
Protecting a web server with DMZ



In computer security, a DMZ network (sometimes referred to as a "demilitarized zone") is a sub-network that contains an organization's exposed, outward-facing services. The goal of a DMZ is to add an extra layer of security to an organization's local area network.

When implemented properly, a DMZ network gives organizations extra protection for detecting and mitigating security breaches before they reach the internal network, where valuable assets are stored.

Purpose of a DMZ:

The DMZ Network exists to protect the hosts most vulnerable to attack. These hosts usually involve services that extend to users outside of the local area network, the most common examples being web servers. Because of the increased potential for attack, they are placed into the monitored sub-network to help protect the rest of the network if they become compromised.

In addition to protecting the web server, the DMZ also protects the rest of the network. In this example the DMZ network uses a private subnet and allows access to a web server using different addresses for internal and external users, while preventing access from the web server to the internal network if the web server is compromised.

Note- For this configuration to work, the web server must be properly configured with its default route pointing at the NetXGATE's DMZ interface.

Step 1. Configuring the DMZ interface:

    Create a network segment (e.g., 172.16.1.0/24 on the DMZ port).

1: Log in to NetXGATE NG Firewall.
2: Go to Configuration > Network Setting.
    Note- This example uses the LAN-3 port as the DMZ interface.
3: Navigate to LAN3 and click on it; the 'Network Setting' window will open.
    Under LAN Connection Type, change it to Static (Fixed IP). Default value: Disable.
4: Under Description: enter a description related to the rule being configured, for your reference.
5: In the Static Mode box, specify the following settings:

  • IP Address – Enter the interface IP address for the DMZ (e.g., 172.16.1.1).
            This IP address is the default gateway for clients within this network segment.
  • Netmask – Enter the netmask (e.g., 255.255.255.0).
  • Network Zone – Select DMZ as the zone for this interface, and leave the other settings at their defaults.

The following image shows an example of how to configure the settings:

6: Click Save and restart Service.

Step 2. Configure the Port Forward access rule:
    Create an access rule that allows HTTP traffic from the Internet to the web server residing in the DMZ.

1: Go to Configuration > Firewall / NAT and select Port Forward.
2: Click the + (Add) icon in the 'Port Forward Rules' window to add a new Port Forward.
3: Under 'Control Box', Rule Name: enter a description related to the rule being configured, for your reference.
4: Under 'Protocol Box', set Action: Forward, and for Protocol choose TCP, UDP or TCP/UDP (depending on the application; for this example we use TCP). Enable Log if you need logging for this rule.
5: Under 'Incoming Box', set Zone: WAN (this will typically be the interface that connects your NetXGATE unit to the Internet / untrusted zone).
6: Set the field Original Services / Port: 80 (for this example, the HTTP service uses port 80).
7: Under Original Destination: 111.1.1.1, enter the WAN IP address (for this example, the WAN-1 interface IP is 111.1.1.1).
For Original Destination (the WAN IP address) you can use:

  • The NetXGATE unit WAN / Public IP
  • If you have a cable or DSL connection with a dynamic IP, you can use ' Any '
  • If your ISP provides a block of IPs that route to your NetXGATE unit WAN interface, you can add one of these IPs here

8: Next, under 'Forward Address Box', set Zone: DMZ (this will typically be the interface that connects your NetXGATE unit to the DMZ network).
9: Set Server IP: 172.16.1.10 (for this example, the IP address of the web server in the DMZ zone).
10: Similarly, under Forward Service / Port: Any or 80. Default: Any.
The following image shows an example of how to configure the settings:

After making the above necessary configuration, Click Save and Restart Service.
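To sanity-check the zone policy that Steps 1 and 2 are meant to produce (WAN reaches the web server only through the port forward, internal users reach it directly as 172.16.1.10, and a compromised web server cannot reach the internal LAN), here is an added Python model of the design. It is not NetXGATE code; the LAN subnet 192.168.1.0/24, the assumption that DMZ hosts may reach the Internet, and the function names are constructed for this example.

```python
import ipaddress

# Addresses are the article's; the LAN subnet 192.168.1.0/24 is an assumption.
ZONES = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "DMZ": ipaddress.ip_network("172.16.1.0/24"),
}
WAN_IP = ipaddress.ip_address("111.1.1.1")
WEB_SERVER = ipaddress.ip_address("172.16.1.10")

# Step 2 port-forward rule: TCP/80 arriving on WAN for the WAN IP -> web server.
PORT_FORWARDS = [
    {"in_zone": "WAN", "proto": "tcp", "orig_dst": WAN_IP, "orig_port": 80,
     "to_ip": WEB_SERVER, "to_port": 80},
]

# Zone matrix: (from, to) pairs that are allowed; anything absent is denied.
ALLOWED = {
    ("LAN", "WAN"),
    ("LAN", "DMZ"),   # internal users reach the server as 172.16.1.10
    ("DMZ", "WAN"),   # assumed: server may reach the Internet (updates, etc.)
    # ("DMZ", "LAN") is deliberately absent: a compromised server is contained
}

def zone_of(ip):
    """Map an address to its zone; anything not in LAN or DMZ is WAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"

def evaluate(src, dst, port, proto="tcp"):
    """Return (action, final_dst_ip, final_dst_port) for a packet src -> dst:port."""
    src_zone = zone_of(src)
    # The port forward is matched first (the "Incoming" side of the Step 2 rule).
    for pf in PORT_FORWARDS:
        if (src_zone == pf["in_zone"] and proto == pf["proto"]
                and ipaddress.ip_address(dst) == pf["orig_dst"]
                and port == pf["orig_port"]):
            return ("forward", str(pf["to_ip"]), pf["to_port"])
    # Otherwise fall back to the zone matrix; unmatched pairs are dropped.
    if (src_zone, zone_of(dst)) in ALLOWED:
        return ("accept", dst, port)
    return ("drop", dst, port)
```

Running the checks below before saving the rule confirms that only TCP/80 to the WAN IP is forwarded and that DMZ-to-LAN traffic is dropped.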