How do I configure a DMZ on my local LAN?
A question about DMZs: We run a privately addressed network (192.168...) on a workgroup. We have a server running DHCP. If I set up a DMZ on a managed switch, I would like to know if a potentially infected (spyware/trojans) PC which is then plugged into it would be able to infect the server.
This is one of those questions where I basically have no idea what you're talking about, so I'm really glad to have a few Friends of Ask Dave Taylor who are more clueful about networking issues. I asked them and here are the two answers I received:
One assumption I make: your server is running an MS-based OS, hence the concern over trojans/viruses/spyware.
The purpose of a DMZ is to build a protected space between public servers and the rest of the LAN. When one of the public servers/services becomes compromised, it is then "shielded" from the rest of the LAN. There are a few DMZ designs... you don't include your network structure.
I strongly suggest that you have a true network person look into your setup.
On the question of viruses... if any of the client PCs can "speak" to the target server, it is certainly then exposed to any kind of malware, period.
Whether or not you have a DMZ is not material.
How your server deals/copes with it, however, is a different matter altogether. Good AV software, proper host-based firewall setups on the server, and properly configured services all add to the security of the server, so it's not as simple as yes/no.
One trick I've done is to set up DMZs on routers to nonexistent IP addresses. The effect of this is to have all incoming "attacks" go nowhere and finally time out.
My thanks to Teoh Kiat Jin for this answer
The simple answer is yes, it's possible that a PC on your network could infect your server. It's tough to know exactly what the risk is based on your question, so I'll try to give you an idea by making a few assumptions.
Typically, switches are not used to create DMZs. This is a job left to routers and firewalls. (A firewall is a router on steroids.) So, I'll assume that you really meant some sort of router. I'll also assume that you've got Windows PCs in your network, and that the server in question is a Windows server.
Is your server's IP address in the same subnet as the rest of your network? If so you're probably using a broadband router and your risk is pretty high. Broadband routers typically are not capable of creating a true DMZ, rather, they pretend that one of your machines on your network is a DMZ and route all inbound traffic to that machine. (A real DMZ would have a different subnet.) Since your server's address is in the same subnet, it's quite visible to any malicious code that might be infecting any of the Windows workstations on your network.
Is your server's IP address in a different subnet than the rest of your network? If so, you've probably got a router or firewall and your risk is small, but not insignificant. In this case the server is not as easily accessed by infected workstations. The risk here is in any services that the server is running where traffic for that service is allowed through by the router/firewall. Let's say your server is running IIS and MS SQL Server. IIS listens on port 80, MS SQL Server on 4444. If you allow traffic from your internal network to the server on these ports, then any virus or worm that can exploit vulnerabilities in IIS or SQL Server on those ports may be able to infect the server. The best course of action here is to control and reduce to the minimum the traffic going to the server. Then, keep those services patched.
Thanks also to Phil at Maladon for his help with this question
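Both answers above come down to the same two questions: is the router/firewall actually in the path between the workstation and the server, and if so, which ports does it let through. The following is an added example (editor's code, not from either answer) that models those two layouts as a small policy evaluator, so you can check what an infected workstation could reach before touching real hardware. The subnets (192.168.1.0/24 for workstations, 192.168.10.0/24 for the DMZ), the host addresses, and the sample flows are constructed assumptions; the allow-list uses TCP 80 for IIS and TCP 1433, which is SQL Server's documented default listener, so adjust it to whatever your instance actually uses.

```python
"""Model of the two deployments discussed above: a flat LAN versus a server
on its own DMZ subnet behind a router/firewall with an allow-list."""
import ipaddress
from dataclasses import dataclass

# Constructed sample topology (an assumption for this example, not from the page).
LAN = ipaddress.ip_network("192.168.1.0/24")   # workstations
DMZ = ipaddress.ip_network("192.168.10.0/24")  # server subnet behind the firewall
SUBNETS = (LAN, DMZ)

# Services the router/firewall lets LAN hosts reach in the DMZ: (proto, port).
# 80 is IIS; 1433 is SQL Server's documented default TCP listener (assumed here).
NETWORK_ALLOW = {("tcp", 80), ("tcp", 1433)}
# Host-based firewall on the server itself: the same allow-list in this example.
HOST_ALLOW = {("tcp", 80), ("tcp", 1433)}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def subnet_of(addr: str):
    """Return the configured subnet containing addr, or None if it is in neither."""
    ip = ipaddress.ip_address(addr)
    return next((net for net in SUBNETS if ip in net), None)


def network_verdict(flow: Flow) -> str:
    """What the router/firewall does with this flow: 'bypass', 'allow' or 'deny'."""
    src_net, dst_net = subnet_of(flow.src), subnet_of(flow.dst)
    if src_net is None or dst_net is None:
        return "deny"
    if src_net == dst_net:
        # Same broadcast domain: the switch forwards frames directly, so the
        # router/firewall is never in the path and its rules cannot apply.
        return "bypass"
    if dst_net == DMZ and (flow.proto, flow.dport) in NETWORK_ALLOW:
        return "allow"
    return "deny"


def host_verdict(flow: Flow) -> str:
    """What the server's own host-based firewall does: 'allow' or 'deny'."""
    return "allow" if (flow.proto, flow.dport) in HOST_ALLOW else "deny"


def exposure(flow: Flow) -> str:
    """Combine both layers into the practical answer to 'can this reach my server?'."""
    net = network_verdict(flow)
    if net == "deny":
        return "blocked by network firewall"
    if host_verdict(flow) == "deny":
        return ("blocked by host firewall only (no network firewall in path)"
                if net == "bypass" else "blocked by host firewall")
    return "reaches server: permitted service, keep it patched"


# Constructed sample flows from a hypothetically infected workstation, 192.168.1.20.
SAMPLE_FLOWS = [
    Flow("192.168.1.20", "192.168.10.5", "tcp", 445),   # SMB worm, server in DMZ
    Flow("192.168.1.20", "192.168.10.5", "tcp", 80),    # HTTP to IIS, server in DMZ
    Flow("192.168.1.20", "192.168.1.5", "tcp", 445),    # SMB worm, flat network
    Flow("192.168.1.20", "192.168.1.5", "tcp", 1433),   # SQL traffic, flat network
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src} -> {f.dst}:{f.dport}/{f.proto}: {exposure(f)}")
```

Running it shows the point both answers make: on the flat network the SMB flow is stopped, if at all, only by the server's own firewall, while on the DMZ layout the router drops it before it arrives; in either layout the permitted ports still reach the server, which is why the allow-list should be as short as possible and those services kept patched.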