Make your DMZ without compromising your internal network!
What is a Digital Media Zone in network terms?
"It is a commonly-touted feature of home/small business routers. However, in most instances these features are not real Digital Media Zones or Demilitarized Zones. Home/business routers often implement a Digital Media Zone simply through additional firewall rules, meaning that incoming requests reach the firewall directly. In a true Digital Media Zone, incoming requests must first pass through a Digital Media Zone computer before reaching the firewall."
When I checked on the cost of storing private videos on the internet or on "cloud computing" services, my jaw hit the floor.
Let me go back about four years: a friend of mine was buying all my products to learn how to do computer repair, server installations, and so on. He asked me why I didn't do video tutorials. I thought about it for a long time, then went in search of different topics on computer repair in video format.
For the most part you can find just about (note the just about) any topic, and some of them are professionally done. If you need to know how to do a certain topic, try newegg.com; they have some very good videos.
The computer hardware repair videos on YouTube, in my opinion, range from junk to professional. In some, the person making the video has an ego as big as a 747 and all you see is their face. Others are of such low quality that they are a waste of time. Then there is the occasional high-quality, on-topic video that you can actually use to do your repair.
I made ten videos (and will make a couple more soon). The first five I put on a CD and will sell; the last five I wanted to put on this web site. I did a search for online storage for large files, and the cost is prohibitive for a small business. It ranges from $0.50 to $5 per MB per month!
Why the high cost?
If you are uploading, say, 5 to 10 MB then it isn't too expensive, but I have over 2 GB of files to store! That would cost me over $300 a MONTH for 500 MB! And most of the storage sites have a size limitation to go along with the cost. The maximum amount of storage is 500 MB! So what do I do with the other 1.5 GB? That would mean I need four accounts, $1200 a month! Sheeeshhh. Gotta be a better way, no?
The hosting company that I was using at the time for this web site has a 100 MB limit for non-web site type files such as videos, zip, or PDF files, all of which I use for the products that I sell, so most of them are stored off site from that web site host.
This led me to create my own private hosting for a web site, with a DMZ, that I could link to for videos, and this is the process I used to protect my intranet network.
To start off, I have two routers. I have always had a router between my internal network and the DSL modem from my ISP.
When the ISP modem died and they would not replace it, I bought a Netgear DGN 2200 DSL Modem with a built-in router.
Between the Netgear and my network I have a Linksys BEFSR41 Ethernet DSL Modem with built-in router. On the intranet side I have a server that also has a firewall/proxy service. It's my data and I want to keep it mine!
I also have some old IBM laptops that are still serviceable.
Here is what I wanted to do:
Build a server that has a Web Server that I can lock down. By locking down the server I can allow anonymous access to the web server without worrying about some yo-yo hacking the server and getting past the firewalls to my internal network.
Using the Netgear, allow access to the web service and to the Linksys router.
The problem is getting all these different devices to talk to each other and not block any access in/out of the internal network. Ya, right... Good luck with that one!
Steps for web service:
- Install the server Operating System (OS) on the laptop.
- Add the Web Server to the OS
- Create the Web Site
- Create the necessary directories (folders) for the videos
- Lock down the Web service
- Lock down the server OS
- Test
Next is figuring out how to connect from the internet through the Netgear to the web server and the Linksys at the same time.
After reconfiguring the Netgear three times from factory default, I got smart and contacted the Netgear Support people.
I know that you can put a server or computer/device on the outside of a router and it will not affect connections into and out of the router. But the rules have changed since I did a little bit of work with a Cisco 4800 router...
The Netgear Support people were great!
They told me the best way to do this was to create a DMZ server and a firewall rule that allowed for connection through the firewall to the Digital Media Zone or Demilitarized Zone server.
Ok, well, it took almost a complete day before someone outside the ISP connection to the Netgear router could connect to the DMZ server.
This is what it would look like:
Internet web page --> My ISP --> My Netgear Router --> firewall rule to DMZ server --> DMZ server web service --> video plays on your computer.
It seems that the router had to be set back to the factory default settings every time I made a mistake in a parameter. This means I had to use my laptop to go through the steps to set up the router each time.
Before I go through the steps I will caution you:
A DMZ server or computer/device is outside the protection of the router/firewall. It is wide open for anyone to connect to if they can find it or figure out how to connect to the server.
I strongly suggest you do these things first:
- All Cable/DSL modem/routers have the option to "Block Anonymous Internet Requests" or "Respond to Ping on Internet Port"; be sure that you set this to block or not respond! This keeps the hackers from finding your router by broadcast pinging.
- Set the NAT (Network Address Translation) to "Enable". NAT translates the requested network address from the router to the local network on inbound connections, and from the router to the internet on outbound connections. If you disable NAT then the only connections you will have are from the router to any attached devices: no internet connection in or out.
- This is your choice: DHCP Service - how many connections to the router you allow. I allow only 6 (used to be 4 until all the wireless devices came home).
- If you have a wireless router incorporated, be sure to set the security as strong as possible!
- You should enable the "Port Scan and DoS Protection" (DoS is Denial of Service; hackers and idiots use this type of attack to keep people from connecting to a service).
- For the Netgear you need to change the port for access to the Remote Management; otherwise when someone connects they will get the Netgear modem log on. The Netgear Support said anything above 6000 for the port number is good and will stop that from happening.
I strongly suggest you sit down and map out your strategy before you do your work: knowing the IP address you want the DMZ Server on, knowing the port or ports that need to be opened in the firewall, and having access to an outside network (or someone you trust) to test the inbound connection. (This will save you a couple of hours or more.)
Here are the steps in case you want to set up a Digital Media Zone:
Reset the ISP-connected router to default factory settings (I know this is a pain, but it will clear anything in the memory that has built up over time that will cause you problems; trust me on this one...).
Do the four steps above.
Find the DMZ setting in the router setup; the Netgear settings are on the WAN Setup page.
Enable the DMZ and add the IP address of the DMZ Server; in my case it is the Linksys router (the DMZ server is on a LAN port of the router).
Go to the firewall rules. For the Inbound Services, create a rule to add the IP address, Action (allow always), the Service name (and port - 80 in my case), which WAN Servers the inbound connection can access (Any - in my case) and, this is important, LOG - Always log inbound connections.
At this time you can try a test from outside of your router, but it will probably fail.
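Since the inbound rule above is set to always log, the log is the place to confirm that only the intended path (port 80 to the DMZ host) is being allowed through and to spot probing. The following added Python example (mine, not from the original post) audits a handful of constructed log lines in a simple key=value format; the Netgear's real log syntax is not reproduced here, so the regular expression is an assumption you would adapt to your router.

```python
import re
from collections import defaultdict

# Policy from the post: the only sanctioned inbound path is TCP/80 to the DMZ host.
DMZ_HOST = "10.10.0.2"
ALLOWED = {(DMZ_HOST, 80)}
SCAN_THRESHOLD = 3  # distinct ports from one source before we call it a probe (assumption)

# Constructed sample lines (documentation-range addresses); not the Netgear's real format.
SAMPLE_LOG = """\
2014-05-01 10:12:03 INBOUND src=203.0.113.5:51342 dst=10.10.0.2:80 action=allow
2014-05-01 10:12:09 INBOUND src=203.0.113.5:51350 dst=10.10.0.2:80 action=allow
2014-05-01 10:15:41 INBOUND src=198.51.100.7:40001 dst=10.10.0.2:22 action=drop
2014-05-01 10:15:42 INBOUND src=198.51.100.7:40002 dst=10.10.0.2:23 action=drop
2014-05-01 10:15:43 INBOUND src=198.51.100.7:40003 dst=10.10.0.2:8080 action=allow
2014-05-01 10:20:00 INBOUND src=198.51.100.9:55555 dst=10.10.0.2:80 action=allow
this line is malformed on purpose and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) INBOUND src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) action=(?P<action>\w+)$"
)

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["dport"] = int(entry["dport"])
            yield entry

def audit(log_text):
    """Return (policy_violations, probable_scanners).

    policy_violations: connections the router allowed that are not (DMZ_HOST, 80),
    i.e. evidence the inbound rule is wider than intended.
    probable_scanners: sources that touched SCAN_THRESHOLD or more distinct ports.
    """
    violations = []
    ports_by_src = defaultdict(set)
    for e in parse(log_text):
        ports_by_src[e["src"]].add(e["dport"])
        if e["action"] == "allow" and (e["dst"], e["dport"]) not in ALLOWED:
            violations.append((e["src"], e["dst"], e["dport"]))
    scanners = sorted(s for s, p in ports_by_src.items() if len(p) >= SCAN_THRESHOLD)
    return violations, scanners
```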
Next is your internal router/firewall settings.
First, your internal router should be at an IP either set by you or at the default of the ISP router; different makes use different IP's.
This is an example IP scheme (not my actual IP's):
ISP Netgear Router IP's:
- Inbound from ISP: 99.201.177.88
- Outbound to network from Netgear router: 10.10.0.1 (also the gateway address, which you will need)
Linksys IP's:
- Inbound from Netgear: 10.10.0.2
- Outbound from Linksys to internal network Firewall/Proxy server: 33.251.169.1
The DMZ - Digital Media Zone is on IP address 10.10.0.2, so the server would have to have an IP of 10.10.0.x (where x is 3 or above; normally pick the next digit above the router IP).
On the Linksys I had to open inbound port 80 and assign it to the Digital Media Zone server. (You will find this setting in the "Applications & Gaming" setup; go to "UPnP Forwarding", where there is a list of common applications and some open blocks where you can add the uncommon applications and ports.)
I selected HTTP 80 and assigned it to the IP of 10.10.0.3 for the web server.
For good measure I did a power off reset on both routers, then did a test.
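To make the two-router layering concrete, here is an added Python model (mine, not the post's) of the example IP scheme: the Netgear's narrow inbound rule and DMZ host, then the Linksys's single port-forward. It traces where an unsolicited packet ends up and checks the post's invariant that nothing is ever delivered into the internal 33.251.169.x network; the "WEAK" variant is an assumed misconfiguration (DMZ with no inbound rule, and the Linksys pointing its own DMZ feature at the web server) for comparison.

```python
from ipaddress import ip_address, ip_network

# Example scheme from the post (the post says these are not the author's real addresses).
NETGEAR_WAN = "99.201.177.88"
LINKSYS_WAN = "10.10.0.2"                    # configured as the Netgear's DMZ host
WEB_SERVER = "10.10.0.3"                     # the Linksys forwards HTTP 80 here
INTERNAL_NET = ip_network("33.251.169.0/24")  # behind the firewall/proxy at 33.251.169.1

# Configuration as the post describes it: one inbound rule, one forwarding entry.
HARDENED = {"netgear_inbound_allow": {80}, "netgear_dmz_host": LINKSYS_WAN,
            "linksys_forwards": {80: WEB_SERVER}}
# Assumed weaker variant for comparison: everything passed on at both hops.
WEAK = {"netgear_inbound_allow": None, "netgear_dmz_host": LINKSYS_WAN,
        "linksys_forwards": None, "linksys_dmz_host": WEB_SERVER}

def trace_inbound(dst_port, cfg):
    """Return the hops an unsolicited packet to NETGEAR_WAN:dst_port takes.

    Simplified model (assumption): a rule value of None means "pass everything";
    a port with no forwarding entry is dropped by the device that received it.
    """
    hops = [("netgear", NETGEAR_WAN)]
    allow = cfg["netgear_inbound_allow"]
    if allow is not None and dst_port not in allow:
        return hops + [("drop", "netgear inbound rule")]
    hops.append(("dmz", cfg["netgear_dmz_host"]))
    forwards = cfg["linksys_forwards"]
    target = cfg["linksys_dmz_host"] if forwards is None else forwards.get(dst_port)
    if target is None:
        return hops + [("drop", "linksys: no forward for port %d" % dst_port)]
    return hops + [("deliver", target)]

def exposed_ports(cfg, ports=range(1, 1024)):
    """Ports in the range that are delivered to some host instead of being dropped."""
    return [p for p in ports if trace_inbound(p, cfg)[-1][0] == "deliver"]

def touches_internal(hops):
    """True if any hop address lies inside the internal network."""
    for _stage, addr in hops:
        try:
            if ip_address(addr) in INTERNAL_NET:
                return True
        except ValueError:  # drop reasons are text, not addresses
            pass
    return False
```

With HARDENED only port 80 is exposed and it ends at the web server; with WEAK every port in the range is delivered, which is exactly the exposure the narrow rule and single forward avoid.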
It did work; there is access to the warning page on the web server!
Many thanks to Kermit for the help with the inbound tests and the images.
Last thoughts:
If you need to store files on the internet you can 'rent' storage; depending on the type of file, the price will vary. Because I wanted to store videos and have a link to the video from a web page, the price went up due to the usage of the files by readers of this web site (that remains to be seen...).
You ask why not just load them up on YouTube or one of the other video sharing web sites?
Because:
- Size: the smallest file is over 30 MB
- Security: I am considering selling the videos on my web site, and if they were on a media sharing web site the value to me would be zero...
On the other hand, if you have the hardware, the time, and need the storage, this little exercise may save you a lot of money over time; I know it will save me a lot. Now I wonder what my ISP will make of the increased traffic? Time will tell.
On a side note, if you look at the router setup page in the How To... section you will see how to set up your cable/DSL modem for blocking inbound requests. With this setup I have three firewalls between my network and the internet, along with an internal proxy server for network users to connect to the internet from behind the firewalls. Because two of the firewalls are firmware (built into the routers), someone from outside the cable/DSL router cannot change any settings; they cannot get to the setup page on the router. The second cable/DSL router is hardened even further because it does not have the DMZ server IP nor the open port of 80. The last thing is the firewall/proxy server behind the home/business cable/DSL router. These three layers protect my network from attack by hackers.