It was time to replace my home firewall. This website is hosted on a server at home. Proper procedures dictate that it sits on a network segment apart from the other computers in the house. This (as most people reading this know) would be a DMZ or DeMilitarized Zone.
In the illustration, you see that the Webserver sits outside the castle, there’s a moat between the castle and the bad guys (the DMZ) and that there’s still a guard gate protecting access to the webserver.
There were other criteria in the replacement: low power, no moving parts. Further, in a toaster solution, where there’s a USB port that can print, offer up multimedia, backups, and whatnot, just how wise is it to have your personal data sitting on the EXACT SAME piece of hardware that is keeping the baddies out? Because it’s not like they ever have problems.
So I grabbed a Linksys wifi/router/toaster at Costco and wandered home.
Your DMZ (if you have nothing to lose)
The DMZ feature allows one network user to be exposed to the Internet for use of a special-purpose service such as Internet gaming or videoconferencing. DMZ hosting forwards all the ports at the same time to one PC. The Port Range Forwarding feature is more secure because it only opens the ports you want to have opened, while DMZ hosting opens all the ports of one computer, exposing the computer to the Internet.
Hold the phone. One network user… exposed to the Internet. That’s no protection! Further, step four in the Hacker’s handbook, after Reconnaissance, Exploiting, and Ensuring Continued Access, is to see what other assets are out there.
In this illustration, there is no moat, there is no guard gate, and just a rope (and a prayer) keeping the baddies away.
So, when my slightly out of date WordPress installation is popped, the next thing the kiddie is gonna do is: install Nmap, look at the local network, then actively rape the home fileserver.
If I’m lucky. If I’m not, he’ll also use up all my toner, and finish Halo: Reach for me.
“Well!” Says I, “No big deal, I chose my firewall/Router/Basestation/Toaster because it’s WELL supported in the OpenSource community!”
Only the open source community treats it the same way: pick an IP address to throw to the wolves (and hope your server hardening skillz are up to snuff).
Port Forwarding is no Protection
The reason for this is simple: the router ALREADY has a facility to redirect specific ports to specific IP addresses, so it’s easy for them to place a rule at the bottom of the list that says “and send everything else to the Sacrificial Lamb at IP address 192.168.1.12.” They get to CALL it something fancy, a DMZ, but in reality it’s just an extra line in the NAT table. But if someone gets to your server through NAT, they’re still INSIDE your network!

The correct solution would be to have a separate port on the firewall, dedicated to another subnet, in much the same way that your firewall has one WAN port and four LAN ports. One of the aftermarket replacement firmwares should optionally let you take port 4, place a machine on it in a different subnet, then route accordingly. They don’t, because it adds a whole ’nother level of complexity to their network stack, and could confuse the luser, raising helpdesk costs. Which is bad. Best to just let them FEEL like they’re protected.

True DMZ functionality is provided by $300 routers (like this and this, but not this, unless you cough up more money for a better license) and home built solutions using a PC and better software (like this and this), but the first option is expensive, and the second option is a powerhog.
A 15-year-old solution to, apparently, a modern-day problem.
Once upon a time, hardware was expensive. It was conceivable that your hot new firewall had _two_ network ports on it. A guzzinta and a guzzouta. Soon thereafter, they hit upon the idea of separating your public facing servers from your internal data. You’d create a bastion host, throw the low-severity stuff on there, and only grant access to that. Then along came the DMZ…using two (expensive) firewalls. You’d have an outside firewall, and an inside firewall, and the bastion host (typically serving web, ftp, mail, irc, usenet news, and gopher!) would sit between them. (Eventually, they just put additional interfaces on your firewall, saving you the expense of a second one)
Luckily, I had a spare firewall laying about with an old, slow 802.11b wireless. It became my outside firewall (with the added benefit of giving me a true Guest Access wireless basestation), and the new firewall was added to one of its LAN ports. Adding that second firewall, for a real DMZ, can be as cheap as $20. Plus, it lets you have more than one device out in the DMZ: throw your Webserver, Xbox360, Wii, Nintendo DS (with uber WEP encryption) on the outside network, keeping your new hot firewall with WPA2, Hard Disk Backup, and Print services safe and secure behind it. By opening up NO ports on the inside firewall, it’s invisible to the webserver if it’s been compromised. If they somehow manage to put a network listener on your webserver, it’s conceivable they might hear some traffic to let them know there’s another network device on the network, but it becomes near impossible to crack it from the DMZ.
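To make the difference concrete, here is an added example (my own, not code from the original post) that models the three setups described above as zone-based packet-filter policies: a consumer router with “DMZ host” turned on, the same router with only port 80 forwarded, and the two-firewall layout with nothing opened on the inside firewall. The addresses are constructed for the example (192.168.0.0/24 as the DMZ segment, 192.168.1.0/24 as the inside LAN, 203.0.113.5 as an outside client, 192.168.1.20 as the file server); the post itself only names 192.168.1.12. NAT is folded into the forwarding rules, new connections are judged statelessly, and two hosts on the same switched segment are treated as unfiltered, because the firewall never sees that packet.

```python
"""Model the DMZ-host, port-forward and two-firewall designs as packet-filter policies.
Constructed example: addresses and rule sets are illustrative, not a real config dump."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Rule:
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]      # None matches every destination port
    action: str               # "accept" or "drop"

    def matches(self, src_ip: IPv4Address, dst_ip: IPv4Address, dport: int) -> bool:
        return (src_ip in self.src and dst_ip in self.dst
                and (self.dport is None or self.dport == dport))


@dataclass
class Firewall:
    name: str
    inside: Dict[str, List[IPv4Network]]   # interface name -> networks reached through it
    rules: List[Rule] = field(default_factory=list)

    def interface_for(self, ip: IPv4Address) -> str:
        for iface, nets in self.inside.items():
            if any(ip in n for n in nets):
                return iface
        return "wan"           # everything else lies behind the default route

    def decide(self, src_ip: IPv4Address, dst_ip: IPv4Address, dport: int) -> str:
        """Verdict for a NEW connection. Only forwarded (cross-interface) packets are filtered."""
        if self.interface_for(src_ip) == self.interface_for(dst_ip):
            return "accept"    # same switched segment: the firewall never sees the packet
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip, dport):
                return rule.action
        return "drop"          # default deny for forwarded traffic


def reachable(path: List[Firewall], src: str, dst: str, dport: int) -> bool:
    """A flow succeeds only if every firewall on the path accepts it."""
    s, d = ip_address(src), ip_address(dst)
    return all(fw.decide(s, d, dport) == "accept" for fw in path)


ANY = ip_network("0.0.0.0/0")


def host(ip: str) -> IPv4Network:
    return ip_network(ip + "/32")


def consumer_router(dmz_host: bool) -> List[Firewall]:
    """One flat LAN. 'DMZ host' forwards every port to 192.168.1.12; otherwise only port 80."""
    lan = ip_network("192.168.1.0/24")
    rules = [Rule(ANY, host("192.168.1.12"), None if dmz_host else 80, "accept"),
             Rule(lan, ANY, None, "accept")]                  # LAN may go out
    return [Firewall("router", {"lan": [lan]}, rules)]


def two_firewalls() -> List[Firewall]:
    """Outside firewall fronts the DMZ; inside firewall has NO inbound rules at all."""
    dmz, lan = ip_network("192.168.0.0/24"), ip_network("192.168.1.0/24")
    outside = Firewall("outside", {"inside": [dmz, lan]},
                       [Rule(ANY, host("192.168.0.12"), 80, "accept")]   # only the web port comes in
                       + [Rule(n, ANY, None, "accept") for n in (dmz, lan)])
    inside = Firewall("inside", {"lan": [lan]},
                      [Rule(lan, ANY, None, "accept")])       # LAN initiates; nothing else is accepted
    return [outside, inside]


def audit(path: List[Firewall], webserver: str) -> Dict[str, bool]:
    """Which flows succeed? The 'web->files' row is the post-compromise pivot the post worries about."""
    attacker, fileserver = "203.0.113.5", "192.168.1.20"     # constructed sample addresses
    return {
        "internet->web:80":    reachable(path, attacker, webserver, 80),
        "internet->web:22":    reachable(path, attacker, webserver, 22),
        "internet->files:445": reachable(path, attacker, fileserver, 445),
        "web->files:445":      reachable(path, webserver, fileserver, 445),
        "lan->web:80":         reachable(path, fileserver, webserver, 80),
    }


if __name__ == "__main__":
    for title, path, web in (("DMZ host", consumer_router(True), "192.168.1.12"),
                             ("port 80 forwarded", consumer_router(False), "192.168.1.12"),
                             ("two firewalls", two_firewalls(), "192.168.0.12")):
        print(title)
        for flow, ok in audit(path, web).items():
            print(f"  {flow:<22} {'ALLOWED' if ok else 'dropped'}")
```

The row to watch is web->files:445. It is allowed in both consumer-router variants, because the compromised webserver and the file server share a switch and the router never sees the packet; only the inside firewall in the two-firewall layout drops it, while the LAN can still reach the webserver and the Internet can still reach port 80.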