Chapter 7: Routing and WAN connections

LANCOM Reference Manual LCOS 3.50
Configuration of the inverse masquerading

Stateful Inspection and inverse masquerading

If a port is exposed in the Masquerading module (i.e. all packets received on
this port are to be forwarded to a server in the local area network), then with
a Deny All firewall strategy this requires an additional entry in the Stateful
Inspection Firewall that permits all stations to access the respective server.

7.3.3 Unmasked Internet access for server in the DMZ

While the inverse masquerading described in the preceding paragraph allows
exposing at least one service of each type (e.g. one Web, Mail and FTP
server), this method is subject to some restrictions.

- The masquerading module must support and 'understand' the particular
server service of the 'exposed host'. For instance, several VoIP servers use
proprietary, non-standard ports for extended signalling; such servers can
therefore only be operated on unmasked connections.

- From a security point of view, it must be considered that the 'exposed
host' resides within the LAN. When the host is under the control of an
attacker, it could be misused as a starting point for further attacks against
machines in the local network.

In order to prevent attacks from a compromised server on the local network,
some LANCOM devices provide a dedicated DMZ interface (LANCOM 7011
VPN) or are able to separate their LAN ports at Ethernet level in hardware
(LANCOM 821 ADSL/ISDN and LANCOM 1621 ADSL/ISDN with the switch
set to 'Private Mode').

Two local networks - operating servers in a DMZ

This feature requires Internet access with multiple static IP addresses.
Please contact your ISP for an appropriate offer.
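The two points made above, that an exposed port still needs its own entry under a Deny All stateful inspection policy and that an exposed host in the LAN can reach every other LAN host while a DMZ host cannot, can be traced through in a small model. The following Python script is an added illustration, not LCOS code or a LANCOM configuration: the Router class, its method names, and all addresses (203.0.113.10 as WAN address, 192.168.1.0/24 as LAN, 203.0.113.16/28 as a DMZ of additional static addresses, 198.51.100.7 as an Internet client) are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str            # source IP address
    dst: str            # destination IP address
    dport: int          # destination port
    sport: int = 0      # source port, used for reply tracking
    proto: str = "tcp"


@dataclass
class Router:
    """Toy model (hypothetical, not LCOS) of an inverse masquerading table
    combined with a Deny All stateful inspection firewall."""
    wan_ip: str
    lan: object                                   # ip_network of the private LAN
    dmz: object = None                            # ip_network of the DMZ, if present
    exposed: dict = field(default_factory=dict)   # (proto, wan_port) -> (host, port)
    allow: set = field(default_factory=set)       # explicit (host, proto, port) entries
    state: set = field(default_factory=set)       # tracked (client, host, port, proto)

    def zone(self, ip):
        addr = ip_address(ip)
        if self.dmz is not None and addr in self.dmz:
            return "dmz"
        return "lan" if addr in self.lan else "wan"

    def inbound(self, pkt):
        """Packet arriving on the WAN interface; returns (verdict, forwarded packet)."""
        key = (pkt.proto, pkt.dport)
        if pkt.dst == self.wan_ip and key in self.exposed:
            host, port = self.exposed[key]      # inverse masquerading: rewrite destination
        elif self.zone(pkt.dst) == "dmz":
            host, port = pkt.dst, pkt.dport     # unmasked: DMZ host owns a public address
        else:
            return "drop: port not exposed", None
        # Deny All: the exposed service still needs an explicit firewall entry
        if (host, pkt.proto, port) not in self.allow:
            return "drop: no stateful-inspection entry for exposed host", None
        self.state.add((pkt.src, host, port, pkt.proto))
        return "forward", Packet(pkt.src, host, port, pkt.sport, pkt.proto)

    def reply(self, pkt):
        """Packet from an internal host toward the Internet: only replies of a
        tracked connection pass, and masqueraded LAN hosts appear as wan_ip."""
        if (pkt.dst, pkt.src, pkt.sport, pkt.proto) not in self.state:
            return "drop: no matching connection state", None
        src = pkt.src if self.zone(pkt.src) == "dmz" else self.wan_ip
        return "forward", Packet(src, pkt.dst, pkt.dport, pkt.sport, pkt.proto)

    def internal(self, pkt):
        """Traffic between internal hosts."""
        s, d = self.zone(pkt.src), self.zone(pkt.dst)
        if s == "dmz" and d == "lan":
            return "drop: DMZ host may not initiate connections into the LAN"
        if s == "lan" and d == "lan":
            return "switched: LAN-to-LAN traffic never reaches the firewall"
        return "forward"


CLIENT = "198.51.100.7"   # constructed Internet client address


def exposed_host_in_lan(with_firewall_entry):
    """Web server 192.168.1.50 exposed on WAN port 80 via inverse masquerading."""
    r = Router("203.0.113.10", ip_network("192.168.1.0/24"),
               exposed={("tcp", 80): ("192.168.1.50", 80)})
    if with_firewall_entry:
        r.allow.add(("192.168.1.50", "tcp", 80))
    verdict, fwd = r.inbound(Packet(CLIENT, "203.0.113.10", 80, sport=40000))
    back = r.reply(Packet("192.168.1.50", CLIENT, 40000, sport=80))
    # the server is a LAN member: if compromised, it reaches every LAN host unfiltered
    pivot = r.internal(Packet("192.168.1.50", "192.168.1.20", 445))
    return verdict, fwd, back, pivot


def exposed_host_in_dmz():
    """Same web server placed in a DMZ with its own static public address."""
    r = Router("203.0.113.10", ip_network("192.168.1.0/24"),
               dmz=ip_network("203.0.113.16/28"))
    r.allow.add(("203.0.113.18", "tcp", 80))
    verdict, fwd = r.inbound(Packet(CLIENT, "203.0.113.18", 80, sport=40000))
    back = r.reply(Packet("203.0.113.18", CLIENT, 40000, sport=80))
    pivot = r.internal(Packet("203.0.113.18", "192.168.1.20", 445))
    return verdict, fwd, back, pivot


if __name__ == "__main__":
    print("LAN, no entry:  ", exposed_host_in_lan(False)[0])
    print("LAN, with entry:", exposed_host_in_lan(True))
    print("DMZ:            ", exposed_host_in_dmz())
```

Running the script shows the inbound request dropped until the allow entry exists, the reply of the masqueraded LAN server leaving with the WAN address as source while the DMZ server answers from its own public address, and the attempted connection from the server to a LAN workstation passing unfiltered in the first layout but being refused in the DMZ layout.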

Configuration tool   Run

LANconfig            IP router > Masq. > Service list

WEBconfig            Expert Configuration > Setup > IP-router-module > Masquerading > Service-table

Terminal/Telnet      /setup/IP-router-module/masquerading/service-table
