Home Router Screened Subnet


  • When making a server accessible on the Internet, careful thought needs to be given to the security of the local network
  • If the server that is the target of a port-forwarding rule is compromised,
    • there is the possibility that other LAN hosts can be attacked from it
    • or that the attacker could examine traffic passing over the LAN

A screened subnet is a segment isolated from the rest of a private network by one or more firewalls that accepts connections from the Internet over designated ports.

  • aka demilitarized zone (DMZ)
  • some hosts are placed in a separate network segment with a different IP subnet address range than the rest of the LAN
  • This configuration uses either two firewalls or a firewall that can route between at least three interfaces
  • Separate rules and filters apply to traffic:
    • between the screened subnet and the Internet
    • between the Internet and the LAN
    • and between the LAN and the screened subnet

  • Most home routers come with only basic firewall functionality
    • screens the local network rather than establishing a screened subnet
  • many home router vendors use the term DMZ
    • On a home router, a “DMZ” or “DMZ host” configuration refers to a computer on the LAN that is configured to receive communications for any ports that have not been forwarded to other hosts
    • in effect this means “not protected by the firewall”, as the host is fully accessible to other Internet hosts

DMZ host is a home router implementation of DMZ where all ports with no existing forwarding rules are opened and directed to a single LAN host.
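The following is an added illustration, not part of the original notes: a small policy model that contrasts the per-zone rules of a three-interface screened subnet with a home router's DMZ host. The address ranges, the published ports and the host addresses are constructed assumptions for the example.

```python
import ipaddress

# Constructed addressing for the example (assumption, not from the notes).
LAN = ipaddress.ip_network("192.168.1.0/24")    # ordinary LAN hosts
DMZ = ipaddress.ip_network("192.168.100.0/24")  # screened subnet, its own IP range

def zone(ip):
    """Classify an address as lan, dmz or wan (anything outside both subnets)."""
    addr = ipaddress.ip_address(ip)
    if addr in LAN:
        return "lan"
    if addr in DMZ:
        return "dmz"
    return "wan"

# Designated ports on which the screened-subnet server is reachable from the Internet.
PUBLISHED = {("192.168.100.10", 443), ("192.168.100.10", 80)}

def screened_subnet_allows(src, dst, dport):
    """Firewall routing between three interfaces: a separate rule per zone pair."""
    s, d = zone(src), zone(dst)
    if s == "wan" and d == "dmz":
        return (dst, dport) in PUBLISHED   # Internet -> screened subnet: designated ports only
    if s == "wan" and d == "lan":
        return False                       # Internet -> LAN: nothing unsolicited
    if s == "dmz" and d == "lan":
        return False                       # screened subnet -> LAN: a compromised server cannot pivot
    if s == "dmz" and d == "wan":
        return True                        # screened subnet -> Internet: allowed (e.g. updates)
    if s == "lan":
        return True                        # LAN -> screened subnet / Internet: allowed
    return False

# Home-router model: port forwards plus a single "DMZ host" that receives everything else.
FORWARDS = {443: "192.168.1.20"}   # explicit port-forwarding rules
DMZ_HOST = "192.168.1.50"          # LAN host configured as the router's "DMZ host"

def dmz_host_target(dport):
    """Which LAN host an unsolicited Internet connection to dport lands on."""
    return FORWARDS.get(dport, DMZ_HOST)

def dmz_host_allows(src, dst, dport):
    """Basic home router firewall: one internal segment, so LAN hosts are mutually reachable."""
    s, d = zone(src), zone(dst)
    if s == "wan" and d == "lan":
        return dmz_host_target(dport) == dst
    return s == "lan"   # every LAN host, including the exposed DMZ host, reaches the others
```

Running the two models side by side shows why a DMZ host is "not protected by the firewall": an Internet client reaches it on any unforwarded port, and from there the rest of the LAN is reachable, whereas the screened-subnet server is limited to its published ports and cannot reach LAN hosts.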