Securing servers without NAT (DMZ)

Securing Public Servers (DMZ):

Sometimes it is preferred to host servers on a public segment or De-Militarized Zone (DMZ) and use packet filters to secure them. Most protocols (e.g. HTTP/POP3/TELNET/IMAP/SMTP) can be sufficiently secured using packet filtering. FTP is an example of a protocol that cannot be sufficiently secured with packet filtering because it uses dynamic port addressing (passive mode). If you would like to host an FTP server behind WinRoute, we recommend using NAT with port mapping for TCP port 21. WinRoute has a special module that allows FTP to function in both active and passive mode behind NAT.

In the following example we will assume that a predefined address group called DMZ LAN was defined with the IP subnet of the DMZ. The DMZ must be allowed to send and receive email using SMTP and will accept connections for HTTP and POP3. This will require four permit rules in the incoming direction of the Internet and DMZ interfaces, to ensure that only the necessary services are allowed to and from the DMZ.

As shown in the screenshot above, the first set of filters allows email to be sent from the DMZ to other Internet mail servers. The next set of rules allows the DMZ to receive email from other Internet mail servers. The next two sets of rules allow connections to the HTTP and POP3 services hosted on the DMZ. The final rule on each interface is the catch-all rule that denies any IP traffic not allowed by the filters above it.
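The rule sets described above, modelled as a small first-match packet filter so that the intended behaviour can be checked. This is an added example, not WinRoute's own configuration or rule syntax; the 'DMZ LAN' subnet, the packet shape and the evaluation semantics (stateless, first match wins, reply-direction rules and the private LAN interface left out) are assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
DMZ_LAN = ip_network("203.0.113.0/28")  # constructed stand-in for the 'DMZ LAN' address group

@dataclass(frozen=True)
class Rule:
    action: str        # "permit" or "deny"
    proto: str         # "tcp", "udp" or "any"
    src: IPv4Network   # source address group
    dst: IPv4Network   # destination address group
    dport: int         # destination TCP/UDP port; 0 matches any port

# A packet as seen on the incoming side of an interface (constructed input shape).
Packet = namedtuple("Packet", "proto src dst dport")

DENY_ALL = Rule("deny", "any", ANY, ANY, 0)   # the catch-all that closes every interface

# Incoming rules on the Internet interface: what the Internet may send into the DMZ.
INTERNET_IN = [
    Rule("permit", "tcp", ANY, DMZ_LAN, 25),    # Internet mail servers delivering SMTP to the DMZ
    Rule("permit", "tcp", ANY, DMZ_LAN, 80),    # HTTP to servers hosted on the DMZ
    Rule("permit", "tcp", ANY, DMZ_LAN, 110),   # POP3 to servers hosted on the DMZ
    DENY_ALL,
]
# Incoming rules on the DMZ interface: what the DMZ may send out to the Internet.
DMZ_IN = [
    Rule("permit", "tcp", DMZ_LAN, ANY, 25),    # the DMZ mail server sending to Internet mail servers
    DENY_ALL,
]

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and ip_address(pkt.src) in rule.src
            and ip_address(pkt.dst) in rule.dst
            and rule.dport in (0, pkt.dport))

def filter_packet(rules: list, pkt: Packet) -> str:
    """First matching rule decides; without a trailing deny a packet can fall through unmatched."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "no-match"

def catch_all_is_last(rules: list) -> bool:
    """A deny-all placed anywhere but last shadows every permit rule that follows it."""
    return rules[-1] == DENY_ALL and DENY_ALL not in rules[:-1]
```

Feeding it a packet to TCP port 21 and one to a high port both come back denied, which is the passive-FTP problem the section opens with: there is no single port a filter can permit.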

Usually in a DMZ scenario the WinRoute computer would have at least three interfaces: the Internet interface, the DMZ interface, and a LAN interface that serves the private network. In the above scenario both the inbound and the outbound filters are specific to the address group 'DMZ', so they should not affect the private network. Note that you will need to configure advanced NAT rules to exclude the DMZ segment from NAT. For DMZ network configuration refer to the section 'Deployment Examples -> Connecting Multiple Networks -> Connecting Public and Private Segments (DMZ)'.