Internet Video Series, Part 2
Episode 14, Segment 05 of 08
The "DMZ" (Demilitarized Zone) features also invite security problems. In this context, "DMZ" allows you to designate one of your computers as the host for all services that are not otherwise defined. This allows you to host almost any kind of server on that machine (even if you don't know the ports on which it communicates), but it also sets that machine up as a target for every hacker and every stinkware application infesting the Internet. Think "COME AND GET ME"! (And once that machine is compromised, the stinkware may be able to flow to your other computers from inside your LAN, as if the hackers could drop paratroopers behind your lines of defense, bypassing the protection ordinarily offered by your NAT router.) Our advice regarding "DMZ" is the same as our advice regarding "Universal Plug and Play": Don't go there unless you are very vigorous about monitoring the health of your computers and their network usage, or unless you install an additional NAT router in series to create an "inner", more isolated LAN for your other computers.
As illustrated here, a second NAT router, in series with the first, creates a new IP "subnet" with a distinct set of IP addresses, in between the ISP network and your private network. Servers hosted here are fully accessible to the worldwide Internet, and clients on the Inner LAN can access them too, but if a server on this new "DMZ" subnet is ever attacked and corrupted, it cannot easily compromise the computers on the inner network.
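The two-router layout described above only isolates the inner LAN if the two subnets really are distinct and each machine sits on the intended side. The following is an added example, not part of the video series, that checks such an addressing plan; the function name, addresses and host names are assumptions made up for illustration.

```python
import ipaddress

def check_plan(outer_lan, inner_wan_ip, inner_lan, hosts):
    """Check a two-router (series NAT) addressing plan.

    outer_lan:    subnet behind the first router (the "DMZ" subnet)
    inner_wan_ip: address of the second router's WAN port
    inner_lan:    subnet behind the second router (the inner LAN)
    hosts:        {name: (ip, role)}, role is "server" or "client"
    Returns a list of findings; an empty list means the plan is sound.
    """
    outer = ipaddress.ip_network(outer_lan)
    inner = ipaddress.ip_network(inner_lan)
    findings = []
    # Both routers left on the same address range: the inner router has
    # no way to route inner-LAN traffic out to the DMZ subnet.
    if outer.overlaps(inner):
        findings.append(f"subnets overlap: {outer} and {inner}")
    if ipaddress.ip_address(inner_wan_ip) not in outer:
        findings.append(f"inner router WAN {inner_wan_ip} is not on {outer}")
    for name, (ip, role) in sorted(hosts.items()):
        addr = ipaddress.ip_address(ip)
        on_outer, on_inner = addr in outer, addr in inner
        if on_outer and on_inner:
            continue  # ambiguous placement, already reported as overlap
        if not (on_outer or on_inner):
            findings.append(f"{name}: {ip} is on neither subnet")
        elif role == "server" and on_inner:
            findings.append(f"{name}: Internet-facing server sits on the inner LAN")
        elif role == "client" and on_outer:
            findings.append(f"{name}: client sits on the DMZ subnet, outside the inner router")
    return findings

# Constructed sample plans (addresses and host names are made up).
GOOD = ("192.168.1.0/24", "192.168.1.2", "192.168.50.0/24",
        {"web": ("192.168.1.10", "server"), "laptop": ("192.168.50.20", "client")})
MISPLACED = ("192.168.1.0/24", "192.168.1.2", "192.168.50.0/24",
             {"web": ("192.168.50.10", "server"), "laptop": ("192.168.1.20", "client")})
SAME_RANGE = ("192.168.1.0/24", "192.168.1.2", "192.168.1.0/24", {})

if __name__ == "__main__":
    for label, plan in (("good", GOOD), ("misplaced", MISPLACED), ("same range", SAME_RANGE)):
        print(label, check_plan(*plan) or "OK")
```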