52
the router, you can expose one computer to the Internet and run the application on
that computer.
When a LAN host is configured as a DMZ host, it becomes the destination for all
incoming packets that do not match some other incoming session or rule. If any other
ingress rule is in place, that will be used instead of sending packets to the DMZ host;
so, an active session, virtual server, active port trigger, or port forwarding rule will
take priority over sending a packet to the DMZ host. (The DMZ policy resembles a
default port forwarding rule that forwards every port that is not specifically sent
anywhere else.)
The router provides only limited firewall protection for the DMZ host. The router does
not forward a TCP packet that does not match an active DMZ session, unless it is a
connection establishment packet (SYN). Except for this limited protection, the DMZ
host is effectively "outside the firewall". Anyone considering using a DMZ host should
also consider running a firewall on that DMZ host system to provide additional
protection.
Packets received by the DMZ host have their IP addresses translated from the
WAN-side IP address of the router to the LAN-side IP address of the DMZ host.
However, port numbers are not translated; so applications on the DMZ host can
depend on specific port numbers.
The DMZ capability is just one of several means for allowing incoming requests that
might appear unsolicited to the NAT. In general, the DMZ host should be used only if
there are no other alternatives, because it is much more exposed to cyber attacks
than any other system on the LAN. Thought should be given to using other
configurations instead: a virtual server, a port forwarding rule, or a port trigger. Virtual
servers open one port for incoming sessions bound for a specific application (and
also allow port redirection and the use of ALGs). Port forwarding is rather like a
selective DMZ, where incoming traffic targeted at one or more ports is forwarded to a
specific LAN host (thereby not exposing as many ports as a DMZ host). Port
triggering is a special form of port forwarding, which is activated by outgoing traffic,
and for which ports are only forwarded while the trigger is active.
Few applications truly require the use of the DMZ host. Following are examples of
when a DMZ host might be required:
•
A host needs to support several applications that might use overlapping
ingress ports such that two port forwarding rules cannot be used because
they would potentially be in conflict.
•
To handle incoming connections that use a protocol other than ICMP, TCP,
UDP, and IGMP (also GRE and ESP, when these protocols are enabled by
the PPTP and IPSec ALGs ).
Enable DMZ
Putting a computer in the DMZ may expose that computer to a
variety of security risks. Use of this option is only recommended as
a last resort.