[TriLUG] [OT] using public IP addresses or private addresses for the DMZ

Chris Bullock cgbullock at yahoo.com
Fri Jul 8 17:12:17 EDT 2011


My ultimate question is, is one way more secure than the other?  My security 
consultant was arguing that the security of one was better than the other, however 
his explanation made them both sound identical.  
----- Original Message ----
From: David Black <dave at jamsoft.com>
To: Triangle Linux Users Group General Discussion <trilug at trilug.org>
Sent: Fri, July 8, 2011 4:48:21 PM
Subject: Re: [TriLUG] [OT] using public IP addresses or private addresses for the DMZ

Like another person said, you can easily get more than one host behind a single 
IP address (e.g. on different ports) with #2.  For instance you can have one box 
serve port 80 and another port 443 with just a couple firewall NAT rules.  
Neither one is inherently more secure than the other though.  #2 gives you more 
flexibility with a few caveats.

One downside of the NAT approach is you have to watch for protocols passing IP 
addresses in band that the firewall's stateful inspection/fixup doesn't or can't 
know about and translate.  By using #1 you avoid that.  With #2 I have on 
occasion had to add aliased interfaces on the internal/NATted host with the 
public IP address, to trick an ill-behaving app into thinking it really was on 
the public IP address (to catch self references), in addition to its usual 
internal one.  Messy for troubleshooting.

Nobody these days typically has public IP addresses to burn, but if you truly 
do, avoiding NAT and doing straight firewalling to a DMZ can save you some 
operational headaches.

Dave

----- Original Message -----
> I spent the day meeting with a security consultant regarding our current
> network.  They kindly reprimanded me for the way I have my DMZ vs what he
> called best practices.  I shouldn't be questioning their opinions since I am
> probably going to pay them to redo my work, but I have the following question
> regarding DMZ placement.  I would like the opinion to see what a majority of
> the people think and why.  Here are the 2 options.
> 
> I have some public IP addresses provided by my ISPs.  I have, let's say,
> 6 servers I need on my DMZ.
> Do I:
> 1.  Give the servers public IP addresses and create a DMZ interface on my
> firewall
> or
> 2.  Put the public IP addresses on my external interface, and put the
> servers in private IP space in a DMZ, off of a DMZ interface on the firewall.
> 
> Chris
> 
-- 
This message was sent to: Chris Bullock <cgbullock at yahoo.com>
To unsubscribe, send a blank message to trilug-leave at trilug.org from that 
address.
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
Unsubscribe or edit options on the web    : 
http://www.trilug.org/mailman/options/trilug/cgbullock%40yahoo.com
TriLUG FAQ          : http://www.trilug.org/wiki/Frequently_Asked_Questions