[TriLUG] [OT] using public IP addresses or private addresses for the DMZ

David Black dave at jamsoft.com
Fri Jul 8 22:16:49 EDT 2011


A properly configured, modern stateful firewall only allows what you want and drops everything else.  NAT alone can certainly be better than nothing, but you're asking about the combination.

Dave

----- Original Message -----
> My ultimate question is, is one way more secure than the other?  My security
> consultant was arguing the security of one was better than the other, however
> his explanation made them both sound identical?
> 
> ----- Original Message ----
> From: David Black <dave at jamsoft.com>
> To: Triangle Linux Users Group General Discussion <trilug at trilug.org>
> Sent: Fri, July 8, 2011 4:48:21 PM
> Subject: Re: [TriLUG] [OT] using public IP addresses or private addresses for
> the DMZ
> 
> Like another person said, you can easily get more than one host behind a single
> IP address (e.g. on different ports) with #2.  For instance you can have one box
> serve port 80 and another port 443 with just a couple firewall NAT rules.
> Neither one is inherently more secure than the other though.  #2 gives you more
> flexibility with a few caveats.
> 
> One downside of the NAT approach is you have to watch for protocols passing IP
> addresses in band that the firewall's stateful inspection/fixup doesn't or can't
> know about and translate.  By using #1 you avoid that.  With #2 I have on
> occasion had to add aliased interfaces on the internal/NATted host with the
> public IP address, to trick an ill-behaving app into thinking it really was on
> the public IP address (to catch self references), in addition to its usual
> internal one.  Messy for troubleshooting.
> 
> Nobody these days typically has public IP addresses to burn, but if you truly
> do, avoiding NAT and doing straight firewalling to a DMZ can save you some
> operational headaches.
> 
> Dave
> 
> ----- Original Message -----
> > I spent the day meeting with a security consultant regarding our current
> > network.  They kindly reprimanded me for the way I have my DMZ vs what he
> > called best practices.  I shouldn't be questioning their opinions since I am
> > probably going to pay them to redo my work, but I have the following question
> > regarding DMZ placement.  I would like opinions, to see what the majority of
> > people think and why.  Here are the 2 options.
> > 
> > I have some public IP addresses provided by my ISPs.  I have, let's say,
> > 6 servers I need on my DMZ.
> > Do I:
> > 1.  Give the servers public IP addresses and create a DMZ interface on my
> >     firewall
> > or
> > 2.  Put the public IP addresses on my external interface, and put the
> >     servers in private IP space in a DMZ, off of a DMZ interface on the
> >     firewall.
> > 
> > Chris
> > 
> > --
> > This message was sent to: David Black <dave at jamsoft.com>
> > To unsubscribe, send a blank message to trilug-leave at trilug.org from that address.
> > TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> > Unsubscribe or edit options on the web : http://www.trilug.org/mailman/options/trilug/dave%40jamsoft.com
> > TriLUG FAQ : http://www.trilug.org/wiki/Frequently_Asked_Questions
> > 
> 
> 
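The NAT-based layout (option #2) and the in-band-address caveat discussed above, as an added example that is not part of the thread or anyone's posted configuration. It is a POSIX shell script that emits an nftables ruleset for a three-interface firewall: a default-drop stateful forward chain, two DNAT rules that split ports 80 and 443 across two DMZ hosts behind one public address, and a rule that stops the DMZ from initiating anything toward the inside network. It also includes a small function that does what a firewall's FTP fixup does to a PASV reply, to show why a NATted server that announces its own address needs the firewall to understand the protocol. Interface names (wan0, dmz0, lan0), all addresses (203.0.113.10, 10.0.1.0/24, 192.168.1.0/24) and the PASV reply line are constructed for illustration; the nft syntax (inet-family NAT, symbolic priorities) assumes a recent nftables and kernel.

```shell
#!/bin/sh
# Added example, not from the original thread. Hypothetical topology:
#   wan0  203.0.113.10/24   upstream; the only public address we own
#   dmz0  10.0.1.1/24       DMZ servers live in 10.0.1.0/24 (option #2: private space)
#   lan0  192.168.1.1/24    inside network
WAN_IF=wan0
DMZ_IF=dmz0
LAN_IF=lan0
PUBLIC_IP=203.0.113.10
WEB_HTTP=10.0.1.10     # one box serves port 80 ...
WEB_HTTPS=10.0.1.11    # ... another serves port 443, both reached via PUBLIC_IP

# Emit the ruleset on stdout. Apply it (as root) with: gen_dmz_ruleset | nft -f -
gen_dmz_ruleset() {
cat <<EOF
flush ruleset

table inet dmz {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Two hosts behind a single public address, split by destination port
        iifname "$WAN_IF" ip daddr $PUBLIC_IP tcp dport 80  dnat ip to $WEB_HTTP:80
        iifname "$WAN_IF" ip daddr $PUBLIC_IP tcp dport 443 dnat ip to $WEB_HTTPS:443
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Anything leaving upstream (DMZ or LAN originated) uses the public address
        oifname "$WAN_IF" masquerade
    }
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # Manage the firewall itself only from the inside network
        iifname "$LAN_IF" tcp dport 22 ct state new accept
        icmp type echo-request limit rate 5/second accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        # Stateful: replies to connections already accepted, nothing else by default
        ct state established,related accept
        ct state invalid drop
        # New inbound connections only to the two published services.
        # The forward hook runs after DNAT, so match the private addresses here.
        iifname "$WAN_IF" oifname "$DMZ_IF" ip daddr $WEB_HTTP  tcp dport 80  ct state new accept
        iifname "$WAN_IF" oifname "$DMZ_IF" ip daddr $WEB_HTTPS tcp dport 443 ct state new accept
        # A compromised DMZ host must not be able to open connections inward
        iifname "$DMZ_IF" oifname "$LAN_IF" drop
        # Inside may reach the DMZ; DMZ and inside may reach the Internet
        iifname "$LAN_IF" oifname "$DMZ_IF" ct state new accept
        iifname "$DMZ_IF" oifname "$WAN_IF" ct state new accept
        iifname "$LAN_IF" oifname "$WAN_IF" ct state new accept
    }
}
EOF
}

# In-band address problem: an FTP server on 10.0.1.10 answers PASV with its own
# private address. An Internet client cannot use that, so a firewall that knows FTP
# rewrites the four host octets to the public address and leaves the two port octets
# alone. A protocol the firewall does not understand gets no such rewrite.
pasv_fixup() {
    # $1 = PASV reply line as sent by the server, $2 = public address to substitute
    pub=$(printf '%s' "$2" | tr . ,)
    printf '%s\n' "$1" | sed -E "s/\(([0-9]+,){4}/(${pub},/"
}

# The data port a client derives from a PASV reply: p1*256 + p2 from the last two octets
pasv_port() {
    set -- $(printf '%s\n' "$1" | sed -E 's/.*\(([0-9,]+)\).*/\1/' | tr , ' ')
    echo $(( $5 * 256 + $6 ))
}

# Stand-alone use: ./dmz.sh --print to review, ./dmz.sh --apply (as root) to load
if [ "${1:-}" = "--apply" ]; then
    gen_dmz_ruleset | nft -f -
elif [ "${1:-}" = "--print" ]; then
    gen_dmz_ruleset
fi
```

Two things worth checking against this layout: the forward chain matches the translated (private) destination, because DNAT in prerouting runs before the forward hook, so a rule written against the public address there would silently never match; and the PASV example is the generic shape of the caveat Dave raises, since without the rewrite an Internet client would try to open 10.0.1.10:50000 and fail. The aliased-interface workaround he mentions amounts to also giving the DMZ host the public address on a local interface so that its self-references resolve to itself; the ruleset above does nothing to help with that.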