Today I'm attempting to demystify a thought process around DMZs (Demilitarized Zones).
A DMZ is an extremely useful method for providing network security. It can be used in a variety of ways and varies greatly in complexity. This post assumes you have a basic understanding of what a DMZ is.
The mystery I would like to pull the curtain back on in this post is home routers and their built-in "DMZ" capabilities.
In a previous post, "Why are guest networks important?", I highlight the benefit of having a guest network.
So, what is the difference between a guest network and a DMZ (home router)? The difference is actually huge.
When we think about a DMZ, the first image that comes to mind may be an isolated area protecting data that only approved admins can access. That can be true, but it can also be the opposite: a DMZ facing the internet, with a web server sitting in it. That's the glory of a DMZ. I can isolate assets and restrict access to them, or I can expose a single service to the world while keeping it walled off from everything else. However I want to build out my infrastructure, there is a DMZ design that fits.
DMZs are nice because they provide an additional layer of security. The segment can be locked down so that a compromised host inside it cannot reach the rest of the network, which makes an attacker's work that much more difficult.
The problem with the "DMZ" feature on home routers is that it uses a word associated with security and then does the opposite.
It is giving people false hope.
When I select DMZ on my home router (the process is very similar on most consumer appliances), what I am actually doing is telling the router to forward every unsolicited inbound connection, on every port, to one machine on my network. The protection the NAT firewall was giving that machine is gone entirely, and the machine is still sitting on the same flat LAN as every other device you own.
Some internet resources say you should put gaming systems in this kind of configuration. The justification is that it makes things "faster." This is silliness. If a game truly needs an inbound port, forward that one port; don't open all 65,535 of them.
Put your Xbox behind your firewall. Come on now.
A problem with giving a machine direct access to the internet is that the internet has direct access to it as well! If it gets compromised, the attacker is now inside your network, on the same segment as everything else, and your entire network is visible to them.
What's a better alternative?
You want a secure home network? At the very least, set up a guest network and have all guests connect through it. This way you have created some isolation between untrusted devices and your own.
You want remote access to an asset on your own (non-guest) network? Set up a separate segment behind a proper firewall (a pfSense virtual router is a great solution), put the asset in that segment, allow only the specific ports you need from the internet into it, and deny that segment from initiating connections back into your LAN. This is a much better way to do it because it uses the DMZ methodology appropriately: the exposed host is isolated from the things you care about instead of sitting among them.
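To make the difference between the router's "DMZ host" checkbox and a real DMZ segment concrete, here is an added example (not code from the original post) that models the three layouts discussed above as first-match packet-filter rule sets and asks two questions of each: which ports an internet attacker can reach on the exposed host, and which LAN hosts that exposed host can reach if it is compromised. All addresses, rule sets and flows are constructed for illustration; the "DMZ host" policy is written as it looks after the router's DNAT has already rewritten the destination to the chosen LAN host.

```python
"""Compare a home router's "DMZ host" setting with a real DMZ segment.

Added example, not from the original post. Everything below (addresses,
rule sets, the set of probed ports) is constructed for illustration.
"""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence

ANY = "0.0.0.0/0"
LAN = "192.168.1.0/24"      # trusted home LAN
GUEST = "192.168.2.0/24"    # guest Wi-Fi segment (assumed addressing)
DMZ = "10.0.2.0/24"         # real DMZ segment on its own firewall interface (assumed)

LAN_PC = "192.168.1.20"     # a laptop on the trusted LAN
XBOX = "192.168.1.50"       # the console someone selected as "DMZ host"
WEB = "10.0.2.10"           # a server placed in the real DMZ segment
ATTACKER = "203.0.113.7"    # TEST-NET-3 address standing in for the internet


@dataclass(frozen=True)
class Rule:
    src: str               # source CIDR (a bare address is treated as /32)
    dst: str               # destination CIDR
    dport: Optional[int]   # TCP destination port; None matches any port
    action: str            # "accept" or "drop"


def evaluate(rules: Sequence[Rule], src: str, dst: str, dport: int,
             default: str = "drop") -> str:
    """Return the action of the first matching rule, else the default policy."""
    for r in rules:
        if (ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return default


# 1. Stock home router: NAT only, nothing unsolicited comes in. Devices on the
#    one flat LAN reach each other through the switch; the router never filters it.
PLAIN_NAT = [
    Rule(LAN, LAN, None, "accept"),
]

# 2. "DMZ host" pointed at the Xbox. After DNAT, every unsolicited inbound
#    packet lands on 192.168.1.50 on whatever port it was sent to. The Xbox is
#    still on the same flat LAN as the laptop.
DMZ_HOST = [
    Rule(ANY, XBOX, None, "accept"),
    Rule(LAN, LAN, None, "accept"),
]

# 3. A real DMZ on a separate firewall interface (e.g. a pfSense VM): only the
#    published service is reachable from outside, the DMZ may not initiate
#    anything toward the LAN, guests are cut off from the LAN, and the LAN can
#    still manage the DMZ host.
SEGMENTED = [
    Rule(ANY, WEB, 443, "accept"),
    Rule(DMZ, LAN, None, "drop"),
    Rule(DMZ, ANY, None, "accept"),
    Rule(GUEST, LAN, None, "drop"),
    Rule(GUEST, ANY, None, "accept"),
    Rule(LAN, ANY, None, "accept"),
]


def reachable_from_internet(rules: Sequence[Rule], host: str,
                            ports: Sequence[int] = (22, 443, 3389)) -> List[int]:
    """Ports on `host` that an internet attacker can connect to under `rules`."""
    return [p for p in ports if evaluate(rules, ATTACKER, host, p) == "accept"]


def lateral_targets(rules: Sequence[Rule], foothold: str,
                    candidates: Sequence[str] = (LAN_PC,), port: int = 445) -> List[str]:
    """LAN hosts a compromised `foothold` can open tcp/445 (SMB) to."""
    return [h for h in candidates if evaluate(rules, foothold, h, port) == "accept"]


if __name__ == "__main__":
    for name, rules, exposed in (("plain NAT", PLAIN_NAT, XBOX),
                                 ("DMZ host", DMZ_HOST, XBOX),
                                 ("segmented DMZ", SEGMENTED, WEB)):
        print(f"{name:14} inbound ports open on {exposed}: "
              f"{reachable_from_internet(rules, exposed)}; "
              f"LAN hosts reachable after compromise: {lateral_targets(rules, exposed)}")
```

The output is the whole argument in three lines: with plain NAT nothing is reachable from outside; with "DMZ host" every probed port on the Xbox is open and the compromised Xbox can reach the laptop over SMB; with a segmented DMZ only tcp/443 on the web server is exposed and the server cannot open anything toward the LAN. Note that the model is first-match with an implicit default drop, which is how pfSense and most packet filters behave, so rule order matters: the `DMZ -> LAN drop` line must come before the `DMZ -> ANY accept` line or the isolation is silently lost.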