What is a DMZ host in computers

DMZ self-built

Anyone who operates their own mail server at home or in the company is faced with a dilemma: the computer must be accessible from the Internet so that it can perform its task, but it should also be connected directly to the local network so that access from the LAN is quick. This creates a security problem, however, because if the server is on the LAN and an attacker from the Internet takes control of it, the villain has a bridgehead in the local network. This applies to every type of server, whether it exchanges e-mail, serves websites or downloads from file-sharing networks.

One solution is a buffer zone, known as the Demilitarized Zone (DMZ). Clients from the Internet can reach this part of the network, but an additional firewall seals it off from the local network. It is configured in such a way that the LAN PCs can access the servers in the DMZ, but no connections can be initiated from there into the LAN. The DMZ uses a different IP address range than the LAN and is also physically separated from it on the router; under no circumstances is a DMZ server connected to the same switch as the PCs in the local network. Good routers therefore offer a separate DMZ port or allow separation via VLANs (details on VLANs in the article "Fictitious networks" on heise Netze). Annoyingly, almost all routers in the sub-100-euro class also advertise "DMZ support", although none of them has the extra port that is absolutely necessary for it. What the marketing strategists are promoting under the wrong technical term is actually an "exposed host": the router forwards all connection requests coming from the Internet to it. The exposed host is attached to the same switch and sits in the same address range as the local network. For this reason, the firewall in none of these devices can filter the traffic between the exposed host and the LAN. Unlike a real DMZ, an exposed host does not provide more security; it opens the door to the living room for every intruder.

Inexpensive self-built

Routers with a real DMZ port cost a multiple of the cheap boxes from the electronics market. But a real DMZ can be built with two of the inexpensive devices. One is attached to the Internet as the external router; those who prefer grander terminology call it the "border gateway". The DMZ server(s) and the second router, which separates the local network from the DMZ, hang on its inside. The two routers can be identical so that you only have to familiarize yourself with the configuration once. Otherwise there is no advantage to this, so no problems are to be expected when combining an existing device with a second one bought cheaply.

The two routers can be of the same type so that you do not have to familiarize yourself with two different configuration interfaces. However, this increases the risk of mixing up the different settings. The requirements for the devices differ little: the WAN interface of the inner, secondary router should transmit at least 100 Mbit/s so that it does not slow down access from the LAN to the DMZ server. The WAN interface of the external router, on the other hand, only has to match the Internet line. A router with an integrated DSL modem can be installed here, or one with a slow Ethernet port if the Internet bandwidth is not that high. However, this router should have a sophisticated packet filter to seal off the DMZ server and to make its own configuration pages available only to selected computers.

As usual, the external router serves the DSL line via PPPoE with the access data from the provider; the admin deactivates the idle timeout and activates "Keep Alive" so that the connection always exists. If the feature is available, the router announces its external address via DynDNS; otherwise a corresponding program runs on the DMZ server. Port forwarding ("virtual server") to the server is set up in the router so that it forwards only packets for the port on which the server is listening. For further protection, a filter should be set up if possible that forwards packets from the server to the Internet only when they carry this source port. The DHCP server is deactivated on the LAN side of the external router, because in this network, the DMZ, there are only the server and the secondary router, which need fixed IP addresses anyway. The router's configuration access must be locked with a secure password. In addition, the configuration pages must be reachable only from the IP address of the secondary router, so that a hacker who takes over the DMZ server cannot change the settings. If the router's firmware does not allow such a restriction, the administrator must restrict access using filter rules.


The secondary router receives an address on its external interface from the local network of the external router (see figure). This option is usually found under "Fixed IP", "DHCP client" or a similar name in the configuration interface. Enter the internal address of the external router as "Gateway", "Standard gateway" or "Default route". On the LAN side, the administrator activates the DHCP server and lets it distribute IP addresses from a different range than that of the DMZ. The DNS address is a bit hairier: if the external router, as is usual with modern devices, contains a DNS proxy, its address is entered in the DHCP server configuration of the secondary router. If you use an antique without a DNS proxy as the external router, you have to enter the provider's DNS server addresses in the DHCP server. The routing settings on either router need not be touched, and any routing protocols that may be offered, such as RIP, remain deactivated. This is because both the external and the secondary router translate all addresses of the connected devices to that of their external interface (Network Address Translation, NAT). This means that a connection to the LAN cannot be established from the DMZ, an important part of the security concept. This double NAT does not cause any problems even with protocols that are difficult to translate, such as FTP and ping, as long as each router can handle them individually. Applications that want to reconfigure the external router from the LAN via Universal Plug & Play (UPnP) fail, however, because they only see the secondary router. (each)
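As an added example (not from the article), the filter rules that implement the two-router setup described above, assuming both routers run Linux with iptables (e.g. OpenWrt); the interface names, address ranges and the mail port 25 are assumptions:

```shell
#!/bin/sh
# Constructed example: packet-filter rules for the two routers of a self-built
# DMZ. Assumes both run Linux with iptables (e.g. OpenWrt); interface names,
# address ranges and the service port are assumptions, not from the article.
WAN_IF=eth0                 # border router, Internet side
DMZ_IF=eth1                 # border router, DMZ side
DMZ_SERVER=192.168.200.10   # assumed fixed address of the DMZ server
INNER_WAN=192.168.200.2     # assumed fixed DMZ address of the secondary router
LAN_NET=192.168.1.0/24      # assumed LAN range behind the secondary router
SERVER_PORT=25              # mail server, as in the article's scenario

# Border router. Pass "echo" as $1 to print the rules instead of applying them.
border_rules() {
  IPT="${1:-iptables}"
  $IPT -P INPUT DROP          # nothing reaches the router itself by default
  $IPT -P FORWARD DROP        # nothing is forwarded by default
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # configuration pages reachable only from the secondary router
  $IPT -A INPUT -i "$DMZ_IF" -s "$INNER_WAN" -p tcp --dport 80 -j ACCEPT
  # the DMZ server still needs name resolution: let it use the DNS proxy
  $IPT -A INPUT -i "$DMZ_IF" -s "$DMZ_SERVER" -p udp --dport 53 -j ACCEPT
  # port forwarding: only the service port is handed to the DMZ server
  $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$SERVER_PORT" \
    -j DNAT --to-destination "$DMZ_SERVER:$SERVER_PORT"
  $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$DMZ_SERVER" \
    -p tcp --dport "$SERVER_PORT" -j ACCEPT
  # the server may open connections to the Internet only from its service port
  $IPT -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$DMZ_SERVER" \
    -p tcp --sport "$SERVER_PORT" -j ACCEPT
  # the secondary router (and thus the LAN behind it) gets normal Internet access
  $IPT -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$INNER_WAN" -j ACCEPT
  $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Secondary router (eth0 = DMZ side, eth1 = LAN side): NAT towards the DMZ,
# no port forwards, so no new connection from the DMZ can enter the LAN.
inner_rules() {
  IPT="${1:-iptables}"
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -i eth1 -s "$LAN_NET" -j ACCEPT            # LAN may configure it
  $IPT -A FORWARD -i eth1 -o eth0 -s "$LAN_NET" -j ACCEPT  # LAN -> DMZ/Internet
  $IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
}
```

Run `border_rules echo` and `inner_rules echo` to review the generated rules before applying them; without the argument the functions call iptables directly.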