Clan x86

Technical (Development, Security, etc.) => General Security Information => Topic started by: RoMi on April 17, 2005, 10:25:05 am

Title: DMZ
Post by: RoMi on April 17, 2005, 10:25:05 am
Hey I got a new router with an SPI firewall the other day and it has an option to enable DMZ.  I was wondering what DMZ is, I know it stands for demilitarized zone, but that's about it.  I put my Xbox on the port and turned on DMZ and it seems to log in a few seconds faster.  Is it just like a port that doesn't get monitored by the SPI firewall or something?
Title: Re: DMZ
Post by: iago on April 17, 2005, 11:54:55 am
It's a "DMZ Host", not just "DMZ".

In a standard network, the setup is like this:

[internet]
[firewall]
[DMZ]
[firewall]
[internal network]

The DMZ is where things like web servers go.

That's a corporate thing, though.  In your situation, what that means is that it's forwarding all ports to the DMZ Host.  I don't recommend setting anything to a DMZ Host unless you trust the computer 100%.  For example, I'd never ever set a Windows computer to DMZ Host.

I don't think you'll get any speed increase, though.  Maybe that was a coincidence?
Title: Re: DMZ
Post by: RoMi on April 17, 2005, 12:29:32 pm
Thanks for the info iago!  I've run a few tests with the Xbox on and off of DMZ Host port and it still seems to log on faster.
Title: Re: DMZ
Post by: Quik on April 17, 2005, 01:24:37 pm
This website is running off Darkside (or Pie, I've forgotten in the confusion of the switch), which is made possible via iago's DMZ. Mostly valuable if you're running a webserver on your network, although dangerous, it does get you fully functional and somewhat safe (assuming you're not using Windows).
Title: Re: DMZ
Post by: iago on April 17, 2005, 01:26:31 pm
It's dangerous in that people can connect to you on any port.  Of course, I only have the ports I want open.

Right now, actually, the DMZ Host is Pie.  My router is doing:

Port 80 --> Darkside
Port 443 --> Darkside
Port 2401 --> Darkside (todo: get rid of)
Port 8001 --> Darkside
Port 5000-6000 --> Slayer
Everything else --> Pie
Title: Re: DMZ
Post by: RoMi on April 17, 2005, 02:32:09 pm
I do actually run a webserver/jbls server, which I just use port forwarding for, maybe it would be a good idea to put it up on DMZ?  BTW it's a Slackware box in bash screen only.
Title: Re: DMZ
Post by: iago on April 17, 2005, 02:33:33 pm
> I do actually run a webserver/jbls server, which I just use port forwarding for, maybe it would be a good idea to put it up on DMZ?  BTW it's a Slackware box in bash screen only.

If you're going to do that, make sure there is nothing else running.  By default, Slackware starts up some unnecessary services (like sendmail and others).  If they're open, you should disable them.
Title: Re: DMZ
Post by: RoMi on April 17, 2005, 02:41:15 pm
Just one more question: if it's set up on DMZ, that means that all ports are forwarded to that computer, right?  And that port-forwarding only works for the other devices.  Say you wanted a CS server on one computer that isn't set as DMZ, you would use port-forwarding to do this, right?  Now say that it is set up on the DMZ host port, does that mean that you would not have to use port forwarding, since all the ports, if not specified, are already forwarded to the DMZ host?
Title: Re: DMZ
Post by: iago on April 17, 2005, 03:51:43 pm
If you have a DMZ host and forwarded ports, the forwarded ports take precedence.
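
Added example, not part of any post in this thread: a small Python model of the routing rule described above (explicit forwards win, the DMZ host gets everything else), used to list which listening services are reachable from the internet only because of the DMZ host setting. The forwards and host names are the ones from iago's router list; the `LISTENING` inventory and the function names are constructed for illustration, and real routers may differ in detail.

```python
# Added example: models the inbound NAT decision described in the thread.
from dataclasses import dataclass

@dataclass(frozen=True)
class Forward:
    first: int   # first external port of the range
    last: int    # last external port of the range (inclusive)
    host: str    # internal machine that receives the traffic

# Port forwards and DMZ host as listed in iago's post.
FORWARDS = [
    Forward(80, 80, "Darkside"),
    Forward(443, 443, "Darkside"),
    Forward(2401, 2401, "Darkside"),
    Forward(8001, 8001, "Darkside"),
    Forward(5000, 6000, "Slayer"),
]
DMZ_HOST = "Pie"

# Constructed inventory of listening services per host (not real scan data).
LISTENING = {
    "Pie": {22: "sshd", 25: "sendmail", 80: "httpd"},
    "Darkside": {80: "httpd", 443: "httpd", 3306: "mysqld"},
    "Slayer": {22: "sshd", 5555: "game server"},
}

def route(port, forwards=FORWARDS, dmz_host=DMZ_HOST):
    """Host that an unsolicited inbound connection on `port` reaches, or None."""
    for rule in forwards:          # explicit forwards take precedence
        if rule.first <= port <= rule.last:
            return rule.host
    return dmz_host                # everything else falls through to the DMZ host

def exposed(listening, forwards=FORWARDS, dmz_host=DMZ_HOST):
    """Sorted (port, host, service) tuples reachable from the internet."""
    return sorted((port, host, svc)
                  for host, services in listening.items()
                  for port, svc in services.items()
                  if route(port, forwards, dmz_host) == host)

def dmz_only(listening, forwards=FORWARDS, dmz_host=DMZ_HOST):
    """Services exposed solely by the DMZ host setting, not by any forward."""
    without_dmz = set(exposed(listening, forwards, None))
    return [e for e in exposed(listening, forwards, dmz_host) if e not in without_dmz]

if __name__ == "__main__":
    for port, host, svc in dmz_only(LISTENING):
        print(f"{host}:{port} ({svc}) is reachable only because {host} is the DMZ host")
```

Anything `dmz_only` reports is a candidate for disabling on the DMZ host or for replacing the DMZ setting with a specific forward.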
Title: Re: DMZ
Post by: Mythix on May 06, 2005, 07:51:56 am
Never fall back onto DMZ unless you absolutely have to. I've heard some funny stories in my network security class with DMZs and a Windows box.
Title: Re: DMZ
Post by: iago on May 06, 2005, 01:04:02 pm
Haha, I did that once without thinking.  I needed to get something on unpatched Windows with BitTorrent (I was getting Linux, so there wasn't much point in updating Windows).  I set it to DMZ stupidly, just to use BitTorrent, and was instantly infected.  Duh :)
Title: Re: DMZ
Post by: Newby on May 07, 2005, 04:19:15 pm
> (assuming you're not using Windows).

It can still be safe if you aren't a complete moron and you are on Windows.

My friend runs XP Home (unpatched) on DMZ and he hasn't had a virus ever. Nor has he been infected.
Title: Re: DMZ
Post by: iago on May 07, 2005, 05:54:16 pm
> > (assuming you're not using Windows).
>
> It can still be safe if you aren't a complete moron and you are on Windows.
>
> My friend runs XP Home (unpatched) on DMZ and he hasn't had a virus ever. Nor has he been infected.

Unless he has a firewall, people can get a ton of information about him and his computer through a Null Session (http://www.softheap.com/security/session-access.html).  There's also a lot of stuff open, listening for connections, which is never secure.  Having stuff running (listening) that you don't know what it does is never a good idea.
Title: Re: DMZ
Post by: MyndFyre on July 05, 2005, 10:20:31 pm
> Unless he has a firewall, people can get a ton of information about him and his computer through a Null Session (http://www.softheap.com/security/session-access.html).  There's also a lot of stuff open, listening for connections, which is never secure.  Having stuff running (listening) that you don't know what it does is never a good idea.

They can get the file names of files in the root directories of my hard disk partitions.  Beyond that, I have file permissions set.  Root files have read-only access to Everyone.

When I reformat, I turn off DMZ to my machine until I get it patched.  Running SP1a or SP2, I've never had a problem.  I don't even run Windows firewall.

Title: Re: DMZ
Post by: Tuberload on July 06, 2005, 12:58:42 am
I use Windows and have never had a virus, trojan, etc. on my computer. I have never been "infiltrated" either. I check regularly. Take that as you will.

Edit: Spelling.
Title: Re: DMZ
Post by: iago on July 06, 2005, 09:11:40 am
> > Unless he has a firewall, people can get a ton of information about him and his computer through a Null Session (http://www.softheap.com/security/session-access.html).  There's also a lot of stuff open, listening for connections, which is never secure.  Having stuff running (listening) that you don't know what it does is never a good idea.
>
> They can get the file names of files in the root directories of my hard disk partitions.  Beyond that, I have file permissions set.  Root files have read-only access to Everyone.
>
> When I reformat, I turn off DMZ to my machine until I get it patched.  Running SP1a or SP2, I've never had a problem.  I don't even run Windows firewall.

On a side note, make sure the newest patches are applied.  There's exploit code out for another SMB vulnerability which can explode if somebody creates a worm from it.