The Demilitarized Zone (DMZ) Firewall provides an advanced security realm to a network zone that lies between the LAN and WAN. The DMZ is an isolated network laid between private networks and the internet. It plays a vital role in creating a buffer zone and buys more time for the incident response team in case of a breach.
Crystal Eye’s DMZ Firewall allows administrators to define Incoming DMZ Connections and also facilitates control over DMZ Pinhole (DMZ to LAN) Connections. By default, all Incoming DMZ traffic that originates from the internet is directed to the DMZ and is blocked. However, the administrator can add exceptions through Incoming DMZ Connections section of the App and allow a designated list of IPs to access DMZ network. Similarly, all pinhole connections from the DMZ to LAN are automatically blocked. Here the pinholes are tunnels of communication between DMZ and the internal networks or LAN. The DMZ Pinhole (DMZ to LAN) Connections section of the application provides administrators with the controls to allow DMZ originating IPs to access LAN.
|Left-hand Navigation Panel > Security Configuration > Firewall > Custom Firewall|
DMZ Incoming Connections relates to all incoming connections administered to access external facing services in a DMZ. All incoming connections to the systems in the DMZ are blocked by default. However, an administrator can permit access to systems in the DMZ by adding IP address, protocol, and port.
Permits can be granted to all DMZ incoming connections to access a single public facing IP address or the whole network of IPs. Access rights can also be provided for a particular port and protocol on a single public IP.
How to Assign Exception IPs for DMZ Incoming Connection?
Step 1: In the DMZ Firewall Appication page, click the Add button. Step 2: Enter the IP Address and mention the Nickname of the IP address in the textbox. Step 3: Check the All Protocols and Ports tick box if you want the incoming IPs to access all ports and protocols. Step 4: Select whether the incoming connection is TCP or UDP using the Protocol dropdown. Step 5: Mention the Port Number that you want the incoming IP to access in the Port textbox and click the Add button.
Note: The system allows you to add a port in the box only if you have unchecked All Protocols and Ports.
The default behaviour of communication between systems in DMZ and LAN is such that all the network traffic originating from the DMZ to LAN and from LAN to DMZ are blocked. Therefore, it becomes important to open a pinhole in cases where special permissions must be granted for a system to establish communication with another system located in the DMZ.
In order to ensure communication between particular systems or servers in DMZ and LAN the administrator would have to add the IP Address, Protocol and Port to create an exception.
How to Assign Exception IPs for DMZ Pinhole (DMZ to LAN) Connections?
Step 1: In the DMZ Firewall application page, click the Add button in DMZ Pinhole (DMZ to LAN) Connections section. Step 2: Now, you will see the DMZ Pinhole (DMZ to LAN) Connection section. Enter the exception IP in the IP Address box and enter the given Nickname in textbox. Step 3: Check the All Protocols and Ports box.
Note: This tick box must only be checked if you want the exception IP to access all protocols and Ports.
Step 4: Select the incoming connection as TCP or UDP using the Protocol dropdown. Step 5: Mention the Port Number that you want the incoming IP to access in the Port textbox and click the Add button.
Note: The system allows you to add a port in the box only if you have unchecked All Protocols and Ports tick box.