To shield the DMZ (demilitarized zone) and the Intranet from attacks, you can activate an additional address check for each interface using the firewall's Intrusion Detection System (IDS).
The relevant buttons are called 'DMZ check' or 'Intranet check' and can have the values 'loose' or 'strict':
- If the button is set to 'loose', then every source address is accepted if the LANCOM is addressed directly.
- If the button is set to 'strict', then a return route has to be explicitly available so that no IDS alarm is triggered. This is usually the case if the data packet contains a sender address to which the relevant interface can also route data. Sender addresses from other networks, to which the interface cannot route, or sender addresses from the own address range will therefore trigger an IDS alarm.
Note: For all devices, the default is 'loose'. The default is set to 'strict' for LANCOM 7011 VPN only, as a more precise address check has already been used for this device.
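The following Python model is an added example, not LANCOM code: it applies the two settings as described above to a few packets so the effect on implausible sender addresses can be compared. The routing table, interface names and addresses are constructed; the model assumes that 'loose' still applies the return-route check to packets not addressed to the device itself, and it reads 'own address range' as the device's own interface addresses.

```python
import ipaddress

# Constructed sample topology (assumption, not from the page):
# routing table entries as (network, outgoing interface).
ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), "INTRANET"),
    (ipaddress.ip_network("10.0.0.0/24"), "DMZ"),
    (ipaddress.ip_network("0.0.0.0/0"), "WAN"),
]
# The device's own interface addresses in this sample.
DEVICE_ADDRS = {
    ipaddress.ip_address("192.168.1.1"),
    ipaddress.ip_address("10.0.0.1"),
}

def return_interface(src):
    """Longest-prefix match: interface a reply to src would leave on."""
    matches = [(net.prefixlen, ifc) for net, ifc in ROUTES if src in net]
    return max(matches)[1] if matches else None

def address_check(mode, arrival_ifc, src, dst):
    """Return 'accept' or 'ids-alarm' for a packet arriving on arrival_ifc."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 'loose': any source address is accepted when the device is addressed directly.
    if mode == "loose" and dst in DEVICE_ADDRS:
        return "accept"
    # A sender claiming one of the device's own addresses cannot be genuine.
    if src in DEVICE_ADDRS:
        return "ids-alarm"
    # A return route to the sender must exist via the arrival interface.
    if return_interface(src) != arrival_ifc:
        return "ids-alarm"
    return "accept"
```
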
You will find the button for activating the DMZ and Intranet address check in LANconfig in the 'TCP-IP' configuration area on the 'General' tab page.
LANconfig: TCP/IP / General
WEBconfig: LCOS-menu tree / Setup / TCP-IP