Secure Your Home Network by Creating a DMZ

I recently purchased a useful gadget called CloudShell to house my ARM-based big.LITTLE octa core processor board called Odroid XU4 and a SATA 2.5 inch hard disk. My plan is to use it as a home server to expose services that can be accessed from the Internet. But before I open up the firewall to allow access to this server from the Internet, I want to make sure proper security is in place. The major requirement is that even if this server has been compromised, intruders cannot make use of this server to access my other home computers, tablets, mobile phones and file servers on the home network.

Most home networks are set up like that shown in the following diagram.

[Figure: Typical Home Network Setup]

All home wireless routers these days have an inbuilt firewall that protects the home network from the Internet. In such a setup, once a computer on the Internal LAN has been compromised, the intruder has access to the whole Internal LAN. The chance of the server being compromised increases immensely if the server can be accessed from the Internet.

A DMZ (demilitarised zone) is a conceptual network design in which publicly accessible servers are placed on a separate, isolated network segment. The intention of a DMZ is to ensure that publicly accessible servers cannot contact other internal network segments in the event that a server is compromised. Although most home routers have something called a DMZ Host, strictly speaking this is not a true DMZ. A home router DMZ host is a host on the internal network that has all ports exposed to the Internet, except those ports otherwise forwarded; it is often used as a simple method to forward all ports to another firewall/NAT device.

The DMZ design I’ve chosen for my Home Network is shown below.

[Figure: My Home Network DMZ Setup]

Main features of my Home Network DMZ setup include:

  • This setup requires 2 wireless routers instead of the 1 in a typical Home Network setup
  • Wireless Router/Firewall #1 is configured with port forwarding to the servers/services connected to the Public LAN (192.168.1.0/24). Only services accessed from the Internet need to have their ports forwarded by the firewall
  • The wireless radio on Wireless Router/Firewall #1 has been switched off to save energy, as there is no need for anything to connect to Wireless Router/Firewall #1 wirelessly
  • Servers/services on the Public LAN can be accessed either via the Internet or from the Internal LAN
  • One LAN port on Wireless Router/Firewall #1 is connected to the WAN port of Wireless Router/Firewall #2
  • All computers on the Internal LAN (192.168.2.0/24) can access the Public LAN owing to NAT (Network Address Translation)
  • Computers on the Public LAN cannot access the Internal LAN, as it is protected by Wireless Router/Firewall #2. This means that even if a server on the Public LAN is compromised, it cannot be used to access the Internal LAN
  • Computers on both the Public and Internal LANs can access the Internet
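After cabling this up, the isolation claims in the list above are worth verifying rather than assuming. The following check script is an added example, not part of the original post: run from a host on the Public LAN it expects connections into 192.168.2.0/24 to be silently dropped by Router/Firewall #2, and run from the Internal LAN it expects the Public LAN server to be reachable through NAT. The host numbers .10 (the XU4 server) and .20 (an internal desktop) are constructed placeholders within the article's two address ranges.

```python
"""Probe TCP reachability between the Public and Internal LAN segments."""
import socket
import sys


def probe(host, port, timeout=3.0):
    """Single TCP connect. Returns 'open', 'refused', 'timeout' or 'unreachable'.
    Only 'timeout' (packets silently dropped) is evidence that a firewall sits in
    the path; 'refused' means the packet reached a host that answered with a RST,
    i.e. routing between the segments works and only that service is down."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:        # subclass of OSError, so test it first
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError:                       # e.g. EHOSTUNREACH / ENETUNREACH
        return "unreachable"


# Expected results per vantage point: (host, port, set of acceptable results).
# Addresses ending .10 and .20 are constructed placeholders, not from the article.
EXPECTATIONS = {
    "public-lan": [                               # run from 192.168.1.0/24
        ("192.168.2.1", 80, {"timeout", "unreachable"}),   # router #2 admin page
        ("192.168.2.20", 22, {"timeout", "unreachable"}),  # internal desktop
    ],
    "internal-lan": [                             # run from 192.168.2.0/24
        ("192.168.1.10", 22, {"open"}),                    # XU4 server via NAT
    ],
}


def check(vantage, expectations=EXPECTATIONS, probe_fn=probe):
    """Return [(host, port, observed)] for every expectation that is not met."""
    violations = []
    for host, port, acceptable in expectations[vantage]:
        observed = probe_fn(host, port)
        if observed not in acceptable:
            violations.append((host, port, observed))
    return violations


if __name__ == "__main__":
    where = sys.argv[1] if len(sys.argv) > 1 else "public-lan"
    bad = check(where)
    for host, port, observed in bad:
        print(f"VIOLATION from {where}: {host}:{port} -> {observed}")
    sys.exit(1 if bad else 0)
```

A `refused` result from the Public LAN vantage point is the case to investigate: it means Router/Firewall #2 let the SYN through and the Internal LAN is not actually isolated.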


3 thoughts on “Secure Your Home Network by Creating a DMZ”

  1. Because you have one “NAT” router behind another “NAT” router, do you not have all the problems of “double NAT” on the internal LAN for applications interacting with Internet services?

    Would not something like a Ubiquiti Edge provide a better solution so that there are two distinct local networks but only one router?

    1. You are making a good point. I should have covered this in the article. Using double NAT can be good and bad depending on your use case. If you are after extra security, and understand and are OK with all the implications, by all means, do it. You may find the following article interesting:
      https://www.grc.com/nat/nat.htm
      And in my double NAT configuration, all Internet-facing servers/services are on the public LAN which has no restrictions. The Internal LAN may have some restrictions, e.g. joining network games, etc. But you have a choice to use the Public LAN. And the Internal LAN is always secure.
      If that is not acceptable to your use case or objective, there are different ways of resolving it. The simplest way I can think of is to configure the Internet-facing router to use the second router as the DMZ host. In this configuration, all services, except for the ones configured for port forwarding on the Internet-facing router, will be directed to the second router.
      Hope this answers your question.

      Mr. DreamBot

  2. Thanks for the detailed response, with the key point being —

    “all Internet-facing servers/services are on the public LAN which has no restrictions.”
