A question about DMZ’s: We run a privately addressed network(192.168…) on a workgroup. We have a server running DHCP. If I set up a DMZ on a managed switch I would like to know if a potentially infected (spyware/trojans) PC which is then plugged into it would be able to infect the server.
This is one of those questions where I basically have no idea what you’re talking about, so I’m really glad to have a few Friends of Ask Dave Taylor who are more clueful about networking issues. I asked them and here are the two answers I received:
One assumption I make, your server is running an MS based OS, thus the concern over trojans/virus/spyware.
The purpose of a DMZ is to build a protected space between public servers and the rest of the LAN. When one of the public servers/services become compromise, it is then “shielded” from the rest of the LAN. There are a few DMZ designes … you dont include your network structure.
I strongly suggest that you have a true network person look into your setup.
On the question of viruses… if any of the client PCs can “speak” to the target server, it is certainly then exposed to any kind of malware period.
Whether or not you have a DMZ is not material.
How your server deals/copes with it however is a different matter altogether. Good AV software, proper hostbase firewall setups on the server, properly configured services all add to the security of the server so its not as simple as yes/no.
One trick I’ve done is to set up DMZs on routers to nonexistent IP Addresses. The effect of this is to have all incoming “attacks” go nowhere and finally time-out.
My thanks to Teoh Kiat Jin for this answer
This simple answer is yes, it’s possible that a pc on your network could infect your server. It’s tough to know exactly what the risk is based on your question, so I’ll try to give you and idea by making a few assumptions.
Typically, switches are not used to create DMZ’s. This is a job left to routers and firewalls. (A firewall is a router on steroids.) So, I’ll assume that you really meant some sort of router. I’ll also assume that you’ve got Windows pc’s in your network, and that the server in question is a Windows server.
Is your server’s IP address in the same subnet as the rest of your network? If so you’re probably using a broadband router and your risk is pretty high. Broadband routers typically are not capable of creating a true DMZ, rather, they pretend that one of your machines on your network is a DMZ and route all inbound traffic to that machine. (A real DMZ would have a different subnet.) Since your server’s address is in the same subnet, it’s quite visible to any malicious code that might be infecting any of the Windows workstations on your network.
Is your server’s IP address in a different subnet that the rest of your network? If so, you’ve probably got a router or firewall and your risk is small, but not insignificant. In this case the server is not as easily accessed by infected workstations. The risk here is in any services that the server is running where traffic for that service is allowed through by the router/firewall. Let’s say your server is running IIS and MS SQLServer. IIS listens on port 80, MS SQLServer on 4444. If you allow traffic from your internal network to the server on these ports, then any virus or worm that can exploit vulnerabilities to IIS or SQLServer on those ports may be able to infect the server. The best course of action here is to control and reduce to the minimum the traffic going to the server. Then, keep those services patched.
For all the readers out there without a true fireall (broadband routers are not, even though they claim to be), there’s a simple solution. Buy an old Pentium III computer and two network cards. Total cost will probably be $50 bucks. Then install a free firewall. There are two really good ones out there: IP Cop ipcop.org and Smoothwall smoothwall.org. I’ve recently switched to IP Cop from Smoothwall, but both are great firewalls and both are free, open source GNU/Linux based firewalls. Installation is fairly simple and both web sites have good instructions for non techy types.
Thanks also to Phil at Maladon for his help with this question