[TriLUG] [OT] using public IP addresses or private addresses for the DMZ

David Black dave at jamsoft.com
Fri Jul 8 16:48:21 EDT 2011


Like another person said, you can easily get more than one host behind a single IP address (e.g. on different ports) with #2.  For instance you can have one box serve port 80 and another port 443 with just a couple firewall NAT rules.  Neither one is inherently more secure than the other though.  #2 gives you more flexibility with a few caveats.

One downside of the NAT approach is you have to watch for protocols passing IP addresses in band that the firewall's stateful inspection/fixup doesn't or can't know about and translate.  By using #1 you avoid that.  With #2 I have on occasion had to add aliased interfaces on the internal/NATted host with the public IP address, to trick an ill-behaving app into thinking it really was on the public IP address (to catch self references), in addition to its usual internal one.  Messy for troubleshooting.

Nobody these days typically has public IP addresses to burn, but if you truly do, avoiding NAT and doing straight firewalling to a DMZ can save you some operational headaches.

Dave
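To make the trade-off in option #2 concrete, here is an added illustration (not code from Dave or from the TriLUG thread) of what a NAT firewall does and does not do: a toy stateful NAT that maps one public address to several DMZ hosts by destination port, and a simulated FTP "227 Entering Passive Mode" reply that carries the server's private address in band. Without a protocol fixup the private address leaks through untranslated, which is exactly the class of problem Dave describes; with a fixup registered for port 21 the payload is rewritten. All addresses, hosts and the PASV reply are constructed sample data.

```python
"""Toy model of a port-based DNAT firewall and the in-band address problem.

Constructed example: 203.0.113.10 (TEST-NET-3) is the single public address,
10.0.2.x are the DMZ hosts behind it. Not a real firewall implementation.
"""
import ipaddress
import re
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"

# One public IP, several DMZ hosts, selected by destination port (option #2).
DNAT_TABLE = {
    80: ("10.0.2.10", 80),    # web server
    443: ("10.0.2.11", 443),  # a different box serving TLS
    21: ("10.0.2.12", 21),    # FTP server: passes addresses in band
}

PRIVATE_NETS = tuple(ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

# FTP PASV reply host/port encoding: (h1,h2,h3,h4,p1,p2)
FTP_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
DOTTED_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


class NatFirewall:
    """Translates headers for tracked flows; payloads only if a fixup is registered."""

    def __init__(self, fixups=None):
        self.conntrack = {}          # (client, cport, public_port) -> (host, port)
        self.fixups = fixups or {}   # public_port -> callable(payload, internal_ip, public_ip)

    def inbound(self, pkt):
        """Client -> DMZ: DNAT by public port, record the flow. None means dropped."""
        if pkt.dst != PUBLIC_IP or pkt.dport not in DNAT_TABLE:
            return None
        host, port = DNAT_TABLE[pkt.dport]
        self.conntrack[(pkt.src, pkt.sport, pkt.dport)] = (host, port)
        return Packet(pkt.src, pkt.sport, host, port, pkt.payload)

    def outbound(self, pkt):
        """DMZ -> client: reverse the header translation for a tracked flow only."""
        for (client, cport, pub_port), (host, port) in self.conntrack.items():
            if (pkt.src, pkt.sport, pkt.dst, pkt.dport) == (host, port, client, cport):
                payload = pkt.payload
                fixup = self.fixups.get(pub_port)
                if fixup:  # stateful inspection/fixup: rewrite in-band addresses
                    payload = fixup(payload, host, PUBLIC_IP)
                return Packet(PUBLIC_IP, pub_port, client, cport, payload)
        return None


def ftp_pasv_fixup(payload, internal_ip, public_ip):
    """Rewrite the host part of a 227 PASV reply from the DMZ address to the public one."""
    def repl(m):
        if ".".join(m.group(1, 2, 3, 4)) != internal_ip:
            return m.group(0)
        return "(%s,%s,%s)" % (public_ip.replace(".", ","), m.group(5), m.group(6))
    return FTP_PASV_RE.sub(repl, payload)


def private_addresses_in(payload):
    """Detection helper: RFC 1918 addresses carried in a payload, dotted or PASV form."""
    candidates = {".".join(m.group(1, 2, 3, 4)) for m in FTP_PASV_RE.finditer(payload)}
    candidates.update(m.group(0) for m in DOTTED_RE.finditer(payload))
    leaked = []
    for ip in candidates:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if any(addr in net for net in PRIVATE_NETS):
            leaked.append(ip)
    return sorted(leaked)


def pasv_exchange(with_fixup):
    """Simulate a PASV round trip; return the reply the client sees and any leaked addresses."""
    fw = NatFirewall(fixups={21: ftp_pasv_fixup} if with_fixup else {})
    client, cport = "198.51.100.7", 40000            # constructed client (TEST-NET-2)
    fw.inbound(Packet(client, cport, PUBLIC_IP, 21, "PASV\r\n"))
    reply = Packet("10.0.2.12", 21, client, cport,
                   "227 Entering Passive Mode (10,0,2,12,200,10)\r\n")
    out = fw.outbound(reply)
    return out.payload, private_addresses_in(out.payload)


if __name__ == "__main__":
    for flag in (False, True):
        payload, leaked = pasv_exchange(flag)
        print("fixup=%s -> %r leaked=%s" % (flag, payload.strip(), leaked))
```

Running it shows the untranslated reply still naming 10.0.2.12, which a client on the Internet cannot reach, versus the fixed reply naming 203.0.113.10. Real firewalls ship such fixups only for a fixed list of protocols; an application that embeds its own address in some custom payload gets none, which is where option #1 (public addresses on the DMZ hosts) sidesteps the problem entirely.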

----- Original Message -----
> I spent the day meeting with a security consultant regarding our
> current
> network.  They kindly reprimanded me for the way I have my DMZ vs
> what he called
> best practices.  I shouldn't be questioning their opinions since I am
> probably
> going to pay them to redo my work but I have the following question
> regarding
> DMZ placement.  I would like the opinion to see what a majority of
> the people
> think and why.  Here are the 2 options.
> 
> I have some public IP addresses provided by my ISPs.  I have let's say
> 6 servers
> I need on my DMZ.
> Do I:
> 1.  Give the servers Public IP addresses and create a DMZ interface
> on my
> firewall
> or
> 2.  put the public IP addresses on my external interface, and put the
> servers in
> private IP space in a DMZ, off of a DMZ interface on the firewall.
> 
> Chris
> 
