One thing that I wish that consumer level router and firewall vendors would
change is the naming of their DMZ feature as the term DMZ implies safety, but
typically their implementation of the DMZ is anything but safe.
In a real DMZ configuration you have independent protection on both sides of
the system(s) in the DMZ such that even if the DMZ system were to be compromised
it would still be difficult to attack other systems on the internal LAN as shown
However consumer grade routers and firewalls are lacking both
External and Internal firewalls in their DMZ setup, which means if the
unprotected system in the DMZ were to become compromised then there is nothing
to prevent it from attacking the other systems on the LAN as shown below.
This is what makes use of the so called DMZ feature so dangerous as it could
easily lead to the infection of your entire LAN.
I do wish that consumer grade router and firewall vendors would
create some different name for their DMZ feature which gave a better indication
of the hazards involved in using it.
We recommend rather then using the DMZ functionality you
identify an forward only the required ports to the required system as at least
this minimizes your attack surface. NOTE it is not a perfect solution
however as if that system were to become infected it can still attack other
systems on your LAN.
Page last updated on
November 26, 2006