What's the difference between DMZ Host and DMZ Subnet?
DMZ, which stands for "Demilitarized Zone", is an additional layer of security between the WAN and the LAN. A router with a DMZ subnet will allow access to the DMZ from the WAN while having the LAN still protected by the firewall. The most common application of DMZ is to allow servers such as mail servers, HTTP/HTTPS web servers and FTP servers, to provide service to hosts on the WAN side in addition to LAN hosts.
On Vigor routers, there are two DMZ applications: DMZ host and DMZ subnet. Setting up a DMZ host will open a single host completely to the WAN, and all packets will be forwarded to this single host, unless (1) the packets match port redirection or open ports rules, or (2) the packets are destined for ports that the router itself is actively listening on (for example, if WAN management is enabled on the router on telnet and http ports, inbound packets to ports 23 and 80 will be intercepted by the router). The DMZ host is easy to set up and convenient to use. However, because this single DMZ host is on the same subnet as other LAN devices, if an attacker from the Internet breaches the security of this host, he or she may be able to compromise the security of the entire LAN.
In the illustration above, the green arrow indicates normal usage of the DMZ host, where users on the Internet can access the DMZ host by means of the WAN IP address of router.
If a user breaches the security of the DMZ host, the attacker may gain unauthorized access to other hosts on the same subnet, indicated by the red arrows.
This type of threats can be avoided by using the DMZ subnet. The DMZ and other LAN subnet are isolated, so that if a host on the DMZ subnet is broken into, the attacker does not have the ability to access other LAN subnets.
To allow WAN hosts to access servers on the DMZ subnet, the network administrator must set up Port Redirection or Open Ports rules to the those servers. Also, to allow users on LAN subnets to access servers on the DMZ subnet, inter-LAN routing must be enabled, and firewall rules must be set up, as shown below.
The router will then allow hosts on the LAN subnets to access the DMZ subnet, but prevent hosts on DMZ subnet from initiating sessions to the LAN subnets. This protects both the router and the rest of the LAN from unauthorized access from the DMZ.
Even though the configuration of the DMZ subnet is a bit more complex than that of the DMZ host, the result of having a more secure networking environment makes it worthwhile.
The dedicated DMZ port on Vigor3220
On most Vigor routers with multiple LAN ports, the router will set aside one of the LAN port as the DMZ port when the DMZ subnet is enabled. The Vigor3220 series of routers, however, are equipped with one LAN port, plus a dedicated DMZ port that is always enabled.