While the inverse masquerading described in the preceding paragraph makes it possible to expose at least one service of each type (e.g. one Web, Mail and FTP server), this method is subject to some restrictions.
- The masquerading module must support and 'understand' the particular server service of the 'exposed host'. For instance, several VoIP servers use proprietary, non-standard ports for extended signalling. Such servers can therefore be used only on unmasked connections.
- From a security point of view, it must be considered that the 'exposed host' resides within the LAN. If the host comes under the control of an attacker, it could be misused as a starting point for further attacks against machines in the local network.
Note: In order to prevent attacks from a compromised server against the local
network, some LANCOM devices provide a dedicated DMZ interface (LANCOM 7011 VPN)
or are able to separate their LAN ports at the Ethernet level in hardware (LANCOM
821 ADSL/ISDN, LANCOM 1511 DSL, LANCOM 1521 ADSL, LANCOM 1621 ADSL/ISDN,
LANCOM 1711 VPN, LANCOM 1811 DSL and LANCOM 1821 ADSL).