HardwareHeaven.com Forums: Motherboards, Networking and Misc Forum
#1 | Aug 8, 2009, 08:04 PM | dipstick (HardwareHeaven Extreme Member; Join Date: May 2002; Location: USA; Posts: 3,609)
DMZ and network security

Hey guys, I was wondering if anyone had any ideas on my issue, or at least lie to me and make me still feel safer.

I've set up a WinXP Pro PC at home for connecting to work via a secured VPN. I have tried everything I can think of to get it to connect, but it cannot if it's running through the router. It does, however, work if I put it out on the DMZ.
My question is: how much of a security risk is this to my home network? Should I bother to keep trying to get it to work without the DMZ? Any tips on that? Going by the error, it looks like the router is killing the incoming connection from the server. I'm running a D-Link DGL-4300 router.
Thanks for any tips, guys.
#2 | Aug 11, 2009, 10:48 PM | procupine14 ("Why is it Beeping!?!?!"; Join Date: Apr 2007; Location: USA, Missouri; Posts: 1,400)

Re: DMZ and network security

Well, there is always a bit of a security risk running outside the network, but I assume you will be OK. It all really depends on what you are subjected to over the net.

As far as the VPN goes, are there some ports that you can try to forward that your VPN needs to get through? You could also try taking down the security on the router and see if it lets you through. Then you would really know that your problem lies within the router.
#3 | Aug 22, 2009, 08:47 PM | WxMan1 (HardwareHeaven Lover; Join Date: Dec 2007; Posts: 214)

Re: DMZ and network security

I took a look at the DGL-4300 game rules and it seems like that's a pretty neat game; it sure beats the cheesy Netgear MR814v2 game I have.

With regards to the security issue, you're fairly safe with a VPN connection. That's because the VPN circuits are logically isolated from public traffic. I'm unclear what web access you have once connected to the corporate VPN server, i.e., if you go through the corporate server to access the web you're in fairly good shape. But if you open up another connection on the client to access the web, that's a different story. At the very least you should have a software firewall running on the client (in addition to anti-virus / malware software). That really should go without saying in any case. However, for peace of mind it's always best to be sitting behind the hardware firewall capabilities of the router.

Anyways, it looks like in the WAN section you have to configure the Internet Connection mode correctly, i.e., either PPTP or L2TP (the most common types of tunneling protocols for contemporary VPNs). That's where you configure IP address, subnet mask, default gateway, username and password.

Then it would seem that you need to go into the advanced, special applications, Application Level Gateway configuration:

The culprit might be IPSec VPN

The rules state that this "[a]llows multiple VPN clients to connect to their corporate network using IPSec. Some VPN clients support traversal of IPSec through NAT. This ALG may interfere with the operation of such VPN clients. If you are having trouble connecting with your corporate network, try turning this ALG off. Please check with the system administrator of your corporate network whether your VPN client supports NAT traversal."

At the very least, check to see that the IPSec service is running on the client node trying to make a VPN connection.

Networking can be a source for premature aging, baldness, flat spots on the skull and rounded indentations in walls.

Just last week I was trying to configure WEP on my Dad's PC on WinXP Pro, which I had just installed on his previously Win98 (SE upgrade) machine. The wireless adapter configuration utility has a bug: after configuring the WEP key and pressing Apply, the adapter detected the access point. Then when I pressed the OK button the machine promptly lost the connection (even though it saw the SSID). The thing was, first the router saw the node, then it didn't. The wireless adapter still saw the router and retained the router-based DHCP IP address. Reboot ALWAYS resulted in an APIPA-assigned IP address with no connectivity to the router (despite the client seeing the SSID). WTF?

The solution to this maddening problem was to press <CANCEL> (instead of <OK>) to exit the configuration utility AFTER applying the WEP key. Works good, lasts long time. I aged at least 10 years in the 4 to 6 hours I messed with that.

Last edited by WxMan1; Aug 22, 2009 at 10:06 PM.
#4 | Aug 23, 2009, 12:16 AM | Matth (Flash Banner Hater; Join Date: Jun 2002; Location: UK; Posts: 3,411)

Re: DMZ and network security

A PC in the router's DMZ is, as far as security is concerned, the same as a PC connected directly to a non-router modem, so it needs (at the very least) the Windows firewall active, or some better firewall or antivirus/firewall suite.

All the crap being thrown at it from outside hits the DMZ.


On that router, using ALG for IPSEC can interfere with VPN clients that cannot handle NAT IPSEC
http://forums.whirlpool.net.au/forum...fm/860277.html
http://www.broadbandreports.com/foru...ce-DGL4300-VPN

Other than that, port forwarding should do it.
Last edited by Matth; Aug 23, 2009 at 12:24 AM.
#5 | Aug 27, 2009, 07:18 PM | dipstick (Thread Starter; HardwareHeaven Extreme Member; Join Date: May 2002; Location: USA; Posts: 3,609)
Re: DMZ and network security

I had tried opening the ports, but it never helped. Once I disabled SPI it went like a bat out of hell. Tbh, I feel kinda dumb missing that on my own.
Also, my network security is OK, I think; I use WPA2, all PCs run NIS 2009 along with SAS Pro, and I have password-protected sharing enabled.
Many thanks, guys.


@WxMan1: It's a nice router, but it's starting to show its age on the wireless side. If I were in the market for a new one I'd be looking at the DIR-655 or DGL-4500, only because this one has been so good to me.
Thanks again.
#6 | Sep 1, 2009, 09:37 PM | WxMan1 (HardwareHeaven Lover; Join Date: Dec 2007; Posts: 214)

Re: DMZ and network security

Windows Vista and Windows 7 use TCP window scaling for non-HTTP (web) connections (as do Linux kernels from v2.6.8 on). This behavior is incompatible with some firewalls that use SPI (Stateful Packet Inspection), as found in routers like the Checkpoint NG R55, Cisco PIX earlier than v6.3.1, NetApp Cache Appliances, SonicWall, D-Link DI-724U, Netgear WGR614, and Linksys WRT54GS. If you're using IE 7 or 8, I wonder if that's part of the problem.

It bothers me that you have to turn off a major component of your firewall. SPI is a fundamental method for intrusion detection and prevention. SPI keeps track of the state of network connections (such as TCP streams, UDP communication) and is programmed to distinguish legitimate packets for different types of connections. Only packets matching a known connection state will be allowed by the firewall; others will be rejected.

Pure packet filters have no concept of state (in the computer-science sense of a finite state machine), are subject to spoofing attacks and other exploits, and are not regarded as providing enough protection; pure packet filters treat all HTTP traffic equally. However, SPI can determine the type of protocol that is being sent over each port. An SPI-capable firewall is able to hold significant attributes of each connection in memory, from start to finish. These attributes, which are collectively known as the state of the connection, may include such details as the IP addresses and ports involved in the connection and the sequence numbers of the packets traversing the connection.

SPI depends on the three-way handshake of the TCP protocol. A client initiating a new connection sends a packet with the SYN bit set in the packet header. All packets with the SYN bit set are considered by the firewall as NEW connections. If the service which the client has requested is available on the server, the service will reply to the SYN packet with a packet in which both the SYN and the ACK bits are set. The client responds with a packet having only the ACK bit set, and the connection enters the ESTABLISHED state.

Once a connection has been established, the firewall passes all outgoing packets unhindered but only allows incoming packets if they are part of an ESTABLISHED connection, ensuring that hackers cannot start unsolicited connections with the protected machine. SPI is quite efficient because the firewall only needs to check its connection state table, instead of validating a packet against a firewall rule set (which can be extensive). If a firewall's rule set gets updated, the state table tends to get flushed (in turn incurring additional processing overhead). Once a session has ended, the associated entry in the state-table is discarded.
Here's an idea for ya:

FVS114 - ProSafe VPN Firewall 8 with 4 Port 10/100 Mbps Switch - NETGEAR.com

Deep packet inspection is an extension of SPI where the data segment of any packet is inspected. This is important so as to effectively block peer-to-peer-related network traffic. Application-level filters also examine what a protocol is being used for and can distinguish between HTTP traffic used to access a web page and HTTP traffic used for file sharing.

Application-layer firewalls support multiple application proxies on a single firewall. The proxies sit between the client and server, passing data between the two endpoints. Suspicious data is dropped and the client and server never communicate directly with each other. Because application-level proxies are application-aware, the proxies can more easily handle complex protocols like H.323, which is used for videoconferencing and VoIP (voice over IP). Application proxies can be transparent to the client and server, as no configuration is required on the client or the server; or can be nontransparent, letting the client and server address the proxy server directly. Transparency versus non transparency is a matter of implementation and address hiding, rather than about security.

WPA2 is excellent security for the wireless nodes and access point on your LAN; however, it provides absolutely no protection from the cloud. With WPA2, war-drivers with packet sniffers and protocol analyzers have their work cut out for them if they want to get into the LAN via the wireless access point on your router (or establish a wireless peer-to-peer connection). And even if they are able to gain access to the LAN (or implement a peer-to-peer connection to one of the LAN nodes), then they have to deal with NIS and SAS Pro. These are excellent examples of software firewalls. In my view their forte is preventing unauthorized traffic OUT of a LAN, in that they provide application-layer filtering. You essentially don't have your pants down in public. But still, I'd be nervous that the LAN itself can be compromised with SPI disabled. If a hacker can bypass the router (quite easy if its security protocols are disabled), they can spend all the time in the world focusing on breaching the defenses of a single node on the LAN. Once a trusted node of a LAN is compromised from outside, the rest of the LAN is on extremely shaky ground.

On my WinXP Pro system, I use NSW 2003 and ZA v8.0.298. The latter provides suitable packet and application-layer filtering. As an additional layer of protection, I've implemented the hosts file available from

Blocking Unwanted Parasites with a Hosts File

to block ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and even most hijackers. This is accomplished by blocking the connection(s) that supplies these little gems, by mapping the URL to the IP address 127.0.0.1 (localhost). And even if I am compromised by some malware that wants to phone home, my system can't get there.

Furthermore, I've installed Spybot Search & Destroy. I use this exclusively for its "immunize" feature; it puts its own entries into the HOSTS file. It also allows locking the HOSTS file, and preventing changes to one's home page and access to IE settings within the browser; the user is required to access those manually through Start, Settings, Internet Options. Spybot's system scan functionality is an adjunct to that provided by Ad-Aware and Windows Defender (none of them find all of the threats). Both of these products have unobtrusive real-time protection, and so I've disabled the TeaTimer service of Spybot; TeaTimer is a rather zealous and obtrusive application in its operation. Anyways, as an adjunct to Windows Defender real-time protection, I use Ad-Aware Anniversary Edition Ad-Watch. Both work well concurrently, in tandem. Windows Defender is fairly adept at recognizing changes to system settings but not overly zealous in that regard. Ad-Aware AE will definitely alert if my system becomes compromised by some rogue software.

Anyways, kind of a long-winded reply, but it's my take on the defense-in-depth and defense-in-layers philosophy of computer system security.
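The SPI walkthrough in the post above (SYN marks a NEW connection, SYN/ACK and ACK move it to ESTABLISHED, and only inbound packets matching a table entry pass) is easy to see in code. The following is an added example written for this page, not code from the post or from any router firmware: a toy stateful filter for one LAN host, with a stateless mode beside it that uses the classic "ACK bit set means it is a reply" guess, so the spoofing weakness of a pure packet filter that the post mentions shows up in the output. All hosts (documentation addresses), ports and packets are constructed, and the handshake and teardown are simplified (no sequence-number checks, one packet closes a connection).

```python
# Added illustration, not code from the forum post: a toy stateful packet
# filter that follows the SPI description above, plus a stateless mode for
# comparison. All hosts, ports and packets below are constructed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]      # any of "SYN", "ACK", "FIN", "RST"


def pkt(src: str, sport: int, dst: str, dport: int, *flags: str) -> Packet:
    return Packet(src, sport, dst, dport, frozenset(flags))


# State-table key, always written from the connection initiator's side.
Key = Tuple[str, int, str, int]


class PacketFilter:
    """Firewall in front of one LAN host.

    spi=True  : track each TCP connection through the three-way handshake and
                only pass inbound packets that belong to a known connection.
    spi=False : pure packet filter. Outbound passes; inbound passes if the port
                is forwarded or the ACK bit is set (the classic stateless way
                of guessing "this is a reply"), which anyone can forge.
    """

    def __init__(self, lan_host: str, spi: bool = True,
                 forwarded_ports: Optional[Set[int]] = None) -> None:
        self.lan_host = lan_host
        self.spi = spi
        self.forwarded_ports = forwarded_ports or set()
        self.table: Dict[Key, str] = {}
        self.log: List[str] = []

    def _lookup(self, p: Packet) -> Tuple[Optional[Key], bool]:
        """Return (key, packet travels in the initiator's direction)."""
        fwd: Key = (p.src, p.sport, p.dst, p.dport)
        rev: Key = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table:
            return fwd, True
        if rev in self.table:
            return rev, False
        return None, False

    def _decide(self, p: Packet) -> bool:
        outbound = p.src == self.lan_host
        bare_syn = "SYN" in p.flags and "ACK" not in p.flags
        if not self.spi:
            return outbound or p.dport in self.forwarded_ports or "ACK" in p.flags

        key, from_initiator = self._lookup(p)
        if key is None:
            if not bare_syn:
                return False                      # no state and not a new connection
            if outbound or p.dport in self.forwarded_ports:
                self.table[(p.src, p.sport, p.dst, p.dport)] = "NEW"
                return True
            return False                          # unsolicited inbound SYN

        state = self.table[key]
        if "RST" in p.flags or "FIN" in p.flags:  # teardown, simplified to one packet
            del self.table[key]
            return True
        if state == "NEW" and not from_initiator and p.flags >= {"SYN", "ACK"}:
            self.table[key] = "SYN_RECV"
            return True
        if state == "SYN_RECV" and from_initiator and "ACK" in p.flags:
            self.table[key] = "ESTABLISHED"
            return True
        return state == "ESTABLISHED"             # anything else is out of sequence

    def handle(self, p: Packet) -> bool:
        verdict = self._decide(p)
        self.log.append(f"{'ACCEPT' if verdict else 'DROP'} "
                        f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {sorted(p.flags)}")
        return verdict


def run_scenario(spi: bool) -> Dict[str, bool]:
    """Constructed traffic: the LAN PC opens a TCP connection to a server,
    then an outside host sends an unsolicited SYN and a forged bare ACK."""
    lan, server, attacker = "192.168.0.10", "203.0.113.5", "198.51.100.7"
    fw = PacketFilter(lan, spi=spi)
    return {
        "syn_out":         fw.handle(pkt(lan, 50000, server, 443, "SYN")),
        "synack_in":       fw.handle(pkt(server, 443, lan, 50000, "SYN", "ACK")),
        "ack_out":         fw.handle(pkt(lan, 50000, server, 443, "ACK")),
        "data_in":         fw.handle(pkt(server, 443, lan, 50000, "ACK")),
        "unsolicited_syn": fw.handle(pkt(attacker, 40000, lan, 445, "SYN")),
        "forged_ack":      fw.handle(pkt(attacker, 40000, lan, 445, "ACK")),
    }


if __name__ == "__main__":
    for mode in (True, False):
        print(f"--- SPI {'on' if mode else 'off'} ---")
        for name, ok in run_scenario(mode).items():
            print(f"{name:16s} {'ACCEPT' if ok else 'DROP'}")
```

With SPI on, the forged bare ACK to port 445 is dropped because no table entry matches it; with SPI off, the same packet is accepted because the stateless rule can only look at the flag. The example models TCP only; the UDP and ESP traffic a VPN client such as the one in this thread sends is tracked by different rules and is outside this toy.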
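The hosts-file blocklist the post describes works because the resolver checks the hosts file before DNS, so a name mapped to 127.0.0.1 or 0.0.0.0 never reaches its real address. The following is an added example for this page, not code from the post or from the hosts-file project it links: a small parser for the hosts-file format, a resolver that mimics the hosts-then-DNS order, and a check for the one case such a blocklist cannot cover. The sample file and every domain name in it are constructed and hypothetical.

```python
# Added example, not from the forum post: parse a hosts-file blocklist of the
# kind described above and show what it does and does not block.
import ipaddress
from typing import Dict, Optional

# Constructed sample in the standard hosts-file layout: address, then one or
# more names, '#' starts a comment. All names here are hypothetical.
SAMPLE_HOSTS = """\
# blocklist entries
127.0.0.1   localhost
127.0.0.1   ads.example.net  tracker.example.net   # ad server, page counter
0.0.0.0     c2.example.org                         # assumed malware callback host
not-an-ip   junk.example.net                       # malformed line, ignored
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Map lowercased hostname -> address. The first entry for a name is kept."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue                               # malformed line, skip it
        for name in names:
            mapping.setdefault(name.lower().rstrip("."), addr)
    return mapping


def resolve(hosts: Dict[str, str], target: str) -> Optional[str]:
    """Hosts file first, then DNS (represented here by None = 'ask DNS').
    An IP literal is used as-is; the hosts file is never consulted for it."""
    try:
        ipaddress.ip_address(target)
        return target
    except ValueError:
        return hosts.get(target.lower().rstrip("."))


def is_sinkholed(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


def phone_home_blocked(hosts: Dict[str, str], target: str) -> bool:
    """True when a connection to `target` would be steered to a sinkhole."""
    addr = resolve(hosts, target)
    return addr is not None and is_sinkholed(addr)


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for t in ("ads.example.net", "c2.example.org", "www.example.com", "203.0.113.9"):
        print(f"{t:18s} blocked={phone_home_blocked(table, t)}")
```

The last two probes show the limit: a name not in the file falls through to DNS, and malware that connects to an IP literal, or ships its own DNS client, is not steered anywhere by the hosts file at all. Mapping to 127.0.0.1 also means the connection lands on any local listener on that port, which is why many blocklists prefer 0.0.0.0.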
#7 | Sep 2, 2009, 12:23 PM | Takaharu ("I can fart in 7 languages"; Join Date: Aug 2009; Location: England, UK; Posts: 1,632)

Re: DMZ and network security

We gave up on VPNs in our company and decided to use LogMeIn. It'd depend on your needs and circumstances, though, as our IT department have dedicated PCs. We also managed to keep PCI compliance even though we're using LogMeIn Free instead of IT Reach (which is certified for PCI compliance).
#8 | Sep 2, 2009, 12:39 PM | blibbax ("What does this do?"; Join Date: Sep 2008; Location: Oxford, UK; Posts: 3,697)

Re: DMZ and network security

I've used a DMZ for my main PC for years without any issue. Yes it's a security risk, but as far as my experience can tell it's a small one.
#9 | Sep 5, 2009, 12:33 AM | dipstick (Thread Starter; HardwareHeaven Extreme Member; Join Date: May 2002; Location: USA; Posts: 3,609)
Re: DMZ and network security

I think the main reason it doesn't work is because I'm trying to use the Cisco VPN software, which, by looking around the web, seems to have been driving people mad for a few years now. But I've told them I don't want to bring work home with me and they seem to have left me alone for now. DMZ is off and SPI is on again. I don't get paid enough to be waking up in the middle of the night or dealing with anything on a Sunday.