Continued from Page 1
What is DMZ?
A DMZ is used when you have a private network that must be shielded from the Internet, but you also want to offer some services, such as Web access or e-mail, to the public over the Internet. The Web, mail and news servers must then be given comparatively lenient access, while the machines on your private network must be protected by strict access-control rules. The public servers are therefore placed in a separate area called the demilitarized zone. This area sits between two firewalls (as shown in the diagram). The first firewall, F1, applies lenient access-control rules so that people across the Internet can reach the public servers. The second firewall, F2, applies strict rules, and should let the DMZ machines into the private network only where there is a genuine need. If anyone exploits a hole in F1, or in one of the public services behind it, and gains privileged access to the machines hosting those services, the intruder is still held back by the strong rules on F2. The DMZ hosts are the machines most likely to be compromised, so F2's rules should be written on the assumption that they will be.
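To make the layering concrete, here is a small Python model of the two-firewall arrangement described above. It is an added example and not code from the article or its authors; the address ranges, host names and the exact rule sets are hypothetical, and each firewall is simplified to a stateless first-match filter with an implicit deny. The point it demonstrates is that a packet from the Internet aimed at the private network is stopped at F1, and a packet from a compromised DMZ server aimed at the private network is stopped at F2, while the published services and ordinary outbound browsing still work.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Hypothetical address plan (RFC 5737 documentation ranges, not real hosts).
INTERNET = "0.0.0.0/0"
DMZ = "203.0.113.0/24"
INTERNAL = "10.0.0.0/8"
WEB = "203.0.113.10"        # public Web server in the DMZ
MAIL = "203.0.113.25"       # public mail server in the DMZ
FILESERVER = "10.0.0.5"     # private file server behind F2


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = INTERNET          # CIDR the source address must fall in
    dst: str = INTERNET          # CIDR the destination address must fall in
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# F1, between the Internet and the DMZ: lenient, but only towards the
# published services. Nothing from outside may be addressed to the private net.
F1 = [
    Rule("allow", INTERNET, WEB, 80),
    Rule("allow", INTERNET, WEB, 443),
    Rule("allow", INTERNET, MAIL, 25),
    Rule("allow", DMZ, INTERNET),        # DMZ hosts may talk out (e.g. deliver mail)
    Rule("allow", INTERNAL, INTERNET),   # private users may browse the Internet
    Rule("deny"),
]

# F2, between the DMZ and the private network: strict. Only connections
# initiated from the private side pass; a DMZ host may initiate nothing inwards.
F2 = [
    Rule("allow", INTERNAL),
    Rule("deny"),
]

ZONES = ["internet", "dmz", "internal"]   # ordered along the path through the site
FIREWALLS = {("internet", "dmz"): ("F1", F1), ("dmz", "internal"): ("F2", F2)}


def zone(addr: str) -> str:
    ip = ip_address(addr)
    if ip in ip_network(INTERNAL):
        return "internal"
    if ip in ip_network(DMZ):
        return "dmz"
    return "internet"


def forward(pkt: Packet) -> Tuple[str, Optional[str]]:
    """Walk a new connection through every firewall between its source and
    destination zones. Returns ("allow", None) or ("deny", <firewall name>).
    Models connection setup only; a real firewall also tracks state so that
    replies to permitted connections are let back through."""
    a, b = ZONES.index(zone(pkt.src)), ZONES.index(zone(pkt.dst))
    step = 1 if b > a else -1
    for i in range(a, b, step):
        hop = tuple(sorted((ZONES[i], ZONES[i + step]), key=ZONES.index))
        name, rules = FIREWALLS[hop]
        if evaluate(rules, pkt) == "deny":
            return "deny", name
    return "allow", None


if __name__ == "__main__":
    outsider = "198.51.100.9"   # hypothetical Internet host
    for label, pkt in [
        ("Internet -> Web server :80", Packet(outsider, WEB, 80)),
        ("Internet -> Web server :22", Packet(outsider, WEB, 22)),
        ("Internet -> file server :445", Packet(outsider, FILESERVER, 445)),
        ("compromised Web server -> file server :445", Packet(WEB, FILESERVER, 445)),
        ("file server -> Web server :80", Packet(FILESERVER, WEB, 80)),
    ]:
        print(f"{label:45s} {forward(pkt)}")
```

The two verdicts worth noticing are the third and fourth cases: an outsider aiming straight at the file server never gets past F1, and an attacker who has already taken over the Web server is still stopped at F2. If F2 were missing, or carried the same lenient rules as F1, that second case would succeed.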
Can my Internet gateway act as a firewall?
A gateway is the interface between two networks, the private network and the public one (the Internet), and that is all it is. A gateway does not define any access policy for the packets flowing across it. It cannot block a port scan, which may reveal all the services running on your network, and it cannot block the traffic of a Trojan such as Back Orifice, which listens on a known port and answers anyone who probes it. Something is needed to block these packets, and a plain gateway cannot do it. Most Internet gateways use NAT (Network Address Translation) to put the machines on your private network behind the gateway's external (public) IP address; that is how machines on an internal network reach the Internet. But NAT is not an access policy: any port the gateway forwards or maps to an internal machine can be reached by anyone outside who knows your public IP, and the gateway's own services are exposed as well. A firewall is therefore needed to restrict this kind of access.
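The following Python model shows why NAT on its own is not a firewall. It is an added example, not code from the article or its authors; the public address, internal hosts, port numbers and the port-forward for a remote-desktop service are all invented, and the gateway is reduced to its translation table. Outbound connections create a mapping and their replies come back correctly, but the inbound lookup only asks "is there a mapping for this port?", never "is this sender allowed?": a forwarded port reaches the internal host from anywhere, a stranger who guesses an active mapping gets through too, and a scan of the public address lists every such port.

```python
from dataclasses import dataclass
from itertools import count
from typing import Dict, Iterable, List, Optional, Tuple

PUBLIC_IP = "198.51.100.7"   # the gateway's single public address (hypothetical)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    """Rewrites outbound source addresses to PUBLIC_IP and delivers inbound
    packets wherever the translation table or a static port forward points.
    It makes no decision about who may talk to whom; that is a firewall's job."""

    def __init__(self, port_forwards: Optional[Dict[int, Tuple[str, int]]] = None):
        self.dynamic: Dict[int, Tuple[str, int]] = {}   # public port -> (internal ip, port)
        self.forwards = dict(port_forwards or {})       # static mappings, e.g. a server
        self._next_port = count(40000)                  # public ports handed out in order

    def outbound(self, pkt: Packet) -> Packet:
        """Internal -> Internet: allocate a public port and remember who owns it."""
        pub_port = next(self._next_port)
        self.dynamic[pub_port] = (pkt.src, pkt.sport)
        return Packet(PUBLIC_IP, pub_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> gateway: translate if a mapping exists for the destination
        port, otherwise there is nowhere to deliver it. The lookup ignores the
        sender, so any outside host that knows the public IP and port gets
        through. (Simplification: many real gateways also check the remote
        address on dynamic mappings, but a static port forward is open to all.)"""
        target = self.dynamic.get(pkt.dport) or self.forwards.get(pkt.dport)
        if target is None:
            return None
        ip, port = target
        return Packet(pkt.src, pkt.sport, ip, port)


def scan(gw: NatGateway, ports: Iterable[int], scanner: str = "203.0.113.99") -> List[int]:
    """What a port scan from outside learns: every port the gateway will forward."""
    return [p for p in ports
            if gw.inbound(Packet(scanner, 55555, PUBLIC_IP, p)) is not None]


if __name__ == "__main__":
    # Hypothetical site: one PC browsing out, one machine with remote desktop forwarded.
    gw = NatGateway({3389: ("192.168.1.20", 3389)})
    out = gw.outbound(Packet("192.168.1.10", 51000, "192.0.2.80", 80))
    print("outbound rewritten to:", out)
    print("reply delivered to:   ", gw.inbound(Packet("192.0.2.80", 80, PUBLIC_IP, 40000)))
    print("stranger -> :3389:    ", gw.inbound(Packet("203.0.113.99", 1, PUBLIC_IP, 3389)))
    print("stranger -> :445:     ", gw.inbound(Packet("203.0.113.99", 1, PUBLIC_IP, 445)))
    print("ports visible to scan:", scan(gw, range(1, 65536)))
```

Nothing in this gateway can express a rule such as "only the office's own addresses may reach port 3389" or "drop probes to every other port silently"; those restrictions are exactly what a firewall in front of, or built into, the gateway adds.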
How’s a hardware firewall different from a software one?
A software firewall needs a machine, perhaps an ordinary PC, to run on. That machine needs an OS and will typically have two network interfaces, one facing the Internet and one facing the private network. Configuring it therefore takes some effort: you have to install the OS, configure the two interfaces for the firewall, and so on. The important point is that if the OS or any other service running on that machine has a bug, it may be an open invitation to an attacker, because the firewall host itself is exposed to the Internet. So it becomes important to patch the OS against known vulnerabilities and to stop every service that is not required.
A hardware firewall, on the other hand, does not need a separate machine to run on. It is a small box that can simply be plugged into your network and is ready for customized configuration. It still runs software, though: a firewall appliance has an embedded OS of its own, and its firmware needs updating when the vendor fixes vulnerabilities, just as a software firewall host needs patching.
Anil Chopra and Shekhar Govindarajan