Creating an isolated network to secure a server

May 22, 2018
I'd like to host a server for a simple website at home. (This is just as much for my own experience as it is hosting the webpage, so please don't suggest a hosting service)
I've read a few different threads already, but I have a somewhat unique situation that isn't covered in any that I've been able to find.
The ISP has provided a router/modem combo for the AP. I have two additional routers with DD-WRT installed. What I'd like to do is set up the server on its own isolated network/connection that I can port forward on while leaving everything else covered.
However, the tricky bit is that I have a computer with no wifi that's currently parked by and plugs into the ISP modem/router directly, while one of the routers is in the middle of the house connected by a very long cable back to the modem.
Can I use my second router to protect this computer and allow the server to connect to the modem directly, or vice versa?

What you need to do is see if the ISP router has a DMZ capability. The DMZ is where you want your web server to live. It will then be isolated from the rest of your home network. You will want a good firewall ON the server and to review a hardening guide for whatever OS is on that server.
 


And that will secure the server from the rest of the network and vice versa? I'm doing this on my parents' network, and they want to be assured that by doing this I'm not going to get their computers damaged in any way.
 


The DMZ does NOT in and of itself make your webserver secure! In fact, it's no better than port forwarding in this regard. Specifically, the DMZ allows you to define *one* local IP that receives anything that would otherwise be port forwarded or blocked by the primary router.

IOW, the DMZ is just a convenience. It avoids having to port forward on a service by service basis to internal IPs. You're telling the primary router, "if you intend to block the incoming traffic, please pass that traffic to IP x.x.x.x instead and let that device handle it".

At that point, your local network is just as vulnerable as if that traffic had been explicitly port forwarded. What's FAR MORE important is that the target device itself is isolated from the primary local IP network! And that's why you would typically specify a DMZ (or port forward) to an internal IP that is hosting a router, and whose WAN IP is set to that internal IP. And now you port forward on that router to your webserver (or whatever service you're offering) on its local IP network. That places the webserver and its internet clients behind that router and its firewall, thus isolating them from the primary router's network.

So if you're just hosting a webserver, it really doesn't matter whether you use the DMZ or just use plain old port forwarding. If perhaps you want *everything* that would otherwise be blocked by the primary router to be passed to your internal router, then yeah, the DMZ would be more convenient than port forwarding on a service by service basis. You configure the DMZ once and you're done.

In summary, the DMZ does NOT provide security. It only provides convenience. The security comes from forwarding internet clients (however you wish to forward them, either w/ port forwarding and/or the DMZ) to a device which itself is isolated from the primary local IP network, typically a router.

 
Solution
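The router-behind-router layout the solution describes, as an added example (not from the thread): a firewall script for the inner DD-WRT router that forwards only the web port to the server and drops everything from the server's network toward the primary LAN, which is the "vice versa" isolation the follow-up question asks about. All addresses, the interface names (`vlan2`, `br0`) and the `IPT` variable are constructed assumptions; set `IPT=echo` to print the rules instead of applying them.

```shell
#!/bin/sh
# Firewall for the inner DD-WRT router that hosts the web server.
# Topology (constructed example addresses, adjust to your network):
#   ISP router LAN   192.168.1.0/24   (the parents' computers live here)
#   inner router WAN 192.168.1.2      (ISP router DMZ / port-forward target)
#   inner router LAN 192.168.2.0/24
#   web server       192.168.2.10:80
# DD-WRT: paste the body into Administration > Commands > Save Firewall
# so it is re-applied after every reboot, or run: sh firewall.sh apply

: "${IPT:=iptables}"     # IPT=echo prints the rules instead of applying them
: "${WAN_IF:=vlan2}"     # assumed WAN interface; check with: nvram get wan_ifname
: "${LAN_IF:=br0}"       # assumed LAN bridge on DD-WRT
PRIMARY_LAN=192.168.1.0/24
SERVER_LAN=192.168.2.0/24
SERVER_IP=192.168.2.10
SERVER_PORT=80

apply_rules() {
    # 1. Publish only the web port: DNAT what arrives on the WAN to the server.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$SERVER_PORT" \
        -j DNAT --to-destination "$SERVER_IP:$SERVER_PORT"

    # 2. Stateful forwarding: replies to established flows are always allowed.
    $IPT -I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. From the WAN side, only the forwarded web port may reach the server;
    #    every other new connection from the WAN into the server LAN is dropped.
    $IPT -I FORWARD 2 -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$SERVER_IP" \
        --dport "$SERVER_PORT" -m state --state NEW -j ACCEPT
    $IPT -I FORWARD 3 -i "$WAN_IF" -o "$LAN_IF" -j DROP

    # 4. Isolation in the other direction: a compromised server must not reach
    #    the primary LAN. Log, then drop, anything from the server LAN to it
    #    (ordinary Internet traffic from the server is still NATed as usual).
    $IPT -I FORWARD 4 -s "$SERVER_LAN" -d "$PRIMARY_LAN" \
        -j LOG --log-prefix "dmz-to-lan: "
    $IPT -I FORWARD 5 -s "$SERVER_LAN" -d "$PRIMARY_LAN" -j DROP
}

if [ "${1:-}" = apply ]; then apply_rules; fi
```

The log prefix makes any attempt by the server to contact the primary LAN visible in the router's syslog, which is the check the parents' "vice versa" concern needs.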