgKs.png, WAN edge drawing)
 
I was assuming you were going to include this paint drawing? I am a visual person! :D
 
Essentially I am just trying to determine how exactly I would deploy this. If I get a mobo with 2 NICs and install the program, I then run the cable from my home router to the PC with Untangle installed, then the 2nd NIC port runs to another switch that then connects to the rest of my devices?
 
It can be used in that manner. I would read the Untangle Wiki and their forum. Read, read, read! Don't dive into something with little knowledge.
 
I apologize for the erroneous post earlier pertaining to your WAN edge drawing, I think the corporate proxy at work was blocking it for me. Just so I have a complete understanding: the WAN edge is essentially sectioning off my network into two segments, public/private, and the DMZ would be considered the public side of the network, correct? In addition to that, I read online that it is best practice to purchase a separate modem and router. Therefore obviously the modem would reside within the public IP side of the WAN edge, but the WAN edge would still exist within the router.

EDIT: Or is the portion of the network contained within the WAN Edge itself considered the DMZ?
 
I have edited your paint diagram to include my interpretation of how I would deploy something on my personal network, let me know if I am on the right track.

(attached image: QZ4fvEH.png, edited WAN edge diagram)
 
Hi mate,
Whatever you do, assume that you DON'T run a firewall on your DMZ box; then configure all of the internal network to use MAC tables for whatever internal servers/routers you have.
Why? Two of my different 'modems' that were responsible for placing the PC into DMZ mode failed. They forwarded all the traffic, and at the same time my iptables were down because I was trying to do something. Within 5 minutes somebody was inside my Samba server! This happened twice to me. So set all the access with MAC tables (even printers) or, if you can, release certs...

Have fun!!!
 