What are the best practices for securing your Internet router and also securing your servers on a DMZ?

These are my suggestions:
- Lock down administration of the router so that you can only administer it via SSH, and only from the inside network.
- Know what your servers do.
- Based on #2, limit what kinds of packets can come from the Internet to your DMZ-based servers. E.g., e-mail servers should only receive e-mail-related packets (SMTP, TLS perhaps, POP3 if you allow retrievals from the Internet, etc.), web servers, web traffic (HTTP, SSL, TLS, etc.).
- Limit what kinds of packets can come from the DMZ-based servers to the Internet. It's a web server... it should not originate SMTP. It should not originate anything to the Internet. It should not have any TELNET packets coming out of it to the Internet, etc.
- Configure your firewall to likewise be unforgiving about what comes out of the servers on the DMZ destined for the inside network.
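
The policy in the list above, written as an nftables ruleset for a Linux-based router. This is an added example, not part of the original answer; the choice of nftables, the interface names (`wan0`, `dmz0`, `lan0`), the addresses and the mail server's outbound SMTP allowance are all assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example. Assumed interfaces: wan0 = Internet, dmz0 = DMZ, lan0 = inside.
# Addresses are constructed for illustration (192.0.2.0/24 is a documentation range).

flush ruleset

define WEB  = 192.0.2.10    # DMZ web server (assumed)
define MAIL = 192.0.2.25    # DMZ mail server (assumed)
define LAN  = 10.0.0.0/24   # inside network (assumed)

table inet edge {
    # Traffic addressed to the router itself.
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # Administration: SSH only, and only from the inside network.
        iifname "lan0" ip saddr $LAN tcp dport 22 accept
    }

    # Traffic routed between the Internet, the DMZ and the inside network.
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept

        # Internet -> DMZ: only what each server's role requires.
        iifname "wan0" oifname "dmz0" ip daddr $WEB  tcp dport { 80, 443 } accept
        iifname "wan0" oifname "dmz0" ip daddr $MAIL tcp dport 25 accept
        # Add POP3 (110, 995) for $MAIL only if retrieval from the Internet is allowed.

        # DMZ -> Internet: the mail server may originate SMTP (assumption);
        # the web server originates nothing. Log whatever else tries to leave.
        iifname "dmz0" oifname "wan0" ip saddr $MAIL tcp dport 25 accept
        iifname "dmz0" oifname "wan0" log prefix "dmz-egress-drop " counter drop

        # DMZ -> inside: no new connections; replies are covered by conntrack above.
        iifname "dmz0" oifname "lan0" log prefix "dmz-to-lan-drop " counter drop

        # Inside -> DMZ and Internet: new connections allowed.
        iifname "lan0" accept
    }
}
```

The logged drops on the two DMZ egress rules are worth alerting on: a DMZ server that starts new outbound connections is behaving outside its role.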