I recently purchased a useful gadget called CloudShell to house my ARM-based big.LITTLE octa-core processor board, the Odroid XU4, together with a 2.5-inch SATA hard disk. My plan is to use it as a home server to expose services that can be accessed from the Internet. But before I open up the firewall to allow access to this server from the Internet, I want to make sure proper security is in place. The major requirement is that even if this server is compromised, intruders cannot use it to reach my other home computers, tablets, mobile phones and file servers on the home network.
Most home networks are set up like that shown in the following diagram.
All home wireless routers these days have an inbuilt firewall to protect the Home Network from the Internet. In such a setup, once a computer on the Internal Lan has been compromised, the intruder has access to the whole Internal Lan. The chances of the server being compromised increase immensely if it can be accessed from the Internet.
A DMZ (Demilitarised Zone) is a conceptual network design in which publicly accessible servers are placed on a separate, isolated network segment. The intention of a DMZ is to ensure that publicly accessible servers cannot contact other internal network segments in the event that a server is compromised. Although most home routers have something called a DMZ Host, strictly speaking this is not a true DMZ. A home router DMZ host is a host on the internal network that has all ports exposed, except those ports otherwise forwarded; it is often used as a simple method to forward all ports to another firewall/NAT device.
The DMZ design I’ve chosen for my Home Network is shown below.
Main features of my Home Network DMZ setup include:
- This setup requires 2 wireless routers instead of 1 in a typical Home Network setup
- Wireless Router/Firewall #1 is configured with Port Forwarding to the Servers/Services connected to the Public Lan (192.168.1.0/24). Only services accessed from the Internet need to have their ports forwarded by the firewall
- The wireless radio on Wireless Router/Firewall #1 has been switched off to save energy, as nothing needs to connect to that router wirelessly
- Servers/services on the Public Lan can be accessed either from the Internet or from the Internal Lan
- One Lan port on the Wireless Router/Firewall #1 is connected to the WAN port of the Wireless Router/Firewall #2
- All computers on the Internal Lan (192.168.2.0/24) can access the Public Lan owing to NAT (Network Address Translation)
- Computers on the Public Lan cannot access the Internal Lan, as it is protected by Wireless Router/Firewall #2. This means that even if a server on the Public Lan is compromised, it cannot be used to access the Internal Lan
- Computers on both the Public and Internal Lans can access the Internet
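To sanity-check the reachability claims in the list above, here is a small model of the two-router design (an added example, not code from the original post). It assumes each router is a stateful NAT device that passes new flows from its LAN side to its WAN side and drops unsolicited flows the other way unless a port forward exists; the server address 192.168.1.10, the forwarded ports and the sample hosts are constructed values.

```python
# Model of the two-router home DMZ: Internal Lan (192.168.2.0/24) sits behind
# Router #2, whose WAN port is on the Public Lan (192.168.1.0/24), which in turn
# sits behind Router #1 facing the Internet. Addresses below are constructed.
from ipaddress import ip_address, ip_network

PUBLIC_LAN = ip_network("192.168.1.0/24")    # DMZ segment behind Router #1
INTERNAL_LAN = ip_network("192.168.2.0/24")  # protected segment behind Router #2

# Router #1 port forwards: Internet-facing port -> server on the Public Lan.
# Constructed: only services meant to be reachable from the Internet belong here.
PORT_FORWARDS = {22: ip_address("192.168.1.10"), 443: ip_address("192.168.1.10")}

# Zones ordered from innermost (0) to outermost (2); each step outward crosses
# one stateful NAT router.
ORDER = {"internal": 0, "public": 1, "internet": 2}


def zone(addr):
    """Classify an address into the zone it lives in."""
    a = ip_address(addr)
    if a in INTERNAL_LAN:
        return "internal"
    if a in PUBLIC_LAN:
        return "public"
    return "internet"


def flow_allowed(src, dst, dport):
    """Can a NEW connection from src reach dst on TCP/UDP port dport?"""
    s, d = zone(src), zone(dst)
    if ORDER[s] <= ORDER[d]:
        # Same zone, or outbound: NAT routers pass LAN-to-WAN flows.
        return True
    if d == "internal":
        # Inbound to the Internal Lan crosses Router #2, which forwards nothing.
        return False
    # Inbound to the Public Lan crosses Router #1: only its port forwards pass.
    return PORT_FORWARDS.get(dport) == ip_address(dst)


def reachable_from(src, targets, dport=22):
    """Which of the sample targets a new flow from src may reach on dport."""
    return [t for t in targets if flow_allowed(src, t, dport)]


if __name__ == "__main__":
    # What a compromised DMZ server could open connections to (constructed hosts):
    print(reachable_from("192.168.1.10", ["192.168.2.5", "192.168.1.20", "203.0.113.7"]))
```

The model reproduces each bullet: Internal to Public and to the Internet is allowed, Public to Internal is always dropped, and Internet to Public succeeds only for a forwarded port on the forwarded server.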