DMZ Question

  • Thread starter: Lem
  • Start date: Thu, 25 Aug 2005 15:22:31 -0400

Lem

If a PC is in a router's "DMZ," and thus has a public IP address, can
any of its resources (printers and files) be shared by computers on the
LAN? And as a corollary, if computers on the LAN can share those
resources, can those resources be protected from use by anyone anywhere?
 
Chuck wrote:

Lem,

If a computer is in the same subnet as the other computers, then it can share
resources with the other computers. DMZ or no.

The DMZ simply makes the IP ports on the DMZ computer(s) available to the
Internet as a whole. Including file and printer sharing, if there's not a
properly setup firewall on the computer(s) in the DMZ.

I don't think that this is a Windows XP topic, though, so maybe it would be
better asked in Comp.Security.Firewalls, or in Microsoft.Public.Security. Might
be more experience there.

BTW, Lem, posting your email address openly will get you more unwanted email,
than wanted email. Learn to munge your email address properly, to keep yourself
a bit safer when posting to open forums. Protect yourself and the rest of the
internet - read this article.
<http://nitecruzr.blogspot.com/2005/05/how-to-post-on-usenet-and-encourage.html#Munging>
 
Putting a computer in the DMZ on your router exposes that computer to the
Internet fully. It would be as if you plugged the computer directly into
your incoming cable or DSL modem. The only break you might get would be if
your modem includes port blocking on known-hostile ports as some newer ones
do. Many ISPs block the common networking ports (File and Printer Sharing,
mail server, FTP server, etc) so what you could do with your computer inside
the DMZ might well be limited.

Anything that your computer can see or touch on your home network would also
be vulnerable to attack since an intruder could use the computer in the DMZ
to launch attacks inside the firewall.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm
 
You're right, this is not really a Windows question, although it's based on a system running
WinXP. I understand that putting a computer in a router's DMZ exposes its ports to the
Internet. In the system I was looking at, the router accomplished this exposure by assigning
the DMZ computer a public IP address (64.252.xxx.xxx). Thus, according to your explanation,
there could be no resource sharing with the LAN PCs, which have IP addresses in one of the
ranges reserved for private addresses (172.16.xxx.xxx), and thus are on a different subnet.
Perhaps there are some routers that implement DMZ by assigning a private IP address and then
just forwarding ports. I'll check in Comp.Security.Firewalls.

The beauty of hotmail addresses is that they're disposable. I check the address on this
post just often enough to keep hotmail from disabling the account -- I don't care what goes
there. On the other hand, it's a real address, which sometimes is necessary to use.
 
Chuck wrote, replying to Lem's post of Thu, 25 Aug 2005 17:35:12 -0400:

With a true DMZ, on an Enterprise LAN, there would be a physically separate
network segment, with a router connecting that subnet directly to the office LAN
(but with both networks protected by the corporate firewall). That's the
purpose of a DMZ, to isolate itself from a vulnerable office network, yet
protect itself.

I've yet to figure out what the protection of a NAT router DMZ is. As I
understand it, a NAT DMZ consists of a single computer, exposed to the world,
and directly accessible by the other computers. If your router actually creates
a separate subnet, that sounds like a true DMZ. What make and model router is
that? Does it have a rule set that restricts traffic between itself and the LAN
in general?

And thanks for acknowledging your public exposure of your Hotmail account - it's
good that you understand the risks. Unfortunately, you're causing a risk to the
Internet, as the clueless will see you posting your address and follow your
example. And the clueless are those most vulnerable to trojans and worms, and
will contribute one more bot to the world botnet population. This will mean
still more spam for everybody, as if there isn't already too much.
 
The only way I could see that this would be safe is with a home-grade router
that also provides access-point isolation - and even then I'd take that with
a large grain of salt. The home routers I've seen don't really put a
computer into a DMZ so much as create a special NAT/firewall rule that
completely opens that address to incoming connections. The computer in the
DMZ can still see and use network resources and be seen and used by other
computers on the network.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
 
Allow All Applications (DMZplus)

DMZplus is a special firewall mode that is used for hosting applications if you are still not
able to get an application to operate properly using the "Allow individual application(s)"
option. When in DMZplus mode, the designated computer:

- "Shares" your Router Address (system's IP address).
- Appears as if it is directly connected to the Internet.
- Has all of the unassigned TCP and UDP ports opened and pointed to it.
- Can receive unsolicited network traffic from the internet.

NOTE: Although the DMZplus computer appears to Internet users as though it is directly connected
to the Internet, it is still protected by your system firewall. All traffic is inspected by the
firewall's Stateful Packet Inspection engine and all known hacker attacks continue to be blocked.
Since all filtered traffic is forwarded to the designated computer, DMZplus mode should be used
with caution. In most situations, you can use the "Allow individual application(s)" option to
support access from the Internet to applications on your network. DMZplus can only be configured
for one computer on your home network at a time. The Firewall Settings page allows you to enable
DMZplus and select which computer will run in DMZplus mode.

For what it's worth, the router in question is a 2Wire HomePortal 1000s. It's a friend's and I
have no idea why his network is configured the way it is, other than he apparently had great
difficulty in getting things to work and relied on advice from his ISP's tech support. In my
experience, ISP tech support often supplies "solutions" that make life easier for the ISP without
regard for any problems they may cause the individual user, e.g., the universal solution of
"re-format and re-install Windows."

According to 2Wire, their implementation of DMZ, which they call "DMZPLUS", still protects the
exposed computer with stateful packet inspection. See: http://tinyurl.com/8w7ut

To munge or not to munge. That is the question. Suffice it to say that there are differences in
opinion on this issue, and many posters to the microsoft.public newsgroups, including MS-MVPs,
post using valid email addresses. [Interestingly enough, I get far more spam at my "real"
address than at the hotmail address I use to post here. I suspect it's because some of the
"legitimate" e-tailers whose sites I visit and purchase from sell their customer lists. I wonder
if anyone's actually done a _recent_ study to determine if the spammers and malware propagators
continue to use address-harvesting bots or if they find it far easier just to buy a CD with tens
of thousands of known-good email addresses.]
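As an added example (not from the thread and not 2Wire's code), the following Python model puts the three filters the replies above describe side by side: the ISP's port blocks that Richard mentions, the router's "Allow individual application(s)" forwards versus a DMZ host that receives every unassigned port (2Wire's DMZplus description), and the computer's own firewall, which Chuck points out is the only thing left protecting file and printer sharing. The LAN address, the service list and the ISP block list are constructed; only the Windows sharing ports (TCP 139/445, UDP 137/138) are the standard ones. Stateful packet inspection is recorded as a flag but does not change the result, because SPI inspects the traffic the policy lets through rather than closing ports.

```python
"""Model of how a home router's DMZ-host setting changes which services on a LAN
computer are reachable from the Internet. Constructed example for illustration."""

from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

Port = Tuple[str, int]  # (protocol, port number), e.g. ("tcp", 445)


@dataclass
class RouterPolicy:
    # "Allow individual application(s)": explicit forwards, (proto, port) -> LAN address.
    forwards: Dict[Port, str] = field(default_factory=dict)
    # "DMZplus" / DMZ host: every port with no explicit forward is pointed at this address.
    dmz_host: Optional[str] = None
    # Stateful packet inspection drops malformed or out-of-state packets, but it does not
    # close any port the two settings above have opened, so it is only a note here.
    spi: bool = True


def inbound_target(policy: RouterPolicy, proto: str, port: int) -> Optional[str]:
    """LAN address that receives an unsolicited Internet packet to proto/port, or None if
    the NAT router drops it (no forward and no DMZ host: a home router's default)."""
    if (proto, port) in policy.forwards:
        return policy.forwards[(proto, port)]
    return policy.dmz_host


def exposed_services(
    policy: RouterPolicy,
    host: str,
    host_services: Dict[Port, str],
    isp_blocked: FrozenSet[Port] = frozenset(),
    host_firewall_allow: Optional[FrozenSet[Port]] = None,
) -> List[str]:
    """Names of the services listening on `host` that an Internet peer can actually reach.
    A packet has to pass three filters in order: the ISP's port blocks, the router's
    forward/DMZ rules, and the host firewall (None means the host has no firewall)."""
    reachable = []
    for (proto, port), name in sorted(host_services.items()):
        if (proto, port) in isp_blocked:
            continue  # never leaves the ISP's network
        if inbound_target(policy, proto, port) != host:
            continue  # dropped by the router, or forwarded to some other computer
        if host_firewall_allow is not None and (proto, port) not in host_firewall_allow:
            continue  # the computer itself refuses it
        reachable.append(name)
    return reachable


# Constructed scenario: one LAN computer running a web server that also has Windows
# file and printer sharing and Remote Desktop enabled.
DMZ_PC = "172.16.1.50"  # constructed LAN address of the computer placed in the DMZ
SERVICES: Dict[Port, str] = {
    ("tcp", 80): "web server",
    ("tcp", 139): "NetBIOS session (file and printer sharing)",
    ("tcp", 445): "SMB (file and printer sharing)",
    ("tcp", 3389): "Remote Desktop",
}
# Constructed ISP block list of the kind Richard describes (the common sharing ports).
ISP_BLOCKS: FrozenSet[Port] = frozenset(
    {("tcp", 135), ("tcp", 139), ("tcp", 445), ("udp", 137), ("udp", 138)}
)

PER_APP = RouterPolicy(forwards={("tcp", 80): DMZ_PC})  # only the web server is forwarded
DMZ_MODE = RouterPolicy(dmz_host=DMZ_PC)                # everything unassigned goes to the PC


def scenarios() -> Dict[str, List[str]]:
    """The situations the thread discusses, as lists of Internet-reachable services."""
    return {
        "per-application forward, no host firewall":
            exposed_services(PER_APP, DMZ_PC, SERVICES),
        "DMZ host, no host firewall":
            exposed_services(DMZ_MODE, DMZ_PC, SERVICES),
        "DMZ host, ISP blocks the sharing ports":
            exposed_services(DMZ_MODE, DMZ_PC, SERVICES, isp_blocked=ISP_BLOCKS),
        "DMZ host, host firewall allows only the web server":
            exposed_services(DMZ_MODE, DMZ_PC, SERVICES,
                             host_firewall_allow=frozenset({("tcp", 80)})),
    }


if __name__ == "__main__":
    for label, services in scenarios().items():
        print(f"{label}: {services}")
```

The second scenario is Richard's "as if you plugged the computer directly into your modem" case: with a DMZ host and no host firewall, every listening service, sharing included, answers the Internet. The ISP block list only narrows that by accident of what the ISP chose to block; the host firewall is the control the owner actually decides.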
 
Chuck wrote:

Thanks for those details. The DMZ is behind an SPI filter (probably not a full
firewall no matter what 2Wire calls it) (is it ICSA certified?), but is still
directly accessible to the other computers in the LAN. Or is it? Is the DMZ
host physically on a separate subnet (64.252.xxx.xxx) or the main LAN
(172.16.xxx.xxx)? What does "ipconfig /all" on the DMZ host show?
<https://www.icsalabs.com/icsa/main.php?pid=gddfg>

You're dead on about ISP Tech Support. That's one of the functions of these
forums - to fill in the gap between typical first line tech support, and
reality. Maybe you and I can save your friend from trouble, if we work to
understand this.
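As an added example (not from the thread), here is a Python script that parses the "ipconfig /all" output Chuck asks for and answers his question mechanically: it reads the address, subnet mask and default gateway from each adapter section and reports whether the DMZ host shares the laptop's subnet and whether its address falls in a private range. All three ipconfig outputs are constructed. The laptop one uses the addresses Lem reports (172.16.1.34 with gateway and DHCP server 172.16.0.1) plus an assumed /16 mask; the public-address DMZ sample uses 64.252.0.2 as a placeholder for the thread's elided 64.252.xxx.xxx, with an assumed mask and gateway; the NAT-rule sample (172.16.1.50, invented) stands for the kind of DMZ Richard describes, a LAN address behind an "open everything" rule.

```python
"""Parse constructed "ipconfig /all" outputs and decide whether a DMZ host sits on the
LAN subnet or on its own. Added example; addresses are constructed as described above."""
import ipaddress
import re
from typing import Dict, List, Optional

Adapter = Dict[str, Optional[str]]

# Constructed, Windows XP layout. Laptop addresses are the ones Lem reports; /16 is assumed.
LAPTOP_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : laptop

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 172.16.1.34
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . : 172.16.0.1
        DHCP Server . . . . . . . . . . . : 172.16.0.1
"""

# Constructed: DMZ host with a public address as Lem describes. 64.252.0.2 is a placeholder
# for the thread's 64.252.xxx.xxx; mask and gateway are assumptions.
DMZ_PUBLIC_IPCONFIG = """\
Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 64.252.0.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 64.252.0.1
"""

# Constructed: DMZ host as Richard describes it, a LAN address behind an open NAT rule.
DMZ_NAT_IPCONFIG = """\
Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 172.16.1.50
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . : 172.16.0.1
"""

# "Key . . . . : value" lines; the dots and spaces between key and colon are padding.
KEY_VALUE = re.compile(r"^\s+(.+?)[ .]*:\s*(.*?)\s*$")


def parse_ipconfig(text: str) -> List[Adapter]:
    """One dict per adapter section (ip, mask, gateway). Section headers are the unindented
    lines ending in ':'; the XP label "IP Address" and the later "IPv4 Address" both count."""
    adapters: List[Adapter] = []
    current: Optional[Adapter] = None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = {"adapter": line.rstrip()[:-1], "ip": None, "mask": None, "gateway": None}
            adapters.append(current)
            continue
        m = KEY_VALUE.match(line)
        if current is None or not m:
            continue
        key, value = m.group(1).strip(), m.group(2).replace("(Preferred)", "").strip()
        if key in ("IP Address", "IPv4 Address"):
            current["ip"] = value
        elif key == "Subnet Mask":
            current["mask"] = value
        elif key == "Default Gateway":
            current["gateway"] = value or None
    return adapters


def primary_adapter(adapters: List[Adapter]) -> Adapter:
    """First adapter that actually has an address and a mask."""
    return next(a for a in adapters if a["ip"] and a["mask"])


def network_of(adapter: Adapter) -> ipaddress.IPv4Network:
    return ipaddress.ip_interface(f"{adapter['ip']}/{adapter['mask']}").network


def assess(lan_ipconfig: str, dmz_ipconfig: str) -> Dict[str, object]:
    """Chuck's question: is the DMZ host on the LAN subnet, or on a subnet of its own?"""
    lan = primary_adapter(parse_ipconfig(lan_ipconfig))
    dmz = primary_adapter(parse_ipconfig(dmz_ipconfig))
    lan_net, dmz_net = network_of(lan), network_of(dmz)
    lan_ip, dmz_ip = ipaddress.ip_address(lan["ip"]), ipaddress.ip_address(dmz["ip"])
    return {
        "lan_network": str(lan_net),
        "dmz_network": str(dmz_net),
        "dmz_address_is_private": dmz_ip.is_private,  # RFC 1918 range or not
        # Same subnet: LAN hosts and the DMZ host talk directly, so sharing works and so
        # does anything an intruder on the DMZ host tries against the LAN. Different
        # subnet: every packet passes through the router, whose rule set decides.
        "same_subnet": dmz_ip in lan_net and lan_ip in dmz_net,
        "same_gateway": lan["gateway"] == dmz["gateway"],
    }


if __name__ == "__main__":
    for label, sample in (("public-address DMZ host", DMZ_PUBLIC_IPCONFIG),
                          ("NAT-rule DMZ host", DMZ_NAT_IPCONFIG)):
        print(label, assess(LAPTOP_IPCONFIG, sample))
```

Run on the public-address sample, `same_subnet` is false and the router's rules are all that stand between the LAN and the DMZ host; on the NAT-rule sample it is true, which is Richard's case where the DMZ computer "can still see and use network resources and be seen and used by other computers on the network". The real answer for Lem's friend needs the real `ipconfig /all` from the DMZ host in place of the constructed sample.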
 

Sorry for the stuff at the top of my last post. I had initially thought to cut/paste it, but when I
saw the formatting I put in the link instead -- but apparently I had already pasted it.

As to your question:
Is the DMZ host physically on a separate subnet (64.252.xxx.xxx) or the main LAN (172.16.xxx.xxx)? What does "ipconfig /all" on the DMZ host show?

I don't know. I only looked at his network briefly, over the laptop. ipconfig /all on the laptop
gave its address as 172.16.1.34. It also revealed the IP of the HomePortal, i.e., the Gateway and
DHCP server, as 172.16.0.1. I was able to browse to the HomePortal and view a non-password-protected
status page that showed IP addresses for the devices connected to the HomePortal, including one
computer indicated as being in the DMZplus zone with an IP of 64.252.xxx.xxx as well as a DI-624
hooked up as a wireless AP (presumably with its DHCP server turned off, although without its admin p/w
I couldn't confirm).

The problem I started out looking to help with was that the wireless connection drops frequently, so I
was checking to ensure that SSID broadcast was not disabled (it was not) and that 802.1x
authentication was turned off (it was). While I was poking around, I noticed his peculiar network
configuration. Debugging network problems doesn't mix well with dinner-time visits. Perhaps I'll be
able to investigate further over the weekend.
 
Chuck wrote:

Been there, done that. This is Usenet, so you have to average everything out.
Right now, this thread is running near the top of my interest list.
OK, well knowing what we don't know is sometimes as useful as knowing what we
do. I've been curious about SOHO DMZs for some time, knowing how Corporate LAN
DMZs work. Please take a careful look at your friend's LAN when you have a
chance. I think all of us might learn from it.
<http://en.wikipedia.org/wiki/Demilitarized_zone_(computing)>
 
