A DMZ protects your servers from the local intranet and your intranet from your publicly
accessible servers. It works by placing each portion of your network on a different IP
network, with a firewall deciding what may pass between them. Let's take a look at two examples. The first is my own home network setup.
I have two publicly accessible systems that provide Web hosting, FTP access, an IRC server,
and so forth. Both run nothing but public-facing services. My local LAN, which
consists of three Linux desktop machines, one Linux laptop, and a Windows 98 system, is separated
from the two servers, which sit in a DMZ.
The two servers each have their own static, publicly routable Internet IP address. My local
LAN uses the private network 192.168.1.0/24 (traditionally called a Class C), with usable addresses
192.168.1.1 to 192.168.1.254. I have a number of static IP addresses from my ISP, but I only use
three of them: two for the public servers and the third as the WAN address of the gateway for my LAN.
My ADSL connection comes in and is connected to a 10/100 switch. My two servers, each with its own
public IP address, are connected to that switch, giving them direct access to the Internet. Each
server is protected by its own host-based software firewall. The third static IP address is assigned
to a firewall/router appliance that is also connected to the switch.
Connected to the LAN side of the router is another 10/100 switch, to which my LAN computers are connected.
The result is that traffic flows straight through the ADSL modem to and from my two servers, while
the router provides firewall and NAT services to the local LAN. This means that although my two
servers are within 20 feet of my desktop computers, my desktop machines treat them as
external Internet hosts, exactly as they would any other remote Web site. The two servers know
absolutely nothing about my internal network, and any connection to my own Web sites from the LAN is seen
by the server as coming from just another IP address allotted by my ISP (the router's WAN address).
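The forwarding policy the firewall/router has to enforce for the setup above, written as an added example (not code from the original page): a small stateful model of the gateway, plus the equivalent nftables ruleset it implies. The LAN prefix 192.168.1.0/24 is from the text; the public addresses (203.0.113.0/29, RFC 5737 documentation space), the interface names lan0/wan0, and the sample packets are assumptions standing in for the ISP-allotted block the page does not list.

```python
"""
Model of the gateway policy behind a home DMZ: LAN hosts may open
connections to anything outside (including the two public servers),
replies to those connections are let back in, and nothing outside,
whether a DMZ server or the wider Internet, may open a new connection
into the NAT'd LAN.  Added example; addresses other than the LAN
prefix are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# From the text: the LAN is the private /24 behind the router's NAT.
LAN = ip_network("192.168.1.0/24")
# Assumed stand-in for the ISP-allotted static block (RFC 5737 space).
PUBLIC_BLOCK = ip_network("203.0.113.0/29")
WEB_SERVER = "203.0.113.2"   # assumed: first public server
FTP_SERVER = "203.0.113.3"   # assumed: second public server
ROUTER_WAN = "203.0.113.4"   # assumed: third static IP, router WAN side
LAN_IF, WAN_IF = "lan0", "wan0"   # assumed interface names on the router


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool   # True for the first packet of a TCP flow


def segment(addr: str) -> str:
    """Classify an address by which side of the router it lives on."""
    a = ip_address(addr)
    if a in LAN:
        return "lan"
    if a in PUBLIC_BLOCK:
        return "dmz"        # the servers and the router's WAN interface
    return "internet"


class StatefulFirewall:
    """Minimal connection tracker: a flow is allowed back into the LAN
    only if a LAN host opened it."""

    def __init__(self) -> None:
        self.flows: set[tuple[str, str, int, int]] = set()

    def forward(self, pkt: Packet) -> str:
        # Reply to a flow the LAN opened: accept (ct state established).
        if (pkt.dst, pkt.src, pkt.dport, pkt.sport) in self.flows:
            return "accept"
        # LAN hosts may initiate anything outbound; remember the flow.
        if segment(pkt.src) == "lan" and segment(pkt.dst) != "lan":
            if pkt.syn:
                self.flows.add((pkt.src, pkt.dst, pkt.sport, pkt.dport))
            return "accept"
        # Everything else entering the LAN is dropped.  A compromised DMZ
        # server hits this rule exactly like a random Internet host would.
        return "drop"


def render_nftables() -> str:
    """The same policy as an nftables ruleset for the router (assumed
    interface names; masquerade hides the LAN behind the WAN address)."""
    return f"""table inet gateway {{
    chain forward {{
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "{LAN_IF}" ip saddr {LAN} accept
    }}
}}
table ip nat {{
    chain postrouting {{
        type nat hook postrouting priority 100;
        oifname "{WAN_IF}" ip saddr {LAN} masquerade
    }}
}}"""


if __name__ == "__main__":
    fw = StatefulFirewall()
    desktop = "192.168.1.10"   # constructed sample LAN host
    print(fw.forward(Packet(desktop, WEB_SERVER, 40000, 80, syn=True)))   # accept
    print(fw.forward(Packet(WEB_SERVER, desktop, 80, 40000, syn=False)))  # accept
    print(fw.forward(Packet(WEB_SERVER, desktop, 51000, 22, syn=True)))   # drop
    print(render_nftables())
```

The key line is the chain's default `policy drop` combined with the single `ct state established,related accept` rule: there is deliberately no rule that distinguishes the two servers' addresses from the rest of the Internet, which is what makes them "just another remote host" to the LAN.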
Because of this, if one of my servers is compromised, the attacker has no easy path into my
local network. There is no direct route from the servers to the LAN; the only way in is still
through the firewall/router appliance. If the attacker were to try to use one of my
servers to reach the LAN, they would face exactly the same obstacles as if they were attacking
directly from their own system. The one thing the design does not isolate is the public segment itself:
the two servers and the router's WAN port share a switch, so a compromised server can still talk
freely to the other server and can see and interfere with the router's WAN-side traffic (ARP spoofing,
for instance), which is why the stateful firewall on the router, not the physical separation, carries the
weight. There are no back alleys to my