Need help with Arduino network security

Background: I am doing an IoT project with my room AC; it works fine on the LAN (local Wi-Fi). Now I want to take it to the next level, that is, control it remotely over the internet. I have gathered the following information:

Option 1: use a cloud service. It takes time to update. Requires a lot of work. Not interested.
Option 2: use the DMZ router method. This takes a little time to set up but presents a cybersecurity threat.

Question: what exactly is the security threat if I use option 2 with my ESP8266 device? What if someone finds the IP of the said device, what can they do with it?

Thanks.

What are you using to control the AC (Arduino/ESP/etc.)?

What are you expecting to control the AC with from the internet? Will you be using something like a phone app or some other method?
There are several cloud based services that are free & not difficult to get working. Cayenne & ubidots have online dashboards so you can both monitor and control from the dashboard. Another option is to use dweet.io to pass messages/commands between devices over the internet. I use it to post sensor messages from home so I can view them at work (without exposing my home network) and also to send commands to the sensors.

I have connected a Wemos D1 mini to an Arduino Mega via serial communication. I have developed an app myself in MIT App Inventor 2. The app works fine on Wi-Fi. Now the goal is to turn the AC on or off remotely.
Before I started this project, I did some research on Cayenne and the Blynk app, but decided to entertain the bug I have of doing it myself.
Anyhow, I did set up a DMZ on my router for the Wemos. Got connected to it remotely... yay!!! ...but my IP is not static, so this won't work for two reasons:
1: If I do not get a static IP, I would have to change the IP in my app every time my router reboots.
2: Static IPs cost money every month.

Solution: As you mentioned, a cloud service is the way to go; the downside is the data limits. I am looking at Arduino's cloud, Dweet.io and MQTT. Now, have you tried any other service than dweet.io?

What other things does your Mega do besides controlling the AC? You could maybe just use the D1 and ditch the Mega altogether.
I use Dweet.io, Cayenne, ThingSpeak & ubidots. I also used to use freeboard.io but despite its name it became non-free, so I ditched it.
How much data are you talking about? I have 15 channels on Cayenne, 11 on ThingSpeak & 10 on ubidots. I publish data to them all every 15 minutes but Cayenne can accept data every 30 seconds (not sure about the rest).
Cayenne was my favourite as it had everything I needed, but then it stopped working with Apple iOS 9 (both the app and Safari), so I now route everything through dweet.io and use Node-RED to collect the data at work.

No need for a static IP, as there are web services that you can get your WAN IP from (www.ipify.org to name but one); then just publish it to something like dweet.io for your code to pick up. But it is always better if you can avoid having an outside route to your internal network, for security.
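The "look up your WAN IP and publish it" pattern from the reply above, written out as an added example (this is not code from anyone in the thread). It assumes ipify's JSON endpoint and dweet.io's `dweet/for/<thing>` endpoint as I believe they work; the thing name is hypothetical, and the fetch/post functions are injectable so the logic can be exercised without a network. Two practical details the one-line description skips: validate what the lookup service returns before publishing it (a LAN or carrier-grade NAT address means a DMZ rule would not be reachable anyway), and only republish when the address actually changes.

```python
"""Added example: publish the router's WAN IP to a dweet.io thing when it changes."""
import ipaddress
import json
import urllib.request
from typing import Callable, Optional, Tuple

IPIFY_URL = "https://api.ipify.org?format=json"   # assumed: returns {"ip": "a.b.c.d"}
DWEET_URL = "https://dweet.io/dweet/for/{thing}"   # assumed: accepts a POSTed JSON body

# Ranges that can never be the router's reachable public address. 100.64.0.0/10 is
# carrier-grade NAT: the ISP is in front of your router, so a DMZ rule cannot help.
_NOT_REACHABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
)]


def parse_wan_ip(ipify_body: str) -> str:
    """Validate the lookup reply before trusting it; raises ValueError otherwise."""
    addr = ipaddress.ip_address(json.loads(ipify_body)["ip"])
    if addr.version != 4 or any(addr in net for net in _NOT_REACHABLE):
        raise ValueError(f"{addr} is not a reachable public IPv4 address")
    return str(addr)


def dweet_request(thing: str, ip: str) -> Tuple[str, bytes]:
    """URL and JSON body for publishing the address to the named thing."""
    return DWEET_URL.format(thing=thing), json.dumps({"wan_ip": ip}).encode()


def http_get(url: str) -> str:
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode()


def http_post_json(url: str, body: bytes) -> None:
    req = urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10):
        pass


class WanIpPublisher:
    """Polls the lookup service and republishes only when the address changes."""

    def __init__(self, thing: str,
                 fetch: Callable[[str], str] = http_get,
                 post: Callable[[str, bytes], None] = http_post_json):
        self.thing, self.fetch, self.post = thing, fetch, post
        self.last_ip: Optional[str] = None

    def poll(self) -> Optional[str]:
        """Returns the newly published IP, or None if it has not changed."""
        ip = parse_wan_ip(self.fetch(IPIFY_URL))
        if ip == self.last_ip:
            return None
        self.post(*dweet_request(self.thing, ip))
        self.last_ip = ip
        return ip


if __name__ == "__main__":
    import time
    publisher = WanIpPublisher("my-ac-thing-name")   # hypothetical thing name
    while True:
        try:
            changed = publisher.poll()
            if changed:
                print("published new WAN IP:", changed)
        except (OSError, ValueError, KeyError) as exc:
            print("lookup/publish failed:", exc)   # keep the old address, retry later
        time.sleep(300)
```

One caveat when using this: a free dweet.io thing is readable by anyone who knows its name, so the thing name is the only thing standing between the public and your home IP; pick a long random one rather than "my-ac".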

Things attached to the Mega: LCD shield, two DHT22 sensors, three 12V relays, an L298N motor shield for variable fan speed, one 5V input pin, and in future I might require 3 analog pins... phew!!!
I am calling the Wemos every 750 ms, so I need something that can come close to it.

Oh great... ipify.org... I did not know about this.
Now my question is: what if someone knows the IP of my Wemos, what can they do with it? Can they use my bandwidth? Can they get into my network through my Wemos? Can they install a Trojan on the Wemos? Can they get into my laptop from the Wemos connected to my Wi-Fi router?

yousuf810:
Things attached to the Mega: LCD shield, two DHT22 sensors, three 12V relays, an L298N motor shield for variable fan speed, one 5V input pin, and in future I might require 3 analog pins... phew!!!
I am calling the Wemos every 750 ms, so I need something that can come close to it.
Do you really need to publish AC data so often? The original post said to control the room AC over the WAN, so let the Arduino deal with the fine details and just publish data like AC state, temperature, humidity, etc. once per minute and check for WAN commands every second.

Oh great... ipify.org... I did not know about this.
Now my question is: what if someone knows the IP of my Wemos, what can they do with it? Can they use my bandwidth? Can they get into my network through my Wemos? Can they install a Trojan on the Wemos? Can they get into my laptop from the Wemos connected to my Wi-Fi router?
The Wemos is not so much the problem, especially if you don't have OTA updates enabled. The problem is that to get to the Wemos you need to go through the router, and that probably connects to everything else, like the PC etc.
I personally use an RPi running Mosquitto & Node-RED as a server that collects data from several sensors and publishes the data to the online dashboards using HTML & MQTT.