
A DMZ, or demilitarized zone, is a physical or logical subnetwork that contains and exposes an organization's external-facing services to a larger untrusted network, usually the Internet. Information technology professionals normally refer to it simply as the DMZ; it is sometimes also called a perimeter network. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN): an external attacker who compromises an exposed service gains a foothold only on equipment in the DMZ, rather than on any other part of the network.

Hosts in the DMZ have only limited connectivity to specific hosts in the internal network, while communication with other hosts in the DMZ and with the external network is allowed. This lets hosts in the DMZ provide services to both the internal and the external network, while an intervening firewall controls the traffic between the DMZ servers and the internal network clients.

A DMZ configuration provides protection against external attacks, but it has no bearing on internal attacks such as sniffing communication with a packet analyzer, or spoofing such as e-mail spoofing.

Services in the DMZ

Any service that is provided to users on the external network can be placed in the DMZ. The most common of these services are:

• web servers
• mail servers
• FTP servers
• VoIP servers
• DNS servers

IP Addressing Scheme

A DMZ can use either public or private IP addresses, depending on its architecture and firewall configuration. If you use public addresses, you will usually need to subnet the IP address block that your ISP has assigned to you, so that you have two separate network IDs: one for the external interface of your firewall and one for the DMZ network.

When you subnet your IP address block, you must also configure your router with a route to the DMZ subnet, so that it knows how to reach it.

You can also create a DMZ within the same network ID that you use for your internal network by using virtual LAN (VLAN) tagging. This is a method of partitioning traffic that shares a common switch by creating virtual local area networks, as described in the IEEE 802.1Q standard, which defines a standard way of tagging Ethernet frames with information about VLAN membership. A VLAN separates traffic only as well as the switch and firewall configuration that enforces it; a misconfigured trunk port lets DMZ and internal traffic mix.

If you use private IP addresses for the DMZ, you will need a Network Address Translation (NAT) device to translate the private addresses to a public address at the Internet edge. Some firewalls provide address translation themselves.

DMZ Models:

- Single firewall (three-legged model)
- Dual firewall

When you use a single firewall to create a DMZ, it is called a trihomed DMZ, because the firewall computer or appliance has interfaces to three separate networks:

1. The internal interface to the trusted network (the internal LAN)
2. The external interface to the untrusted network (the public Internet)
3. The interface to the semi-trusted network (the DMZ)

In the dual-firewall model the DMZ sits between a front-end firewall facing the Internet and a back-end firewall facing the LAN, so an attacker has to get through two separately configured devices to reach the internal network.
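The policy a trihomed firewall enforces between its three legs can be written down and checked. The following is an added example, not part of the original text: a first-match, default-deny rule set over the three zones, with constructed addresses (internal LAN 10.0.0.0/24, DMZ 192.168.100.0/24, everything else external) and constructed hosts (a DMZ web server and mail relay, an internal database). It shows the "limited connectivity to specific hosts" point from above: only the web server may reach the database, and only on its service port, so a compromised mail relay gets nothing. The audit function is the check a reviewer would run on any such rule set: no rule may allow external traffic straight into the LAN.

```python
"""Zone policy for a three-legged (trihomed) DMZ firewall.

Added example with constructed addresses: the internal LAN is 10.0.0.0/24,
the DMZ is 192.168.100.0/24 and any other address is treated as external.
Rules are evaluated top to bottom, first match wins, and the default is deny.
"""
from collections import namedtuple
from ipaddress import ip_address, ip_network

ZONES = {
    "internal": ip_network("10.0.0.0/24"),
    "dmz": ip_network("192.168.100.0/24"),
}
WEB = ip_address("192.168.100.10")    # DMZ web server (constructed)
MAIL = ip_address("192.168.100.25")   # DMZ mail relay (constructed)
DB = ip_address("10.0.0.50")          # internal database the web app needs (constructed)

# None in a host, proto or port field means "any"
Rule = namedtuple("Rule", "src_zone dst_zone src_host dst_host proto dport action")
RULES = [
    Rule("external", "dmz", None, WEB, "tcp", 443, "allow"),
    Rule("external", "dmz", None, MAIL, "tcp", 25, "allow"),
    # The only DMZ -> internal path: the web server to the database, nothing else.
    Rule("dmz", "internal", WEB, DB, "tcp", 5432, "allow"),
    Rule("dmz", "dmz", None, None, None, None, "allow"),
    Rule("dmz", "external", None, None, None, None, "allow"),
    Rule("internal", "dmz", None, None, None, None, "allow"),
    Rule("internal", "external", None, None, None, None, "allow"),
]


def zone_of(addr):
    """Map an address to its zone; anything outside the known nets is external."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "external"


def evaluate(src, dst, proto, dport):
    """Return ("allow"|"deny", matching rule or None) for one connection attempt."""
    src, dst = ip_address(src), ip_address(dst)
    sz, dz = zone_of(src), zone_of(dst)
    for rule in RULES:
        if rule.src_zone != sz or rule.dst_zone != dz:
            continue
        if rule.src_host is not None and rule.src_host != src:
            continue
        if rule.dst_host is not None and rule.dst_host != dst:
            continue
        if rule.proto is not None and rule.proto != proto:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action, rule
    return "deny", None


def rules_exposing_internal():
    """Audit check: no rule may let external traffic straight into the LAN.
    A non-empty result means the DMZ is not doing its job."""
    return [r for r in RULES
            if r.src_zone == "external" and r.dst_zone == "internal" and r.action == "allow"]


if __name__ == "__main__":
    probes = [("198.51.100.7", WEB, "tcp", 443),   # Internet -> web server
              ("198.51.100.7", DB, "tcp", 5432),   # Internet -> database
              (WEB, DB, "tcp", 5432),              # web server -> database
              (MAIL, DB, "tcp", 5432)]             # compromised mail relay -> database
    for probe in probes:
        action, _ = evaluate(*probe)
        print(f"{probe[0]} -> {probe[1]}:{probe[3]}/{probe[2]}: {action}")
    assert not rules_exposing_internal()
```

The rule set deliberately has no catch-all "allow" for dmz -> internal; the default deny at the end of evaluate() is what makes the DMZ a containment boundary rather than just another subnet.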

What is Port Mapping?

Port Mapping is an advanced WinRoute feature that allows servers to be hosted securely behind NAT. Internet servers listen on well-known ports for unsolicited inbound connections; in other words, the server does not know in advance where a connection will come from. Examples of well-known ports include HTTP (TCP port 80), SMTP (TCP port 25) and Telnet (TCP port 23). If such well-known services are to be reachable from the Internet, port mapping must be used so that NAT makes exceptions for these services by redirecting the inbound connections to the appropriate local server.

Purpose

Port forwarding allows remote computers, for example computers on the Internet, to connect to a specific computer or service within a private local area network (LAN).

Typical applications include the following:

• Running a public HTTP server within a private LAN
• Permitting Secure Shell access to a host on the private LAN from the Internet
• Permitting FTP access to a host on the private LAN from the Internet

Advantages of Port Forwarding

Port forwarding basically allows an outside computer to connect to a computer in a private local area network. Commonly forwarded ports include port 21 for FTP access and port 80 for web servers. To achieve this, operating systems such as Mac OS X and BSD (Berkeley Software Distribution) use the ipfirewall (ipfw) packet filter built into the kernel to perform port forwarding, while Linux uses iptables. Whatever the tool, a forwarded port is a deliberate hole in the perimeter: forward only the ports a service actually needs, and only to the host that provides it.

Double Port Forwarding and Reverse Port Forwarding

There are many variations of port forwarding. One of them is double port forwarding. As its name suggests, double port forwarding chains forwards across multiple routers: the gateway that holds the external IP address forwards a port to an inner router, which in turn forwards it to a host on its own local area network.
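Port mapping, as described in the sections above, is destination NAT with a connection table: the gateway rewrites the destination of an inbound connection that hits a mapped public port, remembers it, and rewrites the source of the replies so the remote peer keeps seeing the public address. The following added example (not from the page or from any NAT product) models that, and generalizes it to the double forwarding just described by chaining two gateways. All addresses and mappings are constructed; the mapping 2222 -> 22 shows that the public and inside ports need not be the same.

```python
"""Port mapping (destination NAT) at a gateway, and chaining two gateways.

Added example; all addresses are constructed. A packet is modelled as its
4-tuple; the gateway rewrites the destination of inbound connections that hit
a mapped public port, records the connection, and rewrites the source of the
replies so the remote peer keeps talking to the public address.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src sport dst dport")


class NatGateway:
    def __init__(self, public_ip, port_map):
        self.public_ip = public_ip
        self.port_map = dict(port_map)   # public port -> (inside host, inside port)
        self.conntrack = {}              # (inside host, inside port, peer, peer port) -> public port

    def inbound(self, flow):
        """Connection arriving on the external interface. Returns the rewritten
        flow delivered inside, or None if the packet is dropped."""
        if flow.dst != self.public_ip:
            return None
        target = self.port_map.get(flow.dport)
        if target is None:
            return None  # unsolicited connection to an unmapped port: NAT drops it
        host, port = target
        self.conntrack[(host, port, flow.src, flow.sport)] = flow.dport
        return Flow(flow.src, flow.sport, host, port)

    def outbound(self, flow):
        """Reply from the inside host. The source is translated back to the public
        address and port the peer originally connected to."""
        pub_port = self.conntrack.get((flow.src, flow.sport, flow.dst, flow.dport))
        if pub_port is None:
            return None  # not a reply to a mapped connection; outbound NAT is out of scope here
        return Flow(self.public_ip, pub_port, flow.dst, flow.dport)


def forward_chain(gateways, flow):
    """Double port forwarding: push the connection through each gateway in turn,
    outermost first. Any hop that drops it ends the chain."""
    for gw in gateways:
        flow = gw.inbound(flow)
        if flow is None:
            return None
    return flow


# Constructed topology: the edge firewall maps 80 -> DMZ web server and
# 2222 -> SSH on a DMZ jump host; 8080 is forwarded to an inner router that
# itself maps 80 -> a host on its LAN.
EDGE = NatGateway("203.0.113.10", {80: ("192.168.100.10", 80),
                                    2222: ("192.168.100.20", 22),
                                    8080: ("10.0.0.2", 80)})
INNER = NatGateway("10.0.0.2", {80: ("192.168.1.10", 80)})


def demo():
    """Run the four interesting cases and return their results."""
    peer = Flow("198.51.100.7", 40000, "203.0.113.10", 80)
    inside = EDGE.inbound(peer)                                  # -> 192.168.100.10:80
    reply = EDGE.outbound(Flow(inside.dst, inside.dport, inside.src, inside.sport))
    dropped = EDGE.inbound(Flow("198.51.100.7", 40001, "203.0.113.10", 23))  # telnet not mapped
    chained = forward_chain([EDGE, INNER], Flow("198.51.100.7", 40002, "203.0.113.10", 8080))
    return inside, reply, dropped, chained


if __name__ == "__main__":
    for name, f in zip(("inside", "reply", "dropped", "chained"), demo()):
        print(name, f)
```

Note that the model does pure destination NAT and leaves the peer's source address untouched, so the inner host still sees the real client address; real double-NAT setups often also rewrite the source at each hop, which is why logs on the inner host may show only the outer router's address.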

There is also reverse port forwarding, also known as reverse port tunneling. It involves two components, a session server and a session client. The session client, on the restricted side, initiates an outbound connection to the session server and asks it to listen on a chosen port. When something connects to that port, the session server forwards the connection back over the established session to the session client, which delivers it to a destination reachable from its side. This is used when a port behind a router or firewall must be reached but the router or firewall does not allow inbound access to it; because the tunnel is set up from the inside out, it passes such devices, which is also why a security team should treat unexpected outbound tunnels as a perimeter bypass.
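The exchange described above, as an added example that is not part of the original text: a minimal reverse tunnel over the loopback interface, with the page's two roles plus a constructed echo service standing in for the host behind the firewall. The session client dials out to the session server; the session server then accepts one connection on the forwarded port and relays it back over the session to the client, which splices it to the local destination. Ports are ephemeral so the demo can run anywhere; only one connection is relayed, whereas a real tool such as ssh -R multiplexes many over one session.

```python
"""Reverse port forwarding (reverse tunnel) over the loopback interface.

Added example, not from the original page. Roles follow the page's terms: the
session client sits on the restricted side and dials OUT to the session server;
the session server then listens on the forwarded port and relays whatever
connects there back over the session to a destination the client can reach.
The destination is a constructed echo service. Only one connection is relayed.
"""
import socket
import threading

TIMEOUT = 5


def _listen():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))          # ephemeral port, read back with getsockname()
    s.listen(1)
    s.settimeout(TIMEOUT)
    return s


def _accept(listener):
    conn, _ = listener.accept()
    conn.settimeout(TIMEOUT)
    return conn


def _pipe(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so EOF propagates."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _splice(a, b):
    """Relay both directions between sockets a and b until both sides hit EOF."""
    t = threading.Thread(target=_pipe, args=(a, b))
    t.start()
    _pipe(b, a)
    t.join()
    a.close()
    b.close()


def echo_service(listener):
    """Stand-in for the service behind the firewall: echoes what it receives."""
    with _accept(listener) as conn:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            conn.sendall(data)


def session_server(control_listener, forward_listener):
    """Outside: wait for the inside client's session, then relay one external
    connection from the forwarded port across it."""
    session = _accept(control_listener)
    external = _accept(forward_listener)
    _splice(external, session)


def session_client(control_port, dest_port):
    """Inside: connect out to the session server (an outbound connection the
    firewall permits) and splice that session to the local destination."""
    session = socket.create_connection(("127.0.0.1", control_port), timeout=TIMEOUT)
    dest = socket.create_connection(("127.0.0.1", dest_port), timeout=TIMEOUT)
    _splice(session, dest)


def run_demo(payload=b"hello through the reverse tunnel"):
    """Bring up all three roles, connect as an external user to the forwarded
    port, and return what comes back (the echo of payload)."""
    svc, ctl, fwd = _listen(), _listen(), _listen()
    threads = [
        threading.Thread(target=echo_service, args=(svc,)),
        threading.Thread(target=session_server, args=(ctl, fwd)),
        threading.Thread(target=session_client,
                         args=(ctl.getsockname()[1], svc.getsockname()[1])),
    ]
    for t in threads:
        t.start()
    ext = socket.create_connection(("127.0.0.1", fwd.getsockname()[1]), timeout=TIMEOUT)
    ext.sendall(payload)
    ext.shutdown(socket.SHUT_WR)      # we are done sending; wait for the echo
    chunks = []
    while True:
        data = ext.recv(4096)
        if not data:
            break
        chunks.append(data)
    ext.close()
    for t in threads:
        t.join(TIMEOUT)
    for s in (svc, ctl, fwd):
        s.close()
    return b"".join(chunks)


if __name__ == "__main__":
    print(run_demo())
```

The half-close in _pipe is what makes the relay terminate cleanly: each side's EOF is forwarded as a shutdown on the next hop instead of a full close, so data still in flight in the other direction is not cut off. Nothing in this demo authenticates the session client; a real reverse tunnel needs the session itself to be authenticated and encrypted, which is exactly what SSH supplies.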
