DMZ Danger
One thing I wish consumer-level router and firewall vendors would change is
the naming of their DMZ feature: the term DMZ implies safety, but their
implementation of it is typically anything but safe.
In a real DMZ configuration there is independent protection on both sides of
the system(s) in the DMZ, so that even if a DMZ system were compromised it
would still be difficult to attack other systems on the internal LAN, as shown
below.

However, consumer-grade routers and firewalls lack both the external and the
internal firewall in their DMZ setup, which means that if the unprotected
system in the DMZ were compromised there would be nothing to prevent it from
attacking the other systems on the LAN, as shown below. This is what makes use
of the so-called DMZ feature so dangerous: it could easily lead to the
infection of your entire LAN.

I do wish consumer-grade router and firewall vendors would give their DMZ
feature a different name, one that gave a better indication of the hazards
involved in using it.
We recommend that, rather than using the DMZ functionality, you identify and
forward only the required ports to the required system, as this at least
minimizes your attack surface. NOTE: this is not a perfect solution either,
because if that system were to become infected it could still attack other
systems on your LAN.
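As an added example (not part of the original page), here is how the two-sided protection described above, combined with forwarding only the required ports, looks as an nftables ruleset on a Linux router with three interfaces; the interface names wan, lan and dmz, the DMZ host address 192.0.2.10 and the forwarded ports 80/443 are assumptions.

```nftables
# Added example: Linux router with three interfaces (assumed names wan, lan, dmz).
# The DMZ host (assumed address 192.0.2.10) is reachable from the Internet only on
# the forwarded ports, and traffic it originates toward the LAN is dropped and logged.
flush ruleset

define WAN = "wan"
define LAN = "lan"
define DMZ = "dmz"
define DMZ_HOST = 192.0.2.10      # placeholder from the documentation range
define DMZ_PORTS = { 80, 443 }   # only the ports the DMZ service actually needs

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # External side: forward only the required ports, not "everything"
        # as a consumer DMZ setting does.
        iifname $WAN tcp dport $DMZ_PORTS dnat to $DMZ_HOST
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN masquerade
    }
}

table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop

        # External firewall: the Internet may reach the DMZ host only on the forwarded ports.
        iifname $WAN oifname $DMZ ip daddr $DMZ_HOST tcp dport $DMZ_PORTS accept

        # LAN may initiate connections to the Internet and the DMZ; replies return via conntrack.
        iifname $LAN oifname { $WAN, $DMZ } accept

        # DMZ may reach the Internet (e.g. for updates) but nothing on the LAN.
        iifname $DMZ oifname $WAN accept

        # Internal firewall: a compromised DMZ host cannot initiate connections
        # into the LAN; the attempt is logged so it can be noticed.
        iifname $DMZ oifname $LAN log prefix "dmz-to-lan blocked: " drop
    }
}
```

Load it with `nft -f <file>`; the final rule is what a consumer "DMZ" setting lacks, since the DMZ host there sits on the same LAN segment with nothing filtering between it and the other systems.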
Page last updated on
November 26, 2006