I think, it’s a marketing buzzword, which unfortunately causes more confusion than benefit. How useful and how usable that is depends on exactly what that setting does. Sometimes it is simply a guest network, as explained above. Some use it to open one port of the integrated switch for all incoming traffic and block it for all other ports. And then I have seen various intermediate forms, sometimes quite adventurous.
In many cases, this function can be put to good use, e.g. to offer publicly accessible services from the home network, or to offer private services (e.g. directory synchronization, backup, photo archive, …) when you are on the road.
If you have any questions about the safe use of Fedora Server in your home network, don’t hesitate to ask (I am a member of the Fedora Server Working Group and am happy to hear from any user).
This is a misnomer. On the internet facing (WAN) side of any router connected to an ISP there is one IP address. On the LAN side there is an entire subnet, and the DMZ is, as you stated, an assigned IP for the DMZ host within that subnet. Most home routers do only allow a single subnet on the LAN side.
Not quite. Port forwarding involves the incoming port from the WAN side and on the LAN side both the IP and PORT to be forwarded to. Thus it still involves using the IP to identify the host the ‘service port’ is being forwarded to, as well as the port on that host to translate the connections for.
For example it is easy to forward a connection to port 80 (http) on the WAN side of the router with its internet IP and redirect it to IP 192.168.11.101 port 8888 on the LAN side. The external host on the internet never sees the IP nor port on the LAN side because of NAT and port forwarding.
Understanding the functioning of a DMZ it is easy to see that a DMZ is somewhat equivalent to a VLAN with a little more security built in. Unfortunately both still are part of a single physical network and it is possible to break through to the actual LAN, though more difficult than NOT using either a VLAN or DMZ.
The real trick for admins is to ensure that the ‘exposed’ host in the DMZ that is allowed incoming connections has no way to actually originate connections to the rest of the LAN but is only allowed incoming connections FROM those hosts.
This is a misunderstanding.
A host in the DMZ is not fullyexposed. An exposed host would be one that is directly connected to an internet IP with no router/firewall/NAT involved. The only protection for an exposed host is its own firewall and the specific services/ports it has open for access.
The DMZ is more like a VLAN that is isolated from the rest of the LAN and can have ports forwarded to it, but hosts there are not fully exposed. The router provides both firewall and NAT protection to the LAN and the DMZ. Hosts in the DMZ still use NAT through the router for all outgoing connections, and can only be reached by incoming connections through the router on specifically configured and forwarded ports.
Another way to look at a DMZ is that it is protected from attack from both the LAN and the internet since all communications to & from it must go through the router.
So can a server in a router’s DMZ connect to devices in the home network or is it entirely isolated? Will it be possible to connect to the server from my personal computer on the local network, or will I have to connect over the Internet?
Yes, as if it were purely on the LAN (which it is) .
I would however configure the firewall on the DMZ host to only allow LAN connections from you main PC on the LAN.
This is subject to how the router manages it and how the DMZ host firewall is configured. Mostly no. The DMZ is intended to isolate that host from other LAN devices for security.
LAN hosts can connect to the DMZ host, but DMZ hosts are not intended to connect to the LAN hosts. Think of it as an actual DMZ. Hosts from outside (both LAN and WAN) can make limited connections to hosts in the DMZ, but hosts from the WAN are prevented from going beyond and into the actual LAN.
The technical concept of a router is that it receives an arbitrary number of different IP addresses and forwards each to the suitable IP subnet connected to any of the other ports. It operates on layer 3 of the OSI model.
It is a specific feature of a “home” network connection that the provider assigns only one IPv4 address. In principle, you can rent several IPv4 addresses from any provider if you pay the corresponding price. And some companies are doing just that.
And a typical “home router” is really not a router at all, because it does not simply route between subnets on an IP basis. Rather, NAT (Network Address Translation) / PAT (Port Address Translation) is involved (this is OSI Layer 4) and the device can deal with only one IP address on the WAN side. It is therefore better to speak of a gateway and thus perhaps avoid some misunderstandings.
And because there is only one IP(v4) Address and nothing. else, there is from the outside there just no DMZ. So you simply can’t use DMZ based security concepts against attacks from the public network. DMZ is simply misleading here.
If you want to have a DMZ on the internal network, the gateway device has to provide at least 2 distinct subnets on the internal side, either by hardware through ports or by vlan. As you stated, a typical home network gateway provides just one internal network. So, there is no DMZ on the internal side either, nor can you use DMZ based security concepts on the internal side.
All these terminological things may seem like splitting hairs. But when the different technical concepts are mixed up, it leads to wrong or unsuitable configurations - see the answer to nonof’s question above.
An “is possible” to both sub-questions, indeed. But communication channels, potential attack vectors and risk weighing and precautions follow different patterns.
@fdr97 This is why in general I don’t recommend using a “home router” if you plan to have a host that is world accessible. At a minimum something that can run a routing/firewall centric distro (PFSense, OPNSense), with a minimum of 3 preferably 4 ports so you can have one for WAN, one for LAN, one for WLAN (Wireless Access Point with vlans), and one for a DMZ (admittedly not a dual firewall DMZ, but it will work for an at home setup). After that it is all about the firewall configuration. Generally speaking I allow nothing to enter the LAN from the DMZ, and only one device is allowed to connect to it from the LAN.
Ultimately it comes down to your risk assessment and what you are comfortable with risking. If you are just stepping into this space, do all the research you can, before you deploy.
In a single router/firewall appliance scenario you are wide open regardless of how you set up your network once the appliance is compromised. It is game over, physically disconnect the incoming ethernet and assess the damage.
Your question was if the router was compromised? Is the host in the DMZ connected to the router? It must be in some fashion. So if the router gets compromised, the bad actor has access to your whole network.
The isolation is not in hardware, but in the firmware. For most gateway devices, you are even able to switch it on or off. If the device is compromised, there is no reliable isolation anymore. In general, you can’t say anything about possible damage, it depends on the details of the compromise.
The DMZ server compromised is a definite risk since it is on the same network, simply isolated by the router config.
It would be greater risk if the router were compromised as asked above since now the original protection is no longer there and the DMZ may be no longer isolated from the LAN.
Any additional tweaks the user makes to add to security is usually a good thing. Security is never a one-and-done thing but consists of layer upon layer of security features, which requires an attacker to penetrate multiple layers before they are able to cause measurable harm.
It has become a long discussion. I think there is no 100% security available. And what’s going on further on your LAN? How many ramsomware is installed by an accidental click on a link in a wrong email? The only way to maximize the protection of your lan is having no server or a virtual private server, which might be offered with Fedora by the way. Directly to the internet in that case. In one post pfsense is mentioned, it is free, runs on BSD and can be easily installed in a Fedora virtual machine, you can learn a lot about managing a firewall going into professional direction, but web managed. And it does not use the term DMZ, you have to configure it yourself by VLAN en firewall.