2 LAN ports configuration ( Problem Solved )

[cold_fusion]

---

I have email, ftp, webserver and other servers running behind a nat router with no DMZ.

You can but your LAN is not secured. if your server is hacked, your lan will be easily be open (no other firewall to protect).
The purpose of DMZ, is to secure public servers/services behind your LAN and your main firewall/router to the internet.
This will give at least 2 levels of protection.

[IT]

Thanks Guys.. please continue debate..

[vern]

... and the purpose of being behind a router is so that your system doesn't get hacked. It's counter-intuitive not to have it behind a router and putting it on a DMZ. Having services on a DMZ completely negates the security measures that routers give you.

[cold_fusion]

... and the purpose of being behind a router is so that your system doesn't get hacked. It's counter-intuitive not to have it behind a router and putting it on a DMZ. Having services on a DMZ completely negates the security measures that routers give you.

DMZ is always behind a router. You have a misconception about DMZ. DMZ is the zone where you put your servers, between internet and LAN. See http://en.wikipedia.org/wiki/Demilitarized_zone_(computing)

[vern]

So a DMZ is basically a LAN with services running on it. How is that any different from any other LAN with a router/firewall in front of it with port forwards (if you don't own extra IPs)? Sure you can physically and logically divide two networks so one LAN provides services and the other doesn't, but that isn't any more secure than not diving it at all since the way you've stuck what is important in the DMZ, the servers providing services, the servers that hold account information. Also, if attackers have gotten to your servers that are on the DMZ, it would be trivial to mount attacks to another part of the same network from a supposed trusted host, the host on your DMZ. The point of entry is ultimately a single point of entry leading to the private network and the DMZ. Refer to the Wikipedia page. This single point of entry can be referred to as a firewall or as a router ... it does the same thing as any other router.

As far as personal routers are concerned, putting hosts on DMZ leaves them out in the open to fend for itself and wouldn't be as secure as compared to hosts that were not in the DMZ.

[r0mm3L]

dmzs for security from the inside,

attackers can also be from the inside of the network

[softtouch]

Read this: http://www.linklogger.com/dmz_danger.htm

[cold_fusion]

Read this: http://www.linklogger.com/dmz_danger.htm

This is only applicable to pseudo/single firewall DMZ that consumer (cheap) routers provide. A having a REAL dmz, with 2 separate firewalls for external (internet) and internal (LAN) will prevent this bypass.

[cold_fusion]

>So a DMZ is basically a LAN with services running on it.
Yes it is, only the public services. Plus another firewall to your internal network.

>How is that any different from any other LAN with a router/firewall in front of it with port forwards (if you don't own extra IPs)?
Very different, on a real dmz, there are 2 firewalls/routers to bypass before an attacker can compromise your lan. If a server is compromized on the DMZ network, the hacker needs to bypass the 2nd internal firewall. If using only a single router/firewall, a compromised server on the LAN can run a sniffer and capture passwords on the LAN or directly access open services on the lan such as non-passworded smb shares or exploits non service-packed Win PCs.

>As far as personal routers are concerned, putting hosts on DMZ leaves them out in the open to fend for itself and wouldn't be as secure as compared to hosts that were not in the DMZ.
Not so open, they are protected by the first firewall.

[IT]

cisco routers & firewall I presume...

more answers please..