Not sure if this is what you mean? Bro, have a look at these :) http://www.webopedia.com/TERM/D/DMZ.html http://en.wikipedia.org/wiki/Demilitarized_zone_(computing)
Demilitarized zone: loosely translated "non-combat zone", more precisely a free-fire zone. In networking, the DMZ setting on a router means security ~ 0, i.e. all ports open: whichever IP you enter in that section is considered completely visible to the outside world, no need to bother opening any port at all, since all ports are forwarded.
In computer security, a demilitarized zone (DMZ) or perimeter network is a network area (a subnetwork) that sits between an organization's internal network and an external network, usually the Internet. The point of a DMZ is that connections from the internal and the external network to the DMZ are permitted, whereas connections from the DMZ are only permitted to the external network — hosts in the DMZ may not connect to the internal network. This allows the DMZ's hosts to provide services to both the internal and external network while protecting the internal network in case intruders compromise a host in the DMZ. For someone on the external network who wants to illegally connect to the internal network, the DMZ is a dead end. The DMZ is typically used for connecting servers that need to be accessible from the outside world, such as e-mail, web and DNS servers. Connections from the external network to the DMZ are usually controlled using port address translation (PAT). A DMZ is often created through a configuration option on the firewall, where each network is connected to a different port on the firewall - this is called a three-legged firewall set-up. A stronger approach is to use two firewalls, where the DMZ is in the middle and connected to both firewalls, and one firewall is connected to the internal network and the other to the external network. This helps prevent accidental misconfiguration, allowing access from the external network to the internal network. This type of setup is also referred to as screened-subnet firewall.
What model are you talking about? For example, you need to open a web server, a BitTorrent port, an FTP server, remote control access, a DNS server, a DHCP server, VNC, and so on... Instead of sitting there opening each port one by one for IP 192.168.1.2 (assume this is the private IP of your machine), you just go to the DMZ section and enter IP 192.168.1.2, and then every port is thrown wide open. In other words, your machine is completely visible to the outside world, just like using a modem with no router function.
There are many different ways to design a network with a DMZ. Two of the most basic methods are with a single firewall, also known as the three legged model, and with dual firewalls. These architectures can be expanded to create very complex architectures depending on the network requirements.

Single firewall

A single firewall with at least 3 network interfaces can be used to create a network architecture containing a DMZ. The external network is formed from the ISP to the firewall on the first network interface, the internal network is formed from the second network interface, and the DMZ is formed from the third network interface. The firewall becomes a single point of failure for the network and must be able to handle all of the traffic going to the DMZ as well as the internal network. The zones are usually marked with colors. Green for LAN, orange for DMZ, purple or blue for wireless zones and red for Internet. Note that the images below don't reflect the right colors.

Dual firewalls

A more secure approach is to use two firewalls to create a DMZ. The first firewall (also called the "front-end" firewall) must be configured to allow traffic destined both to the DMZ as well as to the internal network. The second firewall (also called the "back-end" firewall) allows only traffic from the DMZ to the internal network. The first firewall handles a much larger amount of traffic than the second firewall. Some recommend that the two firewalls be provided by two different vendors. If an attacker manages to break through the first firewall, it will take more time to break through the second one if it is made by a different vendor. (This architecture is, of course, more costly.) The practice of using different firewalls from different vendors is sometimes described as either "defense in depth" or (from an opposing viewpoint) "security through obscurity".
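To make the difference between the two meanings of "DMZ" in this thread concrete, here is an added example (not from the thread or from Wikipedia) that models the screened-subnet rule set quoted above next to the consumer-router "DMZ host" behaviour described earlier. Zone subnets, the published (host, port) pairs and the Internet source address are constructed placeholders.

```python
# Added example: a small model of the screened-subnet DMZ policy versus the
# consumer-router "DMZ host" setting. All addresses are constructed.
from ipaddress import ip_address, ip_network

ZONES = {                                    # constructed addressing
    "dmz": ip_network("192.0.2.0/24"),       # hosts that publish services
    "internal": ip_network("10.0.0.0/8"),    # the protected LAN
}
# Only these (host, port) pairs are published towards the Internet.
PUBLISHED = {("192.0.2.10", 80), ("192.0.2.10", 443), ("192.0.2.25", 25)}

def zone_of(addr):
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"        # anything outside the known zones is the Internet

def dmz_policy(src, dst, dport):
    """True if the screened-subnet firewall forwards src -> dst:dport."""
    s, d = zone_of(src), zone_of(dst)
    if d == "internal":      # neither the DMZ nor the Internet may initiate into the LAN
        return s == "internal"
    if d == "dmz":           # LAN reaches the DMZ freely; Internet only on published ports
        return s == "internal" or (dst, dport) in PUBLISHED
    return True              # egress to the Internet is permitted from any zone

def consumer_dmz_host(dport, dmz_host="192.168.1.2"):
    """Consumer-router 'DMZ host': every inbound port, whatever the service,
    is forwarded to the one LAN IP. Returns the host that receives the flow."""
    return dmz_host

def externally_reachable(hosts, ports, policy=dmz_policy, src="203.0.113.7"):
    """Enumerate which (host, port) pairs an Internet source can open."""
    return {(h, p) for h in hosts for p in ports if policy(src, h, p)}

if __name__ == "__main__":
    hosts = ["192.0.2.10", "192.0.2.25", "10.1.2.3"]
    ports = [22, 25, 80, 443, 3389]
    print("reachable from Internet:", sorted(externally_reachable(hosts, ports)))
    print("DMZ host -> LAN allowed:", dmz_policy("192.0.2.10", "10.1.2.3", 445))
    print("consumer DMZ host receives port 3389:", consumer_dmz_host(3389))
```

Run as-is, the enumeration returns exactly the published pairs and the DMZ-to-LAN check is False, whereas the consumer setting hands every port to the single LAN host.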