Would you setup a DMZ at home?

Yes. Any incoming traffic from the internet that isn't a response to a request from one of your computers should be suspect. There are many scenarios where your website could be compromised and that could lead to someone having access to the internal network.

Now, the unfortunate reality is that most commercial home routers don't have the capacity to set up a proper DMZ. They may allow you to set a DMZ IP that all external traffic is routed to. This doesn't allow for the separation that a DMZ should provide. To have a functional DMZ, the computers in the DMZ need to be on a different IP range or subnet than the main network and be on a different port on the router that only supports the DMZ IP range. The end result of a properly configured DMZ is that systems in the DMZ can't access the IPs on the main network directly.

Also make sure that your router doesn't treat the DMZ as internal for the purposes of administration. So it shouldn't trust traffic from the DMZ any more than it trusts traffic from the internet, and you shouldn't be able to get to the administration interface for the router from any systems on the DMZ. This is often the problem with "two router" solutions proposed by others. The outside router still treats the systems in the DMZ as internal and trusted. This outside router could be compromised and all the internal traffic still needs to pass through it to get to the internet.
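As an added example, not taken from any of the answers above: one way to express the single-router policy this answer describes as an nftables ruleset. It assumes a router with three interfaces (the names wan0, lan0 and dmz0 are assumed), the main network on 192.168.100.0/24, the DMZ on 192.168.200.0/24, and a web server at 192.168.200.10 (an assumed address) that receives only HTTP and HTTPS from the internet.

```nft
#!/usr/sbin/nft -f
# Assumed interface names and addresses; adjust to your router.
flush ruleset

define WAN     = "wan0"
define LAN     = "lan0"
define DMZ     = "dmz0"
define LAN_NET = 192.168.100.0/24
define DMZ_NET = 192.168.200.0/24
define WEB     = 192.168.200.10

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        # The router's own services (admin UI, DNS, DHCP) are reachable
        # from the main network only. The DMZ is treated like the internet:
        # nothing but ping reaches the router itself.
        iifname $LAN accept
        iifname $DMZ icmp type echo-request accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Internet -> web server, only on the published ports (after DNAT).
        iifname $WAN oifname $DMZ ip daddr $WEB tcp dport { 80, 443 } accept
        # Main network may reach the DMZ and the internet.
        iifname $LAN oifname { $DMZ, $WAN } accept
        # DMZ may reach the internet, but never initiate to the main network.
        iifname $DMZ oifname $WAN accept
        iifname $DMZ oifname $LAN drop
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Port-forward HTTP/HTTPS from the internet to the DMZ web server.
        iifname $WAN tcp dport { 80, 443 } dnat to $WEB
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname $WAN masquerade
    }
}
```

Load it with `nft -f` and verify the separation with `nft list ruleset`; a compromised web server can then answer the connections it was given but cannot open new ones toward 192.168.100.0/24 or toward the router's administration interface.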


If you're already just forwarding the particular services (HTTP & SSL) that you want to make available, the only use for a DMZ would be to limit the damage if that machine were to be compromised (say, via a poorly-written CGI). Deciding whether to do this should be based on how much damage that would cause - if there are no other machines on the network anyway, it's no big deal, but if there's an unsecured internal NAS with all your personal financial records on it, you probably want an additional internal layer of security, yes.


I still would because it's relatively easy to do so. If you have two broadband routers, you can set them up in-line with different private IP address spaces (such as 192.168.100.1-254 and 192.168.200.1-254). Hang the web server off the first one, which is connected directly to the Internet. Use port forwarding to direct to your web server. Put all of your systems that will be in your private network behind the second broadband router. That way, if the web server is compromised for some reason, they will have to get through that second broadband router to get into your other systems.