Overview
A demilitarized zone (DMZ) is a particular segment of the local network reserved for servers accessible from the Internet. It is not allowed to access the local network from this segment. If a server in the DMZ is attacked, the attacker cannot reach other servers and computers located in the local system.
This article provides a general guideline, through an example, to configure a DMZ interface in Kerio Control.
Prerequisites
As an example, assume that there are rules for a web server located in the DMZ. The demilitarized zone is connected to the DMZ interface included in the Other Interfaces group. The DMZ uses subnet 192.168.2.x, the web server's IP address is 192.168.2.2.
Solution
- Login to Kerio Control Administration.
-
Go to Configuration -> Traffic Rules.
-
Use the following guidelines to add the proper rules:
-
Make the webserver accessible from the Internet, mapping the HTTP service on the server in the DMZ.
-
Allow access from the DMZ to the Internet via a NAT, which is necessary for the correct functionality of the mapped service.
-
Allow access from the LAN to the DMZ; this makes the web server accessible to local users.
-
Disable access from the DMZ to the LAN to add protection against network intrusions from the DMZ; this is globally solved by a default rule blocking any other traffic.
-
To make multiple servers accessible in the DMZ, you can use multiple public IP addresses on the firewall's Internet interface, which is called multihoming. Refer to the article Configuring Traffic Rules for Multihoming in Kerio Control for additional information.
Note: DMZ can be configured using VLAN interfaces as well.
Confirmation
Demilitarized Zone is configured successfully using Traffic rules.