Re: Port Scanning on WAN IP of Speedtouch 530
comp.security.firewalls archive


From: <rick@bcm.tmc.edu>
Date: Mon Mar 20 2006 - 17:05:13 CET

Duane Arnold wrote:
> The purpose of the DMZ is to take a single IP/machine behind the NAT
> router and completely expose the computer/its ports to the public
> Internet. That means all ports 65,535 TCP and 65,535 UDP ports are
> exposed to the public Internet opening all the inbound ports for that
> computer to the public Internet, instead of using port forwarding to
> selectively open inbound ports.
>

No... the purpose of a DMZ is to create a security zone that can exist to be more open than the internal network. You would place hosts into the DMZ that you would expose to the internet. You would then have rules in place that define the traffic that can pass from those hosts to your internal network. You should never open a host to all ports but only those ports that it needs to have open. The goal of the DMZ zone is to provide some protection to the internal LAN when the host in the DMZ is compromised.

People still need to follow the same methodology in deciding what ports need to be opened. This is a decision that depends on the requirements of the user.

> Sometimes, there is a need to just stick the whole computer into the DMZ
> so that it can be accessed by the public. But that would be done by
> someone that knew what he or she was doing to protect the O/S and other
> software running on the computer that was being put into the DMZ. You
> can use Google to further understand why a computer would be setting in
> the DMZ of any FW solution. But I suggest that you not do it or not use
> the DMZ. You should keep your computer out of the DMZ at all costs, if
> you ever get a solution that has a DMZ.
> >

If you have only one computer it does not matter, the exposure is the same. A DMZ only makes sense if you have more than one computer and you have a requirement to open one of those systems to the internet for selected types of access.

Please bear in mind that this applies to a solution that allows full
configuration of the firewall device and the ability to define a
coherent policy for all zones.
Received on Mon May 1 01:00:08 2006
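As an added illustration (not from the thread or either poster), the following nftables ruleset for a three-interface firewall implements the zoned policy described above: the internet reaches the DMZ host only on the ports it needs, the LAN may initiate to the DMZ, and the DMZ host can never initiate into the LAN. Interface names, addresses and the published ports (80/443) are assumed example values.

```nftables
#!/usr/sbin/nft -f
# Assumed topology (example values, not from the thread):
#   wan0 -> public Internet
#   lan0 -> internal LAN, 192.168.1.0/24
#   dmz0 -> DMZ segment, 192.0.2.0/24, exposed host at 192.0.2.10
flush ruleset

table inet zones {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections that were permitted below
        ct state established,related accept
        ct state invalid drop

        # Internal LAN may initiate to the DMZ and to the Internet
        iifname "lan0" oifname { "dmz0", "wan0" } accept

        # Internet reaches the DMZ host only on the ports it needs,
        # not "all 65535 TCP and UDP ports"
        iifname "wan0" oifname "dmz0" ip daddr 192.0.2.10 tcp dport { 80, 443 } ct state new accept

        # DMZ host may reach the Internet (updates, DNS, etc.)
        iifname "dmz0" oifname "wan0" accept

        # A compromised DMZ host must not be able to initiate into the LAN.
        # Redundant with the drop policy, but explicit and counted so the
        # attempts are visible in `nft list ruleset`.
        iifname "dmz0" oifname "lan0" counter drop
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Forward only the published ports to the DMZ host
        iifname "wan0" tcp dport { 80, 443 } dnat to 192.0.2.10
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}
```

A consumer router's "DMZ host" option puts the exposed machine on the same segment as the LAN, so the dmz0-to-lan0 rule has no equivalent there; that is the distinction the last paragraph of the post is drawing.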