[TriLUG] [OT] using public IP addresses or private addresses for the DMZ
cgbullock at yahoo.com
Fri Jul 8 17:12:17 EDT 2011
My ultimate question is: is one way more secure than the other? My security
consultant was arguing that the security of one was better than the other;
however, his explanation made them both sound identical.
----- Original Message ----
From: David Black <dave at jamsoft.com>
To: Triangle Linux Users Group General Discussion <trilug at trilug.org>
Sent: Fri, July 8, 2011 4:48:21 PM
Subject: Re: [TriLUG] [OT] using public IP addresses or private addresses for
Like another person said, you can easily get more than one host behind a single
IP address (e.g. on different ports) with #2. For instance you can have one box
serve port 80 and another port 443 with just a couple firewall NAT rules.
Neither one is inherently more secure than the other though. #2 gives you more
flexibility with a few caveats.
One downside of the NAT approach is you have to watch for protocols passing IP
addresses in band that the firewall's stateful inspection/fixup doesn't or can't
know about and translate. By using #1 you avoid that. With #2 I have on
occasion had to add aliased interfaces on the internal/NATted host with the
public IP address, to trick an ill-behaving app into thinking it really was on
the public IP address (to catch self references), in addition to its usual
internal one. Messy for troubleshooting.
Nobody these days typically has public IP addresses to burn, but if you truly
do, avoiding NAT and doing straight firewalling to a DMZ can save you some
----- Original Message -----
> I spent the day meeting with a security consultant regarding our
> network. They kindly reprimanded me for the way I have my DMZ vs.
> what he called best practices. I shouldn't be questioning their
> opinions since I am going to pay them to redo my work, but I have the
> following question regarding DMZ placement. I would like to see what
> the majority of people think and why. Here are the 2 options.
> I have some public IP addresses provided by my ISPs. I have, let's say,
> 6 servers I need on my DMZ.
> Do I:
> 1. Give the servers public IP addresses and create a DMZ interface
> on my
> 2. Put the public IP addresses on my external interface, and put the
> servers in private IP space in a DMZ, off of a DMZ interface on the
> firewall.
> This message was sent to: David Black <dave at jamsoft.com>
> To unsubscribe, send a blank message to trilug-leave at trilug.org from
> that address.
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> Unsubscribe or edit options on the web :
> TriLUG FAQ :
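To make David's point concrete, here is an added nftables ruleset (not from anyone in this thread) that expresses both designs side by side. The addressing is constructed: 203.0.113.0/28 stands in for the ISP block (RFC 5737 documentation range), 10.10.0.0/24 is the private DMZ range, and eth0/eth1/eth2 are assumed to be the WAN, DMZ and LAN interfaces. In a real deployment you would keep only one of the two option blocks; they are shown together so the forward-chain policy can be compared line by line.

```nft
#!/usr/sbin/nft -f
# Added example for the TriLUG thread above; all addresses and interface
# names are constructed/assumed, not taken from the poster's network.
#   eth0 = WAN (ISP block 203.0.113.0/28), eth1 = DMZ, eth2 = internal LAN
#   Option 1: servers carry public addresses 203.0.113.10 and .11 directly
#   Option 2: servers carry 10.10.0.10 and .11; firewall owns 203.0.113.5
flush ruleset

table inet dmz_filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Option 1 (routed DMZ): plain filtering on the public addresses.
        # Exposure is exactly what these two rules permit, nothing more.
        iifname "eth0" oifname "eth1" ip daddr 203.0.113.10 tcp dport 80 accept
        iifname "eth0" oifname "eth1" ip daddr 203.0.113.11 tcp dport 443 accept

        # Option 2 (NAT): DNAT in prerouting has already rewritten the
        # destination, so the forward chain filters on the private address.
        # The permitted surface is the same two ports on the same two hosts;
        # the address family changed, the policy did not.
        oifname "eth1" ip daddr 10.10.0.10 tcp dport 80 accept
        oifname "eth1" ip daddr 10.10.0.11 tcp dport 443 accept

        # Either design: a compromised DMZ host must not reach the LAN.
        # Log the attempts; that is the signal worth alerting on.
        iifname "eth1" oifname "eth2" log prefix "dmz-to-lan-denied " drop
    }
}

# Option 2 only. One public address serves two hosts, split by port,
# which is the flexibility David describes. Caveat from his message:
# protocols that carry IP addresses in-band need a conntrack helper
# (nft "ct helper") or the embedded addresses will not be translated.
table ip dmz_nat {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        iifname "eth0" ip daddr 203.0.113.5 tcp dport 80  dnat to 10.10.0.10
        iifname "eth0" ip daddr 203.0.113.5 tcp dport 443 dnat to 10.10.0.11

        # Hairpin: a DMZ host referring to its own public address. This is
        # the self-reference case David worked around with an aliased
        # interface; translating it on the firewall keeps the host clean.
        iifname "eth1" ip daddr 203.0.113.5 tcp dport 443 dnat to 10.10.0.11
    }
    chain postrouting {
        type nat hook postrouting priority srcnat;
        oifname "eth0" ip saddr 10.10.0.0/24 snat to 203.0.113.5
        # Hairpinned flows must also be source-translated, or the server
        # answers the client directly and the reply bypasses the NAT state.
        oifname "eth1" ip saddr 10.10.0.0/24 ct status dnat masquerade
    }
}
```

Reading the forward chain is the point: the two option blocks admit the same traffic to the same services, so the decision between them rests on address availability, the in-band-address caveat, and troubleshooting cost, not on one being inherently safer. Load with `nft -f` and verify with `nft list ruleset` before trusting it.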