Koozali.org: home of the SME Server

DMZ with SME. Secure?

cydonia

DMZ with SME. Secure?
« on: November 25, 2004, 03:05:25 AM »
I have done a bit of searching, but found nothing definitive.

I have just bought a new modem which supports DMZ, and am thinking about just putting my SME server into Server Only mode, and using DMZ from the modem to open it up to the net.

I use my server mainly for the following;

- File Server
- Private Web Server
- Public Web Server
- VoIP


Would this pose a major security threat to use DMZ like that?  I would prefer not to have to bring another device into the equation in the form of a firewall between the modem and the server, but if it has to be done, it has to be done...


Thanks.
Tristan

Boris
DMZ with SME. Secure?
« Reply #1 on: November 26, 2004, 08:40:50 AM »
Verify what the DMZ definition is in the modem (I assume a DSL router-gateway with some firewall features). Most residential routers define DMZ as "the host where ALL the packets go, unless forwarded otherwise".
It is not secure.
If you can close ALL the traffic to the DMZ and then open different ports from the LAN and from the Internet, then it's worth looking into.
...

mbachmann

DMZ with SME. Secure?
« Reply #2 on: November 26, 2004, 01:17:44 PM »
DMZ is often confused with "exposed host". A DMZ is usually separated from the Internet through a packet filter and from the LAN through a second packet filter.

internet - packet filter - DMZ - packet filter - LAN.

I think the SME firewall/packet filter is much better than some router firewall. So what's the real purpose of putting the SME in a DMZ?

cydonia

DMZ with SME. Secure?
« Reply #3 on: November 26, 2004, 06:45:29 PM »
Well, DMZ was the recommendation of a guy in the computer shop.

But, it ended up being easier to just keep the server as server-gateway, and put the modem into bridge mode.

DMZ would have just been another thing I had to worry about when configuring external access for VoIP, HTTP etc...

Thanks for the advice anyway:)

MSmith
Don't expose box in "Server Only" mode to Internet
« Reply #4 on: November 27, 2004, 04:34:05 PM »
Because "Server Only" is designed to be used WITHIN a LAN.  If your "DMZ" is truly "exposed host" you will have the entire Internet as your LAN and all SME's protections will be for naught.
...

ryan

DMZ with SME. Secure?
« Reply #5 on: December 05, 2004, 07:25:04 AM »
I use DMZ on IPCop and connect my SME external NIC to this DMZ.  I do this for sites that have only a single public Internet IP available.  Check out www.ipcop.org.  This is secure as IPCop will only pass ports you open to a specific IP address on the DMZ.  With this setup, your LAN has 2 Internet gateways, the SME and IPCop LAN addresses.  Make sure you don't have both running DHCP!!!!

ryan

Boris
DMZ with SME. Secure?
« Reply #6 on: December 05, 2004, 10:10:42 PM »
IPCop is a "real" firewall and it defines DMZ as "protected but partially available from the Internet, a network separate from the internal LAN".
Residential router-firewall-gateways are very different, and DMZ has the opposite meaning for most of them.
...
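The distinction drawn in replies #2, #5 and #6 (a residential "exposed host" versus a DMZ sitting between two packet filters) can be made concrete by running the same sample packets through both policies. The following is an added example written for this page; it is not code from SME Server, IPCop, or any poster in the thread. The zone names follow IPCop's colours (red = Internet, orange = DMZ, green = LAN), and the interface names, subnets, host addresses, published ports and sample packets are all assumed for illustration. Protocol is ignored, and the rendered iptables rules treat the published ports as TCP.

```python
"""Packet-filter policy model: residential 'exposed host' versus a real DMZ.

Added example; not code from SME Server, IPCop or any poster. Zone colours
follow IPCop (red = Internet, orange = DMZ, green = LAN). Interfaces,
subnets, hosts and sample packets are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumed addressing: one subnet per filtered zone; anything else is "red".
ZONES = {
    "orange": ipaddress.ip_network("192.168.100.0/24"),  # DMZ
    "green": ipaddress.ip_network("192.168.1.0/24"),     # LAN
}
IFACES = {"red": "eth0", "orange": "eth2", "green": "eth1"}  # assumed NICs
DMZ_HOST = "192.168.100.10"       # SME external NIC when it sits in the DMZ
EXPOSED_HOST = "192.168.1.10"     # SME on the LAN as a router "exposed host"
PUBLISHED = frozenset({80, 443})  # public web server; VoIP would add UDP ports


def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "red"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str                        # "ACCEPT" or "DROP"
    dst_ip: str | None = None          # None = any host in dst_zone
    dports: frozenset | None = None    # None = any port

    def matches(self, pkt: Packet) -> bool:
        return (zone_of(pkt.src) == self.src_zone
                and zone_of(pkt.dst) == self.dst_zone
                and (self.dst_ip is None or pkt.dst == self.dst_ip)
                and (self.dports is None or pkt.dport in self.dports))

    def iptables(self) -> str:
        """Equivalent FORWARD rule for new connections; replies are assumed
        to be allowed by a separate ESTABLISHED,RELATED rule."""
        parts = [f"iptables -A FORWARD -i {IFACES[self.src_zone]}"
                 f" -o {IFACES[self.dst_zone]}"]
        if self.dst_ip:
            parts.append(f"-d {self.dst_ip}")
        if self.dports:
            ports = ",".join(str(p) for p in sorted(self.dports))
            parts.append(f"-p tcp -m multiport --dports {ports}")
        parts.append(f"-m conntrack --ctstate NEW -j {self.action}")
        return " ".join(parts)


def evaluate(rules: list[Rule], pkt: Packet) -> str:
    """First matching rule wins; an unmatched new connection is dropped.
    Traffic that stays inside one zone never crosses the filter at all."""
    if zone_of(pkt.src) == zone_of(pkt.dst):
        return "UNFILTERED"
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "DROP"


# Residential-router "DMZ": the SME box is on the only LAN and every
# unsolicited Internet packet, on every port, is forwarded to it.
EXPOSED_HOST_RULES = [
    Rule("red", "green", "ACCEPT", dst_ip=EXPOSED_HOST),
    Rule("green", "red", "ACCEPT"),
]

# Real DMZ: internet - packet filter - DMZ - packet filter - LAN.
REAL_DMZ_RULES = [
    Rule("red", "orange", "ACCEPT", dst_ip=DMZ_HOST, dports=PUBLISHED),
    Rule("green", "orange", "ACCEPT"),   # LAN may administer the DMZ host
    Rule("orange", "green", "DROP"),     # a compromised DMZ host cannot
    Rule("orange", "red", "ACCEPT"),     # DMZ host may still reach out
    Rule("green", "red", "ACCEPT"),
]


def decisions(rules: list[Rule], host: str) -> dict[str, str]:
    """Run constructed sample packets through one policy."""
    attacker = "203.0.113.7"   # constructed Internet address (TEST-NET-3)
    lan_pc = "192.168.1.20"    # constructed LAN workstation
    return {
        "internet->host:80": evaluate(rules, Packet(attacker, host, 80)),
        "internet->host:22": evaluate(rules, Packet(attacker, host, 22)),
        "internet->host:445": evaluate(rules, Packet(attacker, host, 445)),
        "internet->lan_pc:445": evaluate(rules, Packet(attacker, lan_pc, 445)),
        "host->lan_pc:445": evaluate(rules, Packet(host, lan_pc, 445)),
        "lan_pc->host:22": evaluate(rules, Packet(lan_pc, host, 22)),
    }


if __name__ == "__main__":
    for name, rules, host in (("exposed host", EXPOSED_HOST_RULES, EXPOSED_HOST),
                              ("real DMZ", REAL_DMZ_RULES, DMZ_HOST)):
        print(f"== {name} ==")
        for flow, verdict in decisions(rules, host).items():
            print(f"  {flow:<22} {verdict}")
        for rule in rules:
            print("  " + rule.iptables())
```

Running it shows the two points the thread makes: under the exposed-host policy SSH and SMB on the SME box are reachable from the Internet just as HTTP is, and a compromise of that box puts the attacker on the LAN unfiltered; under the two-filter policy only the published ports are reachable and the DMZ host cannot open connections into the LAN. In server-gateway mode with the modem bridged, SME's own packet filter plays the role of the first filter, which is what the original poster settled on.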

lajgaard

DMZ with SME. Secure?
« Reply #7 on: December 07, 2004, 03:19:01 PM »
I am moving to a new location and am thinking of changing my setup.

At the moment my SME acts as server-gateway and is connected directly to the Internet on the WAN NIC, while handling my local network on the LAN NIC.

In the new setup I am adding a VoIP adapter, which needs to get priority over all other traffic. I am also thinking about adding wireless capabilities to the setup. That gives me a few problems, which you might be able to help me with.

The best solution for the VoIP adapter and wireless LAN is to buy a wireless router with QoS capabilities like the Linksys WRT54G. But that leaves a problem with my server. I have heard that having a DHCP server within a DHCP server might not be a good idea.

On the other hand it would be a bad idea to have a wireless AP within the server because of the security risk.

Can any of you see a solution to this setup problem?

/Carsten

ryan

DMZ with SME. Secure?
« Reply #8 on: December 07, 2004, 03:26:16 PM »
IPCop 1.4.1 has traffic priority for VoIP or other traffic you define.  It also has a 'blue' wireless zone which is another 'green' LAN.  There are four zones:  red (Internet), orange (DMZ), green (LAN), blue (WiFi LAN).

If you're researching, look at the monowall firewall as well.

ryan

lajgaard

DMZ with SME. Secure?
« Reply #9 on: December 08, 2004, 09:13:33 PM »
Thank you for your reply Ryan. I have looked at your suggestions and am impressed by the diversity these distributions offer. However I don't think IPCop can satisfy my needs on QoS since it is restricted to port numbers. Monowall is much more promising and I will keep a close eye on its development.

But maybe I should post a suggestion for adding the functionalities to SME. Support for an extra NIC and QoS would improve the functionalities of the distro and update it to more recent demands. I am sure I am not the only one adding wireless LAN and VoIP to my network at home.