User manual
Network Setup 
71
DMZ Network 
Note 
Not available on the SG300, SG530, SG550 or SG PCI appliances. 
A DMZ (de-militarized zone) is a physically separate LAN segment, typically used to host servers that are publicly accessible from the Internet. Servers on this segment are isolated to provide better security for your LAN. If an attacker compromises a server on the LAN, then the attacker immediately has direct access to your LAN. However, if an attacker compromises a server in a DMZ, they are only able to access other machines on the DMZ. 
In other words, by default the SG unit blocks network traffic originating from the DMZ 
from entering the LAN. Additionally, any network traffic originating from the Internet is 
blocked from entering the DMZ and must be specifically allowed before the servers 
become publicly accessible. Network traffic originating from the LAN is allowed into the 
DMZ, however, and network traffic originating from the DMZ is allowed out to the Internet. 
The section Services on the DMZ Network discusses how to allow certain traffic from the 
Internet into the DMZ. To allow public access to the servers in the DMZ from the 
Internet, this step must be performed. You may also allow certain network traffic 
originating from the DMZ into the LAN, however this is not usually necessary. 
By default, machines on the DMZ network have addresses in a private IP address range, 
such as 192.168.1.0 / 255.255.255.0 or 10.1.0.0 / 255.255.0.0. Real world addresses 
may be used on the DMZ network by unchecking Enable NAT from DMZ interfaces 
to Internet interfaces under the Advanced tab. See the Network address translation 
section later in this chapter for further information. 
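The default DMZ policy described above (DMZ blocked from the LAN, Internet blocked from the DMZ unless specifically allowed, LAN allowed into the DMZ, DMZ allowed out to the Internet with NAT enabled) expressed as an nftables ruleset for a generic Linux gateway. This is an added example, not the SG unit's own configuration; the interface names eth0 (Internet), eth1 (LAN), eth2 (DMZ), the DMZ subnet and the server address are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example: the manual's default DMZ policy as an nftables ruleset for a
# generic Linux firewall. Not the SG appliance's own configuration.
# Assumed interface names: eth0 = Internet, eth1 = LAN, eth2 = DMZ.
# Assumed DMZ subnet: 192.168.1.0/24 (a private range, as the manual describes).

define WAN = eth0
define LAN = eth1
define DMZ = eth2
define DMZ_NET = 192.168.1.0/24

table inet sg_dmz {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to permitted connections flow back in either direction.
        ct state established,related accept
        ct state invalid drop

        # LAN -> DMZ: allowed by default.
        iifname $LAN oifname $DMZ accept

        # DMZ -> Internet: allowed by default.
        iifname $DMZ oifname $WAN accept

        # LAN -> Internet: outside this section, but a real gateway needs it.
        iifname $LAN oifname $WAN accept

        # DMZ -> LAN: blocked by default, so a compromised DMZ host can only
        # reach other DMZ machines. Counted so the drops show up in "nft list".
        iifname $DMZ oifname $LAN counter drop

        # Internet -> DMZ: blocked unless a service is specifically allowed
        # (see Services on the DMZ Network). Example allowance for one public
        # web server; the address 192.168.1.10 is an assumption. With private
        # DMZ addresses a matching DNAT rule in a prerouting chain is also needed.
        # iifname $WAN oifname $DMZ ip daddr 192.168.1.10 tcp dport 80 accept
    }
}

table ip sg_dmz_nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # "Enable NAT from DMZ interfaces to Internet interfaces" (default on):
        # DMZ traffic leaves with the Internet interface's address. Removing this
        # rule corresponds to unchecking the option to use real-world addresses.
        oifname $WAN ip saddr $DMZ_NET masquerade
    }
}
```

Load with `nft -f` and inspect the drop counter on the DMZ -> LAN rule to confirm that traffic from the DMZ towards the LAN is being blocked as the policy requires.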
Configuring a DMZ connection 
Select Direct Connection from the Configuration pull-down box of the network port to 
be connected to the DMZ. Enter appropriate IP address settings and select DMZ from 
the Firewall Class pull-down menu. 