
Configuring Demilitarized Zone (DMZ)

Demilitarized Zone (DMZ)

A demilitarized zone (DMZ) is a special segment of the local network reserved for servers that must be accessible from the Internet. Access from this segment to the rest of the local network is not allowed — if a server in the DMZ is compromised, the attacker cannot use it to reach other servers and computers in the local network.

Configuring DMZ

As an example, consider the rules for a web server located in the DMZ. The demilitarized zone is connected to the DMZ interface, which belongs to the interface group Other Interfaces. The DMZ uses the subnet 192.168.2.x, and the web server's IP address is 192.168.2.2.

Now you will add the following rules:

  • Make the web server accessible from the Internet — by mapping the HTTP service to the server in the DMZ,

  • Allow access from the DMZ to the Internet via NAT (IP address translation) — required for the mapped service to work correctly,

  • Allow access from the LAN to the DMZ — this makes the web server accessible to local users,

  • Disable access from the DMZ to the LAN — protection against network intrusions originating in the DMZ. This is already covered globally by the default rule that blocks any other traffic; the explicit blocking rule is added here for better understanding.

Traffic rules for the DMZ
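To show how the four rules above interact under first-match evaluation and the default deny, here is an added example that models the rule set in Python and evaluates sample packets against it. It is not Kerio Control code and does not use any Kerio API; the DMZ subnet and web server address are taken from the page, while the LAN subnet (192.168.1.0/24), the firewall's public address (203.0.113.10) and the probe addresses are assumptions chosen from documentation ranges. The `dmz_isolated` check is the kind of test a reviewer would run over a rule set before deploying it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Network layout. DMZ subnet and web server are the page's values; the LAN
# subnet and the firewall's public address are assumptions for this example.
LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN subnet
DMZ = ipaddress.ip_network("192.168.2.0/24")   # page: 192.168.2.x
WEB_SERVER = "192.168.2.2"                      # page: web server in the DMZ
FIREWALL_PUBLIC = "203.0.113.10"                # assumed public address of the firewall


def zone_of(ip: str) -> str:
    """Map an address to the interface group it belongs to."""
    if ip == FIREWALL_PUBLIC:
        return "Firewall"
    addr = ipaddress.ip_address(ip)
    if addr in LAN:
        return "LAN"
    if addr in DMZ:
        return "DMZ"
    return "Internet"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str                      # "allow" or "deny"
    proto: Optional[str] = None      # None matches any protocol
    dport: Optional[int] = None      # None matches any port
    map_to: Optional[str] = None     # destination address for a mapped service
    nat: bool = False                # rewrite source to the firewall's public address

    def matches(self, pkt: Packet) -> bool:
        return (zone_of(pkt.src) == self.src_zone
                and zone_of(pkt.dst) == self.dst_zone
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass(frozen=True)
class Verdict:
    action: str
    rule: str
    src: str   # source address after translation
    dst: str   # destination address after translation


# The four rules from the page, in evaluation order.
RULES = [
    Rule("HTTP mapping", "Internet", "Firewall", "allow", "tcp", 80, map_to=WEB_SERVER),
    Rule("DMZ to Internet (NAT)", "DMZ", "Internet", "allow", nat=True),
    Rule("LAN to DMZ", "LAN", "DMZ", "allow"),
    Rule("DMZ to LAN", "DMZ", "LAN", "deny"),
]
DEFAULT_DENY = "default rule (block any other traffic)"


def evaluate(pkt: Packet, rules=RULES) -> Verdict:
    """First matching rule wins; anything unmatched falls through to the default deny."""
    for rule in rules:
        if rule.matches(pkt):
            if rule.action == "deny":
                return Verdict("deny", rule.name, pkt.src, pkt.dst)
            dst = rule.map_to or pkt.dst
            src = FIREWALL_PUBLIC if rule.nat else pkt.src
            return Verdict("allow", rule.name, src, dst)
    return Verdict("deny", DEFAULT_DENY, pkt.src, pkt.dst)


def dmz_isolated(rules=RULES) -> bool:
    """Sanity check: no allow rule may let traffic from the DMZ reach the LAN."""
    return not any(r.action == "allow" and r.src_zone == "DMZ" and r.dst_zone == "LAN"
                   for r in rules)


if __name__ == "__main__":
    # Constructed probe packets (documentation-range addresses, not real hosts).
    probes = [
        Packet("198.51.100.7", FIREWALL_PUBLIC, "tcp", 80),    # Internet -> mapped web server
        Packet("198.51.100.7", FIREWALL_PUBLIC, "tcp", 22),    # Internet -> unmapped port
        Packet(WEB_SERVER, "198.51.100.7", "tcp", 443),        # DMZ -> Internet via NAT
        Packet("192.168.1.20", WEB_SERVER, "tcp", 80),         # LAN -> DMZ
        Packet(WEB_SERVER, "192.168.1.20", "tcp", 445),        # DMZ -> LAN, must be blocked
    ]
    for p in probes:
        v = evaluate(p)
        print(f"{p.src}->{p.dst}:{p.dport}/{p.proto}  {v.action:5}  [{v.rule}]  "
              f"effective {v.src}->{v.dst}")
    print("DMZ isolated from LAN:", dmz_isolated())
```

The explicit "DMZ to LAN" deny rule is redundant with the default deny, exactly as the page says; the `dmz_isolated` check is still worth keeping because it catches a later allow rule that would silently override the isolation if it were placed earlier in the list.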

Hint

To make multiple servers in the DMZ accessible from the Internet, you can assign multiple public IP addresses to the firewall's Internet interface — so-called multihoming — and map one service per public address.
