TRENDnet TEW-812DRU User Manual page 48

"outside the firewall". Anyone considering using a DMZ host should also consider running a
firewall on that DMZ host system to provide additional protection.
Packets received by the DMZ host have their IP addresses translated from the WAN-side IP
address of the router to the LAN-side IP address of the DMZ host. However, port numbers are
not translated; so applications on the DMZ host can depend on specific port numbers.
The DMZ capability is just one of several means for allowing incoming requests that might
appear unsolicited to the NAT. In general, the DMZ host should be used only if there are no
other alternatives, because it is much more exposed to cyberattacks than any other system on
the LAN. Thought should be given to using other configurations instead: a virtual server, a port
forwarding rule, or a port trigger. Virtual servers open one port for incoming sessions bound for
a specific application (and also allow port redirection and the use of ALGs).
Port forwarding is rather like a selective DMZ, where incoming traffic targeted at one or more
ports is forwarded to a specific LAN host (thereby not exposing as many ports as a DMZ host).
Port triggering is a special form of port forwarding, which is activated by outgoing traffic, and for
which ports are only forwarded while the trigger is active.
Few applications truly require the use of the DMZ host. Following are examples of when a
DMZ host might be required:
‧ A host needs to support several applications that might use overlapping ingress ports such
that two port forwarding rules cannot be used because they would potentially be in conflict.
‧ To handle incoming connections that use a protocol other than ICMP, TCP, UDP, and IGMP
(also GRE and ESP, when these protocols are enabled by the PPTP and IPSec
Enable DMZ
Putting a computer in the DMZ may expose that computer to a variety of security risks. Use of
this option is only recommended as a last resort.
47