Netgate Discussion Forum
    What is the difference between DMZ and LAN?

    Traffic Shaping
      kejianshi

      Ummmmm…  Night and day?

      DMZ is all exposed to the net and LAN is usually not exposed at all.

        Derelict LAYER 8 Netgate

        https://en.wikipedia.org/wiki/DMZ_%28computing%29

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          P3R

          @FroToast:

          I've seen this term DMZ before and I've done a bit of scavenging online and found out that a DMZ is a separate subnet from your local area network that has all ports open and is vulnerable to attack from the internet.

          I'd say that normally (there may be special cases) only stupid or very lazy people have a DMZ deliberately wide open.

          Just like with every other network, a DMZ should only be as open as is required for the necessary services to run. The definition of a DMZ to me is that it contains the server(s) exposed to the outside world and therefore needs to have at least some service(s) open.

          Also with outbound rules, I'd say that it makes much sense to have very restrictive rules on a DMZ.

            FroToast

            So, my guess as to what a DMZ is was correct. However, what I don't understand is why the poster of this thread indicated his second interface to be a DMZ. He has set up his firewall rules based on the ones in the LAN. What's the difference here?
            https://forum.pfsense.org/index.php?topic=95324.0

            I'm assuming pfSense automatically sets up the LAN in a way that it would block and allow the appropriate ports. <-- By default upon first setup and installation.

              P3R

              @FroToast:

              However, what I don't understand is why the poster of this thread indicated his second interface to be a DMZ. He has set up his firewall rules based on the ones in the LAN. What's the difference here?

              I couldn't be bothered to read the thread carefully (it's detailed and to me uninteresting) but as far as I can tell from a glance he copied the LAN default allow rule, so no restrictions whatsoever on outgoing traffic. The big difference with the DMZ is that in addition to not having any outbound rules, one host is also wide open from the outside. So yes, it's a very unsafe DMZ.

              The rest of the thread discusses that he should have used UPnP instead. I don't like UPnP either but if it is absolutely necessary for the application, UPnP on a DMZ is much, much better than what he did.

              I'm assuming pfSense automatically sets up the LAN in a way that it would block and allow the appropriate ports. <-- By default upon first setup and installation.

              The LAN by default allows everything going out. It's a default setting that could be questioned, but I guess the thinking is that the default should be the same as on all home routers, to lower the learning threshold for those moving up from that simple environment. It's very easy for all those that have a clue about security to remove the default allow rule and thereby get the recommended default deny. Of course traffic initiated from the outside (WAN interface rules) is by default denied.

              But defaults are only that, something to start your own configuration from. It's not what you use.

                Derelict LAYER 8 Netgate

                There is also confusion about the term DMZ.

                Consumer router manufacturers use DMZ to mean the inside IP address to which all unsolicited traffic into WAN is forwarded.

                That is completely different from what an actual firewalled DMZ network segment is.

                  Guest

                  What is the difference between DMZ and LAN?

                  Often administrators fall into a trap because they have servers that must have contact with the Internet,
                  but by opening ports they would expose their entire LAN, which would then be reachable from the Internet.
                  To work around this they leave the LAN side untouched and create a so-called DMZ where they
                  can place their servers, opening ports and forwarding them to those servers so that they can work
                  as they were made to. There are three main versions of a DMZ and many, many hundreds or perhaps
                  thousands of subversions.

                  • Exposed host = pseudo DMZ
                  • Real & dirty DMZ = one device with a dedicated or hardware-realized DMZ port
                  • Real & clean DMZ = two devices (border & LAN firewall) and between them is the so-called DMZ

                  I've seen this term DMZ before and I've done a bit of scavenging online and found out that a DMZ is a separate subnet from your local area network

                  It is the subnet with all devices inside that have direct or indirect contact with the Internet,
                  which can harm the entire LAN, and to separate these devices and the security point from the LAN
                  a DMZ is mostly a really good choice for an administrator.

                  that has all ports open and is vulnerable to attack from the internet. Correct me if I'm wrong : )

                  You will mostly be wrong with this statement, for sure! In some rare cases it would be good to have all ports
                  opened, if you run a "honey pot" or you test out some things for a longer time in a lab.

                  Creating a DMZ is quite easy, but defending and securing this DMZ with all the servers inside is the real
                  goal for admin guys, as I see it. So I even want to set up a DMZ to place some devices inside that must
                  be reached from the outside or through the Internet, like NAS, iTV, gaming console, Internet radio, etc.,
                  so no ports must be opened, but all devices can be easily reached via VPN and they are not disturbing the
                  entire LAN traffic or causing issues there. So with no opened ports at the WAN interface a home
                  user is not in the situation of having to secure or defend his DMZ against somebody.

                    P3R

                    @Derelict:

                    Consumer router manufacturers use DMZ to mean the inside IP address to which all unsolicited traffic into WAN is forwarded.

                    Yes unfortunately that marketing lie is what most people think is a DMZ. That's probably also the reason so many think a DMZ must/should be wide open…

                      AndroBourne

                      I'd have to agree with some others here. A DMZ is simply a fully open zone that allows all inbound traffic to a said subnet.

                      It differs from a normal subnet because a normal subnet would be firewall protected and only allows inbound traffic via rule sets. However a DMZ simply says "fuck it, I'm lazy" and allows all inbound traffic to said subnet and devices in the subnet.

                      The only two reasons I would ever recommend using a DMZ are for troubleshooting, such as NAT issues with the PlayStation. The PlayStation could be placed on a DMZ to get full NAT, troubleshoot which ports are used, etc...

                      Or for a honey pot, which is basically just a device you set out to the open world to allow attackers to attempt to hit it, to record their information and report them, or for penetration testing reasons, etc...

                      Other than that, I'd never recommend using a DMZ. Instead use a firewall protected subnet and make rule exceptions as needed to that subnet.

                        jahonix

                        @AndroBourne:

                        A DMZ is simply a fully open zone that allows all inbound traffic to a said subnet.

                        Just not correct.

                        But that was discussed two years ago so it's probably not really useful to revive this old thread.

                          AndroBourne

                          @jahonix:

                          @AndroBourne:

                          A DMZ is simply a fully open zone that allows all inbound traffic to a said subnet.

                          Just not correct.

                          But that was discussed two years ago so it's probably not really useful to revive this old thread.

                          I'm a network engineer. I do this type of stuff for a living.

                          Every firewall vendor defines a DMZ differently. WatchGuard, for example, is simply another isolated subnet, however still secured by the firewall and not completely open to the internet. A SonicWall is a totally different story. It is as I described: an isolated open subnet that allows all inbound traffic to said host.

                          Either way it's defined, a DMZ is a lazy man's method. You are better off creating a secondary secure subnet/interface and controlling the traffic properly with port triggering/forwarding.

                          Also there is nothing wrong with reviving an old thread if it is still relevant. There is actually no reason for restarting a thread on the same topic if it has already been covered... it is also on top of searches within the pfSense forums and still an open thread.

                          Just for your knowledge...

                          https://www.draytek.com/en/faq/faq-connectivity/connectivity.lan/whats-the-difference-between-dmz-host-and-dmz-subnet/

                          "Setting up a DMZ host will open a single host completely to the WAN, and all packets will be forwarded to this single host"

                          and then follow the exceptions, such as set port forwarding rules or policies, etc...

                            Guest

                            In the former days, depending on many different network layouts or constructions, or plainly based on many different needs,
                            late in the 70s and early 80s, three main types of demilitarized zones (DMZs) were defined at SANS USA, plus
                            one subdivision of one of them. And to this day "we" are all able to speak about the same thing if we say
                            we have this or that type of DMZ. That makes things much easier, and we don't talk about something on the right side
                            while all the people or listeners are looking to the left side! That is why I am talking about it in this direction; others may
                            also have other opinions and knowledge on this and for sure I don't want to bother them, but that's how I know it to be right.

                            DMZ 1 - A real DMZ (Dual homed or bastion host)
                            Two routers or firewalls behind each other (router cascade)

                            DMZ 2 - "Pseudo DMZ"
                            It is an "exposed host" that lets all traffic unfiltered through

                            DMZ 3 (a) - Unreal DMZ (One device with a DMZ Port)
                            One firewall or router with a dedicated port that homes the DMZ subnet, ports can be opened and protocols can be forwarded

                            DMZ 3 (b) - Unreal DMZ (One device with a own and dedicated hardware DMZ port)
                            The same as variant (a) but the DMZ port is not connected to the internal switch chip or CPU as the other ports

                            There will for sure be hundreds to thousands of other available constructs and possible ways to go, but they can all be
                            pointed to one of these three main types of DMZs. So that we are all talking about the same thing!

                            If I set up an unreal DMZ, I don't have to open all ports and allow all protocols; I only need to open and forward what the servers
                            inside the DMZ are offering as a service, nothing more. And this can be inspected by DPI or, usually in this case, with an
                            IDS/IPS system. Also a proxy can sit between the servers and the internet so that no one has direct contact with those servers to play
                            with.

                            A DMZ is a lazy man's method.

                            And now the master question here: what kind of DMZ are you talking about in that case?

                            You are better off creating a secondary secure subnet/interface and controlling the traffic properly with port triggering/forwarding.

                            If someone is demanding a bigger security requirement than others, perhaps a firewall with a dedicated DMZ port is the
                            baseline he should walk on.

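The ruleset below is an added example written for this page, not code from any post above or from the pfSense project. It puts into pf.conf syntax (the packet filter pfSense runs on, written by hand here rather than exported from the pfSense GUI) what P3R's post describes for the LAN (drop the default "allow everything out" and get default deny) and what the last Guest post calls the "unreal DMZ" on a dedicated port: only the service the DMZ host actually offers is forwarded from WAN, the DMZ can never reach the LAN, and DMZ outbound is limited to what the server needs. The consumer-router "exposed host" that Derelict contrasts with a real DMZ is shown commented out so the difference is one line. Interface names (em0/em1/em2), the subnets and the web server address are assumptions for illustration.

```pf
# Assumed interface names and addressing (illustrative, not from the thread)
ext_if = "em0"            # WAN
lan_if = "em1"            # LAN
dmz_if = "em2"            # dedicated DMZ port
lan_net = "192.168.1.0/24"
dmz_net = "10.10.10.0/24"
web_srv = "10.10.10.10"   # the one server the DMZ is there to expose

set skip on lo0

# --- Translation rules (must precede filter rules in FreeBSD pf) ---

# Outbound NAT for both inside networks
nat on $ext_if from { $lan_net, $dmz_net } to any -> ($ext_if)

# Weak setting: the consumer-router "DMZ host" / exposed host. Every unsolicited
# packet arriving on WAN is handed to one inside machine. Left commented on purpose.
# rdr on $ext_if proto { tcp, udp } from any to ($ext_if) -> $web_srv

# Correct setting: forward only the service the DMZ host offers (HTTPS here)
rdr on $ext_if proto tcp from any to ($ext_if) port 443 -> $web_srv port 443

# --- Filter rules (last match wins unless "quick") ---

# Default deny in every direction on every interface; log for review
block log all

# WAN: only the forwarded service reaches the DMZ host (address is post-rdr)
pass in on $ext_if proto tcp from any to $web_srv port 443 flags S/SA keep state

# LAN: this single line is the pfSense "Default allow LAN to any" rule P3R
# mentions. Delete it and add explicit per-service rules once you know what the
# LAN really needs; with it gone, the "block log all" above is your default deny.
pass in on $lan_if from $lan_net to any keep state

# DMZ: never into the LAN. "quick" makes this win over the pass rules below.
block in quick on $dmz_if from $dmz_net to $lan_net

# DMZ outbound: only what the server needs (DNS, and HTTPS for updates).
# Anything else the DMZ tries to initiate falls through to the default block.
pass in on $dmz_if proto { tcp, udp } from $dmz_net to any port 53 keep state
pass in on $dmz_if proto tcp from $dmz_net to any port 443 keep state

# Let stateful replies and the firewall's own traffic leave each interface
pass out on $ext_if keep state
pass out on { $lan_if, $dmz_if } keep state
```

In the pfSense GUI the same policy is three interface tabs rather than one file, and GUI rules are first-match rather than last-match: on WAN a NAT port forward for TCP/443 to 10.10.10.10 with its associated filter rule; on LAN the default allow rule removed and replaced by specific passes; on the DMZ tab a block from "DMZ net" to "LAN net" placed above the DNS and HTTPS passes, with no catch-all pass underneath. Check the result by trying from a DMZ host to reach a LAN address and an unrelated outbound port (both should fail and show up in the firewall log), and from outside by confirming that only TCP/443 on the WAN address answers.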