
Hochschule Rhein-Waal

Rhine-Waal University of Applied Sciences


Faculty of Communication and Environment

Mr. Stefan Koenen

Typical DMZ for a middle size company

Summer Semester 2019

Communication Security

By:
Dikshant Ghimire (Matriculation Number: 24905), Information Engineering and Computer Science (M.Sc.)
Shirish Maharjan (Matriculation Number: 24906), Information Engineering and Computer Science (M.Sc.)
Aashish Acharya (Matriculation Number: 24538), Communication and Information Engineering (B.Sc.)
Anup Singh Pun (Matriculation Number: 17623), Communication and Information Engineering (B.Sc.)
Subash Khadka (Matriculation Number: 18195), Communication and Information Engineering (B.Sc.)

Statement of Declaration

We hereby declare that the work presented here is our own work documented with the help
of all the references included in the last section of this report. All the works and material
from other sources have been given proper acknowledgment with the citations.

2nd July, 2019

Dikshant Ghimire, Shirish Maharjan, Aashish Acharya, Anup Singh Pun, Subash Khadka

Table of Contents
Statement of Declaration
Table of Contents
List of figures
1. Introduction
1.1 Motivation
1.2 Problem/Threat Model
1.2 Objective
1.3 State of Art
1.4 Method/Approach
1.4.1 Work and Time Breakdown
1.4.2 Solution Outline
2. Project Background
2.1 DMZ
2.2 Virtualization
2.3 DD-WRT
2.4 Firewall
3. Implementation
3.1 Network Design of DMZ and Implementation
3.2 Different Network Architecture
3.3 Final Network Model
4. Tools and Technology Used
4.1 Virtual Box
4.2 Network Devices
4.3 End systems
4.4 System Requirements
5. Network Configuration
5.1 External Router configuration
5.2 Internal Router configuration
5.3 Company's web server (DMZ)
5.4 Company's private database
6. Lessons Learned
7. Future Improvements
8. Conclusion
References

List of figures
Figure 1: Gantt Chart of the project work
Figure 2: Typical dual firewall DMZ network (Suehring, 2015)
Figure 3: Complex DMZ network (Webb, n.d.)
Figure 4: Single Firewall DMZ network design (Chapple, n.d.)
Figure 5: Dual firewall DMZ network design (Chapple, n.d.)
Figure 6: Final model of the DMZ network
Figure 7: Oracle Virtual Box Home Interface
Figure 8: Home page of the external DD-WRT router
Figure 9: Home page of the internal DD-WRT router
Figure 10: Bridged Network Adapter configuration of an external router
Figure 11: Internal Network (DMZ) configuration of the external router
Figure 12: WAN configuration of the external router
Figure 13: LAN (DMZ) configuration of the external router
Figure 14: External router firewall setup
Figure 15: External router port forwarding setup
Figure 16: External router DMZ setup
Figure 17: External router network interfaces
Figure 18: WAN configuration of the internal router
Figure 19: LAN configuration of the internal router
Figure 20: Internal router firewall configuration
Figure 21: Internal router network interfaces configuration
Figure 22: Company web server network adapter configuration
Figure 23: Network Adapter configuration of the company web server
Figure 24: Network interfaces of the company web server
Figure 25: Company Web page access from the external network
Figure 26: Company web page access from an internal private computer
Figure 27: Network adapter configuration of the company database server
Figure 28: Postgres database as the company database inside Ubuntu server

1. Introduction

This report describes a typical Demilitarized Zone (DMZ) setup for a medium-sized company. The
project starts from the need for a secure connection between a company's network and the
internet (the external network) and ends with the solution a DMZ provides. The introduction is
divided into sub-chapters covering the motivation for this project, the problems, the objectives,
the state of the art, and the approach, which contains the work breakdown and the solution for
the given topic. The report explains the use of the open source firmware DD-WRT, which serves
as the firewall in our project and is used to configure the DMZ. The DMZ is the central subject
of this report.

Before diving into the DMZ, a brief look at network security is useful. According to
Stewart (2014), network security is the management of unwanted communication interference
from intruders who intend to harm or disrupt an organization's private network. Network
security covers activities such as monitoring for intrusion, blocking unauthorized
transmissions, monitoring protocol errors and applying the necessary fixes as quickly as
possible. It is about supporting an organization's network and communication goals and
mission, ensuring network integrity by permitting only desirable activity within the network.
Computer networking has changed and evolved faster than ever imagined. The shift from wired
to wireless networking is a realistic and suitable option for almost all companies around the
globe. With the advancement of wireless technology, attackers have become more active and
proficient at stealing data from networks. As a result, most companies invest in the security
of their networks and communication, which reflects how valuable data is to an organization.
Network security breaches are a company's biggest threat and can even lead a company to
bankruptcy. Strong network security gives a sense of protection and relief so that the company
can focus on its core business. Cost-effectiveness is another aspect of network security.
Strong network security obviously costs more, but it must be implemented with the
organization's size and mission in mind, since these determine the level of security required
(Stewart, 2014).

In simple terms, a DMZ is a special zone in the network that segregates devices such as
computers and servers placed on opposite sides of the firewalls. According to Flynn (2006),
the term DMZ, or demilitarized zone, originates from the neutral geographic area set up between
North Korea and South Korea under the United Nations 'police action' in the early 1950s.
Similarly, a DMZ in a computer network is a neutral area of a company placed between the
company's private network and the external public network. This is done for the safety of the
company's private network. The DMZ allows outsiders to access only those servers located in
the DMZ and blocks all other connections from entering the private network of the company
(Flynn, 2006).

1.1 Motivation

In the modern era of technology, the computer network is a main concern of any company.
Every company provides services to its customers and other outsiders and, at the same time, to
its own internal users. This has become the vulnerable part of network communication, because
the company has to share its resources with outsiders as well as with its internal users. The
hosts that provide end-user services, such as the web server and the email server, are the usual
points of breach in an organization. These servers serve both outsiders and internal users,
which exposes the company's private network to outsiders. Without a DMZ, the private network
of the company is at high risk. With a DMZ, these servers are placed inside the company
network but within a sub-network that does not allow an intruder who reaches it to pass
through to the private network of the company. This means that the servers are placed between
the external firewall and the private network. The DMZ allows communication among the
devices located in the DMZ and with the external network, but only limited connectivity to the
hosts inside the internal network. In this way the servers in the DMZ serve both external and
internal users. The firewall is set up to monitor network traffic and protect against
unauthorized access. Although there are other levels of security, such as operating-system-level
security and third-party software protecting the private computers, continuous development in
the field makes this level of security easy to crack. Once an intruder is inside the private
network, any security at the operating system level becomes weak and can be defeated. This
can lead to loss of data and eventually loss of money. Therefore, the first line of defense is
to implement a DMZ and protect the network, which in turn protects the internal private
computers and servers.

1.2 Problem/Threat Model

Setting up a DMZ for a medium-sized company is a demanding task that involves several
activities and implementations. The main task is setting up the router/firewall, which involves
several smaller pieces that need to be tackled and implemented properly. The main concerns for
the project are the following.

● The project required a platform for its implementation. To model a medium-sized company, a virtual setup was required. This was achieved using Oracle Virtual Box, where the different computers, servers and firewalls/routers were installed and configured.
● Designing a network architecture that covers communication among the external internet, a DMZ and a private network.
● Choosing the tools and technology required to set up the network: in our case, a bridged adapter, an internal network and different servers.
● Choosing which router firmware to implement. In our case, the open source DD-WRT router firmware is used as the firewall.
● Compatibility of the devices with each other, since different operating systems are connected together. In our case, the latest Windows 10, Ubuntu and the old Windows XP are used.
● Choosing between a single-firewall DMZ and a double-firewall DMZ. In our case, the double-firewall DMZ is implemented.
● Using different firewalls or the same firewall in the external and internal network. In our case, both are the same, the DD-WRT firmware.
● Configuring the open source routers to define WAN and LAN. In our case, each router is configured individually with different WAN and LAN settings.
● Deciding which operating system to use at the different stages of the network. In our case, Linux is used for the servers and Windows for the host computers.
● Which type of server to implement? In our case, the Ubuntu server edition is used with the Apache server running on it.
● Setting up the database server. In our case, the Postgres database, deployed inside the Ubuntu server, is used as the company's private database.
● How to secure the private computers of the company?
● How to connect to the company web server from the external network and from the internal network using different IP addresses?

1.2 Objective

The main objective of setting up a DMZ for a company is to add an extra, much-needed layer
of security to the organization's LAN. The internal host computers of a company are always at
high risk of network abuse. A DMZ separates these hosts by providing a segregation layer.
Segregation is important in network security: valuable data, applications and servers need to
be separated so that if anything goes wrong in one part of the network, the separated part
remains secure. The DMZ network helps to keep the systems that intruders target, such as the
database server, away from the internal network. A company holds a lot of sensitive information
and databases that need to be protected within the company's network perimeter. At the same
time, the company also provides services to the public in the form of a web server and an
email server, which receive traffic from internet users. Without separation, the publicly
accessible servers and the company's valuable information would sit in the same network. This
leads to the introduction of the DMZ network, which places both the servers and the information
in the company network in such a way that the external internet can access only the servers, not
the company's database.

1.3 State of Art

According to Vile (2019), server virtualization has established its place in the technology
field over the past few years. The old systems used earlier are still in practice, either in
upgraded form or in other ways. Even though there have been upgrades and development in the
field of virtualization, many old VMware deployments still define their essence. However,
problems arise when trying to build on those past inventions and investments to create an
environment able to run dynamic workloads. Technology has moved toward fast-developing
hyper-scale applications, which require secure distributed access. This highlights the need for
cloud-based applications with the systems deployed on our own infrastructure. The main
question is whether to extend the old virtualization environments or to develop a platform
designed to support a hybrid deployment model (Vile, 2019).

According to Rash (2019), DMZ deployment is slowing down, because cloud technology, with
its numerous business functions, is taking over the role of the DMZ. In the case of a web
server, we can now launch a web server and get protection from the cloud's firewall. This
means we do not need a separate network configuration for our internal network, as everything
is handled by the cloud. Along with that, the extra functions a DMZ provides are also available
in the cloud. Despite this, the DMZ remains a general network security measure (Rash, 2019).

1.4 Method/Approach

The DMZ is the first line of defense for a company's internal network; therefore, the technique
should be strong enough to stop intruders and flexible enough to allow communication with
internal hosts and the external network. There are several ways to approach a DMZ setup. As
this is for a medium-sized company, we consider only two levels of DMZ setup here: the
single-firewall DMZ and the double-firewall DMZ. For this project, the double-firewall DMZ is
implemented. The whole setup is performed in Virtual Box, and all servers and host computers
are installed as virtual machines. The details of the DMZ and of Virtual Box are explained in
the DMZ and Virtualization sections of this report.

1.4.1 Work and Time Breakdown

Time is an important factor when starting a project. It is better to divide the work into small
sub-tasks so that each can be tracked against the time required to complete it. All tasks are
equally important, but some require more time than others. The Gantt chart below helps to show
the division of work and time more precisely. In any project, most of the time is spent on
documentation, which is a good sign because it leads to a better analysis in the report. The
Gantt chart is shown in Figure 1.

Figure 1: Gantt Chart of the project work

1.4.2 Solution Outline

The solution is achieved using different tools and technologies. It starts with the platform on
which all the host computers, servers and firewalls reside. This platform is Virtual Box, which
handles all the operating systems and the network connections among them. The main task was
the setup of the open source DD-WRT router (firewall). As this is a double-firewall setup, two
DD-WRT routers were required. The first firewall was set up with its outer interface connected
to the external world and its inner interface connected to the company's internal sub-network,
i.e. the DMZ. The first router was configured manually for WAN and LAN using the firmware's
web login page. Similarly, the second router was also configured manually for WAN and LAN.
The web server, an Ubuntu server edition with the Apache server running on it, was installed
between the two routers. This server was configured as the DMZ host using the first router's
settings. The first firewall, also called the perimeter firewall, is configured to allow external
traffic destined for the DMZ only. The second or internal firewall allows traffic only from the
DMZ to the internal network. This is considered more secure, since two devices would need to
be compromised before an attacker could access the internal LAN. The IP address used to reach
the web server in the DMZ is different for internal users and for external users. Both are
handled by the two firewalls, which secure and guide the connection up to the web server.
Figure 2, from Suehring (2015), represents the typical network layout used in our project, a
double-firewall DMZ network.

Figure 2: Typical dual firewall DMZ network (Suehring, 2015)

2. Project Background
2.1 DMZ

According to Tetz (n.d.), in computer networking a DMZ is a specific area dedicated to servers
that people from the outside world need to access. The word DMZ comes from the military term
for a buffer zone between two enemies which both parties agree to stay out of. The DMZ contains
servers that belong to the company and are within the company network, but not inside the
internal company network. This does not mean the DMZ is unprotected; rather, its servers sit
behind a firewall configured according to the needs of the company. Some companies even have
a separate network segment for servers, protected by the firewall. This is also a kind of DMZ
implementation (Tetz, n.d.).

The most common ways of designing a DMZ network use one or two firewalls. Most modern
companies rely on a double-firewall DMZ. These common designs can be further expanded into
more complex architectures according to the demands of network security. One example of a
complex DMZ setup is shown in Figure 3 (Webb, n.d.).

Figure 3: Complex DMZ network (Webb, n.d.)

2.2 Virtualization

In simple terms, virtualization is the technology that creates virtual resources such as
networks, servers and operating systems. According to Wolf and Halter (2005), virtualization is
the act of abstracting away the physical limits of the technology. Servers and workstations no
longer need dedicated physical hardware, such as a motherboard and processor, to operate as
independent systems. This is an example of physical abstraction (Wolf and Halter, 2005).
Virtualization's primary aim is to handle workloads by transforming traditional computing so
that it becomes more scalable. Over the decades, virtualization has become a standard component
of the technology field and can now be applied at numerous system layers, including operating
system virtualization, hardware-level virtualization and server virtualization. Virtualization
at the operating system level is one of the most common forms: multiple operating systems can
be run on the same hardware. If another (guest) operating system is installed on top of the
main (host) operating system using virtualization, it is called a virtual machine.

Different people have different reasons for using virtual machines. For example, general
computer users use virtualization to run and test different operating systems without worrying
about dedicated hardware and software. With virtualization, users can switch between different
operating systems running at the same time on the host computer without rebooting any of them.
Similarly, network administrators use virtualization to run different operating systems, but
its most important function for network administration is that it allows a large system to be
segmented into smaller sections, which lets different users and applications use the server
efficiently and as needed. It also makes it possible to isolate programs running in one virtual
machine from the processes running in another virtual machine on the same host. For our
project, Oracle Virtual Box, a cross-platform virtualization software, was used. With the help
of Virtual Box, we were able to install and run all the servers, firewalls and operating
systems at the same time with interconnections among them. Virtual Box not only let us run the
different operating systems, servers and firewalls, but also let us connect them to each other
with the correct configuration through its network settings, where virtual adapters were
enabled according to the requirements of the network security design.

2.3 DD-WRT

According to the official DD-WRT website (dd-wrt.com), DD-WRT is an open source firmware based
on the Linux operating system, suitable for a wide range of WLAN routers and embedded systems.
The primary focus is on making the handling as easy as possible while at the same time
providing numerous functions on the corresponding hardware platform. The setup and
configuration of the router are simple because of the structured GUI, and the setup page is
operated through a web login page. This makes it much easier even for a non-technical person
to configure. The configuration steps are simple and easy to understand. Simple setup, speed
and stability are some of the focus areas of the DD-WRT firmware. It has a large user and
developer community, which makes it a well-documented and well-maintained system. This also
helps to detect a potential breach in the router and correct it as quickly as possible. Thanks
to the well-guided documentation and user forums, DD-WRT is well appreciated by users around
the globe (Dd-wrt.com, n.d.).

In our case, two DD-WRT routers are used at two different interfaces. One deals with the
external users and directs traffic to the DMZ network, while the other handles the
communication of the internal private network. We used the open source firmware in the form of
a DD-WRT .iso file and installed it in Virtual Box. We needed the routers as firewalls in the
system, so no hardware router was required, just the software in the form of the .iso firmware.
Installing the .iso file was a challenging task, as we needed a third-party tool on the Windows
platform to write the .iso image onto the virtual disk.

2.4 Firewall

In simple terms, a firewall is firmware that enforces a set of rules deciding which data
packets are allowed within the given network. According to EC-Council (2011), a firewall is
software on the network gateway server that helps to secure the private network from
intruders. Generally, a firewall is set up between the public and private networks to form a
reliable and secure boundary. Sometimes a firewall is also required inside a company in order
to secure different departments from each other (EC-Council, 2011).

Firewall functions can be found in numerous network devices that need to filter traffic and
block suspicious data packets, mainly those travelling over the public network, which can have
a severe impact on a company's private network. In our case, the DD-WRT router is used to
configure the firewall for the internal network of the company.

3. Implementation

The implementation section describes the different network design patterns, the network parts
and the final network model used for the project. As already discussed, there are different
approaches to implementing a DMZ, but we wanted to come up with something that meets the
security and flexibility needs of a medium-sized company. The sub-sections of this chapter
describe the single- and double-firewall DMZ setups.

3.1 Network Design of DMZ and Implementation

We started with a single-firewall design and then upgraded to a double-firewall DMZ as the
security demands grew and to eliminate unknown threats to the company's private network. The
two DMZ designs, which define the level of security required, are described as follows:

● Single Firewall

This is a less secure network design than the double-firewall design. As the name suggests, it
has only one firewall, placed in front of both the DMZ and the private network. This means that
the DMZ with the web servers and the private network are controlled by just one firewall. The
danger is that once intruders get past the firewall, they can access not only the web server
but also the company's private network. The front interface of the firewall is connected to the
WAN (Wide Area Network), through which the internet is reached, and the back interface is
connected to the internal network of the company, which forms the DMZ as well as the private
network. An example of a single-firewall DMZ network design is shown in Figure 4 (Chapple,
n.d.).

Figure 4: Single Firewall DMZ network design (Chapple, n.d.)

● Double Firewall

To strengthen the security of the network, the double-firewall design was implemented. In this
design, two firewalls are used so that intruders cannot get through to the internal network of
the company. The first firewall is placed in front of the DMZ. This is the first point of the
network that external users interact with. In the first firewall, the front interface is
connected to the internet for WAN connectivity and the back interface is connected to the DMZ,
where the servers are placed. In the second firewall, the back interface is connected to the
private network of the company, i.e. the Local Area Network (LAN, intranet). This design
provides backup security for the private network: if intruders get past the first firewall,
they are blocked by the second firewall, which restricts communication with the private network
(LAN, intranet). The first firewall holds all the rules that forward traffic from external
users to the DMZ only. Similarly, the second firewall is configured for the internal private
network only. An example of a dual-firewall DMZ network design is shown in Figure 5
(Chapple, n.d.).

Figure 5: Dual firewall DMZ network design (Chapple, n.d.)

3.2 Different Network Architecture

While setting up the design for the DMZ, different network parts were encountered, and they all
played an important role in securing the network. The network was divided into different parts so
that it is easier to understand which part of the network is used for what purpose. This
division follows from the double firewall implementation of the DMZ. There were mainly three
different networks that played their part in the proper functioning of the whole network. These
divisions also reflect how well a company can cope with the compatibility and efficiency of the
network system. The need of external users to access the web server, as well as of internal users
to access the web server, to restrict intruders to the DMZ and to keep the private network secure
were some of the factors that led to the division. The following are the network divisions
performed:

● External Network (WAN)

External Network means the network which is configured to be used by the external
users. The WAN is configured so that all the users outside of the company can access the
company web server, which is in the DMZ, from outside. The external users also include
the intruders. The external network has been configured to carry external traffic and
respond to external requests by directing them toward the DMZ.

● Sub-network (DMZ)

In this case, the sub-network is basically the DMZ. Every request coming from the
external network reaches the DMZ. The sub-network is configured in such a way that all
the requests from the external network are served by the DMZ and do not get past that
network any further. Services like web servers and email servers are placed in this network,
which can be accessed by external users as well as from inside the company’s internal
network.

● Internal Network (LAN Intranet)

The last network is the company’s internal private network (LAN, intranet). This network
plays the role of connecting only the devices within the internal network. All incoming
traffic from the external network to the internal network is blocked. On the other hand,
outgoing connections from the internal network to the DMZ as well as to the external internet
are allowed. The main aim of the internal network is to keep the private network of the
company secure and out of the reach of intruders. It does not provide any service to
outsiders. In our case, the internal network hosts the company’s database server, which is
only available to the internal network users.

3.3 Final Network Model

In order to visualize the final network model that we implemented, a diagram was created with the
help of the online drawing tool at www.draw.io, as shown in Figure 6. The main motive for drawing
this model was to let readers better understand the topic and how each of the components like
servers, routers and host PCs were placed and utilized.

Figure 6: Final model of the DMZ network

4. Tools and Technology Used

4.1 Virtual Box

VirtualBox is simply a virtualization tool. The one used in this project is Oracle
VirtualBox 6.0. There is other software, including VMware, but due to its ease of use
and better GUI for handling network settings, Oracle VirtualBox was used. VirtualBox
provided the main platform for all the other devices such as servers, routers and host computers.
The main concern was the ease of using and configuring different setups, which Oracle
VirtualBox handled efficiently. Figure 7 shows the main interface of Oracle VirtualBox
where the different machines are installed virtually.

Figure 7: Oracle Virtual Box Home Interface

4.2 Network Devices

Network devices are the backbone of this setup. They were used to create the
firewalls and to configure the networks for WAN and LAN. The only network device used was the DD-
WRT router (firmware). A detailed explanation has already been presented in an earlier
section of this report. Network devices basically provide a communication and interaction
channel between different devices.

● DD-WRT routers

It is one of the most used and trusted free and open source router firmwares, which fits perfectly
for this project setup. There are other options too, like ‘pfSense’, but due to its popularity,
easy GUI and easy configuration, DD-WRT routers were used. It is said that it is better to use
routers from two different companies when installing a double firewall DMZ, so that the same
breach in one firewall does not happen with the second firewall. In our case, both firewalls are
DD-WRT with a 32-bit Linux operating system. The home pages of the external and internal DD-WRT
routers are shown in Figure 8 and Figure 9 respectively. These pages were used for the
configuration of the network.

Figure 8: Home page of the external DD-WRT router



Figure 9: Home page of the internal DD-WRT router

4.3 End systems

These are the main devices which are used for receiving or providing the services. In our case,
different operating systems were used for different tasks as per the requirement. Linux was
selected for the servers because a server needs to be fast and secure, and Linux is faster and
more secure compared to Windows. Similarly, ease of use, a better GUI and user-friendliness are
some of the reasons for selecting Windows for the host computers. All of them are described
below:

● Ubuntu Server implemented as Company Web server (Installed Linux 18.04.2 LTS version, 64 bit).

● Ubuntu Server implemented as Company Database Server (Installed Linux 18.04.2 LTS version, 64 bit).

● Microsoft Windows implemented as a Company Host computer (Installed Microsoft Windows XP Professional 2003, 64 bit).

4.4 System Requirements

These are the requirements of the computer/laptop that were needed to carry out this project.

● Hardware Requirements:
o Processor: Intel(R) Core(TM) i5-8250U CPU @ 1.60 GHz (1.80 GHz)
o Installed memory (RAM): 4.00 GB (3.65 usable)
o Hard disk Memory: Total space 700 GB where around 18 GB used

● Software Requirements:
o Operating System: Windows 10 Home 64-bit

5. Network Configuration

The whole setup was based on the correct network configuration. Different network parameters
were set and different WANs and LANs were configured. The main task was to understand and
assign the correct IP address to the correct port and interface. The main configuration was
done for both routers (internal and external) and for both servers (web server and
database server).

5.1 External Router configuration

The first router was configured as the external router. This was configured using the web login
page of the router, reached via the router’s IP address, which can be found using the command
“ifconfig br0” inside the router’s terminal. All the parameters such as WAN, default gateway, LAN,
DMZ, etc. were configured. The router has two network interfaces, which means two adapters
were used for the setup of the front and back interface of the router. These two adapters are:

 Bridged Adapter (Wireless Adapter)

Using the bridged adapter, the external router gets internet access from the external network. It
carries the incoming and outgoing traffic from and to the internet. The bridged adapter
connects the virtual machine to the network of the host system. Figure 10 shows the
configuration of the external network for the first network adapter.

Figure 10: Bridged Network Adapter configuration of an external router


 Internal Network (DMZ)

The Internal Network (DMZ) is the second adapter of the external router. This adapter is
used to hold all the web servers which need to be exposed to the outside world. This is
the main network area where the DMZ is implemented. Figure 11 shows the network
configuration of the second network adapter of the external router.

Figure 11: Internal Network (DMZ) configuration of the external router

Figure 12 is the WAN configuration of the external DD-WRT router using the router’s web login
page. This can be summed up as:

o Static IP address: 192.168.0.11
o Subnet mask: 255.255.255.0
o Default Gateway: 192.168.0.1
o Static DNS 2: 8.8.8.8 (Google DNS)

Figure 12: WAN configuration of the external router

Similarly, Figure 13 is the LAN configuration of the external DD-WRT router using the router’s
web login page. This can be summed up as:

o Static IP address: 192.168.1.1
o Subnet mask: 255.255.255.0
o Maximum DHCP users: 50

Figure 13: LAN (DMZ) configuration of the external router

Figures 14, 15 and 16 show the configuration of the external router for the external network
firewall, port forwarding, and DMZ respectively. These configurations can be summed up as:

● Anonymous users were blocked using the firewall settings shown in Figure 14.
● The company web server is exposed to external users by applying the DMZ setting for its IP
address, as shown in Figure 16.
● The necessary port forwarding for application protocols like HTTP, FTP and HTTPS is set up
in order to access the company web server, as shown in Figure 15.
● Finally, the external network is set up to direct requests arriving on the external network
to the company web server, which is in the DMZ.

Figure 14: External router firewall setup

Figure 15: External router port forwarding setup

Figure 16: External router DMZ setup



The configurations applied on the router web page can be seen in the router’s terminal
using the command ‘ifconfig’, which displays all the network interfaces and how they are
configured, as shown in Figure 17.

Figure 17: External router network interfaces



5.2 Internal Router configuration

After the first router was configured, the internal router was configured, also manually, using
the same web login page but with the router’s own, different IP address. The same process was
repeated as for the external router, but this time with different WAN and LAN settings and no
DMZ, because this was the private network of the company, which needs no incoming access from
outside. As with the external router, the internal router was configured with two different
network adapters. The only difference was the second adapter, which was an Internal Network but
not the DMZ; it was the LAN/intranet. The two adapters used were the Bridged Adapter and the
Internal Network (LAN/intranet).

Figure 18 is the WAN configuration of the internal DD-WRT router using the router’s web login
page. This can be summed up as:

o Static IP address: 192.168.1.12
o Subnet mask: 255.255.255.0
o Default Gateway: 192.168.1.1
o Static DNS 1: 8.8.8.8 (Google DNS)

Figure 18: WAN configuration of the internal router


Similarly, Figure 19 is the LAN configuration of the internal DD-WRT router using the router’s
web login page. This can be summed up as:

o Static IP address: 192.168.2.1
o Subnet mask: 255.255.255.0
o Maximum DHCP users: 50

Figure 19: LAN configuration of the internal router

The internal router is also configured with firewall settings. Figure 20 shows the internal router
firewall configuration, which can be summed up as:

o External traffic from the internet is blocked towards the internal private network of
the company.
o The internal network can access the DMZ.
o The internal network can access the internet.

Figure 20: Internal router firewall configuration

The configuration set up in the web page of the internal router can be checked in the terminal of
the internal DD-WRT router using the command ‘ifconfig’, as shown in Figure 21.

Figure 21: Internal router network interfaces configuration

5.3 Company’s web server (DMZ)

Once both routers were configured properly, the next task was to configure the company web
server in the DMZ. The web server was set up with two adapters. The first adapter was the
Internal Network (DMZ) for receiving the incoming requests for the web server from the external
network, and the second adapter was the Internal Network (LAN/intranet) for the connection with the
private computers of the internal network. By setting it up this way, we were able to connect to the
web server from outside the network as well as from the internal private network using different
IP addresses. The network settings of the company web server are shown in Figures 22 and 23,
which show the connection of the first network adapter to the DMZ network and of the second
adapter to the private internal network.

Figure 22: Company web server network adapter configuration



Figure 23: Network Adapter configuration of the company web server

Once the network adapters were configured, the network interfaces / Ethernet ports of the
server needed to be brought up with an IP address, netmask and default gateway. This was done
manually using the following commands in the terminal of the Ubuntu server hosting the company
web server. The network interface enp0s3 was connected to the internal DMZ network, whereas the
next network interface, enp0s8, was connected to the intranet (the internal private network of the
company). The two interfaces enp0s3 and enp0s8 were configured in the following way.

For enp0s3 the following commands were used:

● sudo ifconfig enp0s3 up
● sudo ifconfig enp0s3 192.168.1.105 netmask 255.255.255.0
● sudo route add default gw 192.168.1.1 enp0s3

Similarly, for enp0s8, the following commands were used:

● sudo ifconfig enp0s8 up
● sudo ifconfig enp0s8 192.168.2.105 netmask 255.255.255.0
● sudo route add default gw 192.168.2.1 enp0s8

The changed configuration was checked using the ‘ifconfig’ command on the terminal of the Ubuntu
web server, which is shown in Figure 24. This can be summed up as:

For enp0s3:

● Static IP Address 192.168.1.105
● Broadcast Address 192.168.1.255
● Subnet Mask 255.255.255.0
● Default Gateway 192.168.1.1

For enp0s8:

● Static IP Address 192.168.2.105 (internal users use this IP address to connect to the web
server)
● Broadcast Address 192.168.2.255
● Subnet Mask 255.255.255.0
● Default Gateway 192.168.2.1

Figure 24: Network interfaces of the company web server

For this project, the Apache web server was implemented as the company web server, deployed
inside the DMZ Ubuntu server. The default Apache page was replaced with a design that looks like
a company web page for this project. For this, the main .html page located at
~/var/www/html/index.html was edited with some basic HTML and CSS. Figure 25 shows the
company web page accessed by an external user using the IP address 192.168.0.11, whereas the
same page accessed from an internal private company computer using the IP address 192.168.2.105
is shown in Figure 26.

Figure 25: Company Web page access from the external network

Figure 26: Company web page access from an internal private computer

5.4 Company’s private database

The last step was to set up the database server for the company in the private network. The
database server was configured with only one adapter, for communication with the internal
network: an Internal Network (LAN/intranet) adapter. A Postgres database was used in this case.
Figure 27 is the network adapter configuration of the company database server, where the network
adapter is connected to the internal private network.

Figure 27: Network adapter configuration of the company database server

After the configuration of the network adapter, the network interface / Ethernet port needed to be
brought up with a static IP address, netmask and default gateway, as was done earlier for the Ubuntu
web server. The setup is done in such a way that only the internal private users of the company
can access the Postgres database server, using the IP address 192.168.2.117. A simple
database was set up in Postgres, in which a simple software table was created with a few
attributes, which can be seen in Figure 28. The database server configuration can be summed up
as:

● Static IP Address 192.168.2.117
● Broadcast Address 192.168.2.255
● Subnet Mask 255.255.255.0
● Default Gateway 192.168.2.1

Figure 28: Postgres database as the company database inside Ubuntu server
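The following script is an added example and not part of the report: it models the double firewall policy described in sections 3.1, 5.1 and 5.2 with the address plan from sections 5.1 to 5.4, and evaluates which constructed flows the two DD-WRT routers would permit. The forwarded port set, the external sample address 203.0.113.5 and the LAN host 192.168.2.50 are assumptions; the last flow shows that the web server's second interface on the LAN (section 5.3) reaches the database server without passing the internal router at all.

```python
import ipaddress

# Address plan taken from sections 5.1 to 5.4 of the report.
EXTERNAL_NET = ipaddress.ip_network("192.168.0.0/24")   # WAN side of the external router
DMZ_NET = ipaddress.ip_network("192.168.1.0/24")        # LAN side of the external router
LAN_NET = ipaddress.ip_network("192.168.2.0/24")        # LAN side of the internal router
WEB_SERVER_DMZ = ipaddress.ip_address("192.168.1.105")  # enp0s3 of the web server
WEB_SERVER_LAN = ipaddress.ip_address("192.168.2.105")  # enp0s8 of the web server
DB_SERVER = ipaddress.ip_address("192.168.2.117")

# Assumption: the external router forwards only HTTP, HTTPS and FTP (section 5.1).
FORWARDED_PORTS = {80, 443, 21}


def zone(ip):
    """Name the segment an address belongs to. Anything outside the two private
    segments counts as external (the 192.168.0.0/24 host network or the internet)."""
    ip = ipaddress.ip_address(ip)
    if ip in DMZ_NET:
        return "DMZ"
    if ip in LAN_NET:
        return "LAN"
    return "EXTERNAL"


def external_router_permits(src, dst, dport):
    """External DD-WRT rules: new connections from outside reach only the forwarded
    ports of the web server; connections leaving towards the internet are allowed."""
    if zone(src) == "EXTERNAL":
        return ipaddress.ip_address(dst) == WEB_SERVER_DMZ and dport in FORWARDED_PORTS
    return True


def internal_router_permits(src, dst, dport):
    """Internal DD-WRT rules: nothing outside the LAN may open a connection into the
    LAN; LAN hosts may reach the DMZ and the internet (section 5.2, Figure 20)."""
    if zone(dst) == "LAN":
        return zone(src) == "LAN"
    return True


def allowed(src, dst, dport):
    """Decide whether a new connection src -> dst:dport is permitted by every firewall
    on its path: the external router sits between EXTERNAL and DMZ, the internal
    router between DMZ and LAN. Traffic inside one segment meets no firewall."""
    order = {"EXTERNAL": 0, "DMZ": 1, "LAN": 2}
    lo, hi = sorted((order[zone(src)], order[zone(dst)]))
    verdict = True
    if lo <= 0 < hi:  # path crosses the external router
        verdict = verdict and external_router_permits(src, dst, dport)
    if lo <= 1 < hi:  # path crosses the internal router
        verdict = verdict and internal_router_permits(src, dst, dport)
    return verdict


def audit():
    """Constructed flows covering each zone pair; returns {label: permitted}."""
    flows = {
        "internet -> web server :80": ("203.0.113.5", WEB_SERVER_DMZ, 80),
        "internet -> web server :22": ("203.0.113.5", WEB_SERVER_DMZ, 22),
        "internet -> database :5432": ("203.0.113.5", DB_SERVER, 5432),
        "LAN host -> web server (LAN side)": ("192.168.2.50", WEB_SERVER_LAN, 80),
        "LAN host -> internet :443": ("192.168.2.50", "203.0.113.5", 443),
        "web server (DMZ side) -> database": (WEB_SERVER_DMZ, DB_SERVER, 5432),
        # The second interface of the web server lies inside the LAN segment, so this
        # flow never traverses the internal router: dual-homing bypasses it.
        "web server (LAN side) -> database": (WEB_SERVER_LAN, DB_SERVER, 5432),
    }
    return {label: allowed(str(s), str(d), p) for label, (s, d, p) in flows.items()}


if __name__ == "__main__":
    for label, ok in audit().items():
        print(f"{'ALLOW' if ok else 'BLOCK'}  {label}")
```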

6. Lessons Learned

The project started with research and brainstorming sessions and ended with the report
writing. Throughout the project, each and every stage was a lesson to be learned. We students
came from two different faculties: half of us from the Bachelor’s programme in Communication and
Information Engineering and the rest from the Master’s programme in Information Engineering and
Computer Science. Even though all of us were from a technical field, this was a new challenge and
a learning-by-doing experience for all of us. At the beginning of this project, we were clueless
about the term DMZ and its related concepts, but as we researched, held meetings and conducted
brainstorming sessions, we became more motivated and inclined toward the project goal. We
adopted the process of learning by doing. Our networking skills have definitely improved, as we
were not much inclined toward network security before. Along with the educational lessons, we
learned team building and group working strategies which will obviously help us in our future
project work.

Projects are always a learning experience because of the practical work related to them.
Different terms like DD-WRT were new for us. Though we had surface knowledge of terms like
VirtualBox, Linux, IP addresses, etc., we have now gained much more knowledge and can explain
those terms to other people. All the tasks carried out were of a professional level, which gives
us the satisfaction that within this short span of project time we have been able to learn so much
through this topic. We got the chance to look at network security from a close angle, which
educated us about the dangers and potential vulnerabilities that can occur in a network.

7. Future Improvements

The project we have implemented still lacks different functions which would obviously make the
system stronger, more flexible and more efficient. These future improvements are seen as the
chance to make the system more stable and secure. Some of the future improvements which we feel
can be done are listed below:

 Set up a standard web server with a domain on the DMZ so that anyone can connect to it.
 Set up an email server on the DMZ so that users can have the company’s email address.
 Interconnect more routers to secure the internal private network.
 Use routers from different companies, as the same router model has the same breach, which
intruders take advantage of.

8. Conclusion

A DMZ provides an extra layer of security to the private network where a server needs to be
exposed to the external world. Security is always the main concern while dealing with the
external network. Intruders are always in search of breaches which can lead to access to
company or individual data. Having a double firewall DMZ best fits the security policy of a
middle size company. Routers also play an important role in network security. All the network
traffic is handled by the router/firewall, which makes us aware of the fact that a router breach
can lead to a whole network breach. This is the reason that having different routers from different
manufacturing companies can make network security more robust. VirtualBox is the best
platform for such projects, as it provides a platform to interact with all the servers, host
computers and routers to achieve a single goal.

This report is the reflection of the project on a typical setup of a DMZ, keeping the middle size
company in mind. This setup was done in VirtualBox, which was the best platform option for such
visualization because we wanted something simple to use and at the same time efficient enough to
integrate and run multiple operating systems at the same time. The Linux operating system is fast
and secure compared to Windows, which was the main reason for choosing Linux for the servers.
Linux was easy to set up but needed knowledge of terminal commands, including network
commands. Security is crucial for any company, but the setup required depends upon
the size and policy of the company. Some companies might be happy with a single firewall DMZ,
while others need a dual firewall DMZ with a more complex architecture.

References

Chapple, M. (n.d.). Choosing the right firewall topology: Bastion host, screened subnet or dual
firewalls. [online] SearchSecurity. Available at:
https://searchsecurity.techtarget.com/tip/Choosing-the-right-firewall-topology-Bastion-host-
screened-subnet-or-dual-firewalls [Accessed 4 Jul. 2019].

Dd-wrt.com. (n.d.). DD-WRT » About. [online] Available at: https://dd-wrt.com/about/
[Accessed 3 Jul. 2019].

EC-Council (2011). Perimeter defense mechanisms. Clifton Park, NY: Course Technology
Cengage Learning, p.2-2.

Flynn, H. (2006). Designing and building enterprise DMZs. Rockland, MA: Syngress Pub., p.12.

Rash, W. (2019). Requiem for the DMZ. [online] PCMag UK. Available at:
https://uk.pcmag.com/feature/119655/requiem-for-the-dmz [Accessed 4 Jul. 2019].

Stewart, J. (2014). Network security, firewalls, and VPNs. 2nd ed. Jones Bartlett Learning, p.4.

Suehring, S. (2015). Linux firewalls. 4th ed. Upper Saddle River, NJ: Addison-Wesley, p.181.

Tetz, E. (n.d.). Network Firewalls: Defending Data with the DMZ - dummies. [online] dummies.
Available at: https://www.dummies.com/programming/networking/cisco/network-firewalls-
defending-data-with-the-dmz/ [Accessed 3 Jul. 2019].

Vile, D. (2019). What do our IT pro readers make of virtualization in 2019? Here are the poll
results, plus our insight and tips. [online] Theregister.co.uk. Available at:
https://www.theregister.co.uk/2019/05/24/economics_virtualization_platforms/ [Accessed 4 Jul.
2019].

Webb, J. (n.d.). Network Demilitarized Zone (DMZ). [online] Infosecwriters.com. Available at:
http://www.infosecwriters.com/Papers/jwebb_network_demilitarized_zone.pdf [Accessed 3 Jul.
2019].

Wolf, C. and Halter, E. (2005). Virtualization. Berkeley, CA: Apress, p.23.
