[TriLUG] [OT] using public IP addresses or private addresses for the DMZ
David Black
dave at jamsoft.com
Fri Jul 8 22:16:49 EDT 2011
A properly configured, modern stateful firewall only allows what you want and drops everything else. NAT alone can certainly be better than nothing, but you're asking about the combination.
Dave
----- Original Message -----
> My ultimate question is, is one way more secure than another? My security
> consultant was arguing the security of one was better than the other,
> however his explanation made them both sound identical?
>
> ----- Original Message ----
> From: David Black <dave at jamsoft.com>
> To: Triangle Linux Users Group General Discussion <trilug at trilug.org>
> Sent: Fri, July 8, 2011 4:48:21 PM
> Subject: Re: [TriLUG] [OT] using public IP addresses or private addresses for
> the DMZ
>
> Like another person said, you can easily get more than one host behind a single
> IP address (e.g. on different ports) with #2. For instance you can have one box
> serve port 80 and another port 443 with just a couple firewall NAT rules.
> Neither one is inherently more secure than the other though. #2 gives you more
> flexibility with a few caveats.
>
> One downside of the NAT approach is you have to watch for protocols passing IP
> addresses in band that the firewall's stateful inspection/fixup doesn't or can't
> know about and translate. By using #1 you avoid that. With #2 I have on
> occasion had to add aliased interfaces on the internal/NATted host with the
> public IP address, to trick an ill-behaving app into thinking it really was on
> the public IP address (to catch self references), in addition to its usual
> internal one. Messy for troubleshooting.
>
> Nobody these days typically has public IP addresses to burn, but if you truly
> do, avoiding NAT and doing straight firewalling to a DMZ can save you some
> operational headaches.
>
> Dave
>
> ----- Original Message -----
> > I spent the day meeting with a security consultant regarding our current
> > network. They kindly reprimanded me for the way I have my DMZ vs what he called
> > best practices. I shouldn't be questioning their opinions since I am probably
> > going to pay them to redo my work but I have the following question regarding
> > DMZ placement. I would like the opinion to see what a majority of the people
> > think and why. Here are the 2 options.
> >
> > I have some public IP addresses provided by my ISPs. I have, let's say,
> > 6 servers I need on my DMZ.
> > Do I:
> > 1. Give the servers Public IP addresses and create a DMZ interface on my
> > firewall
> > or
> > 2. put the public IP addresses on my external interface, and put the
> > servers in private IP space in a DMZ, off of a DMZ interface on the firewall.
> >
> > Chris
> >
> > --
> > This message was sent to: David Black <dave at jamsoft.com>
> > To unsubscribe, send a blank message to trilug-leave at trilug.org from
> > that address.
> > TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> > Unsubscribe or edit options on the web :
> > http://www.trilug.org/mailman/options/trilug/dave%40jamsoft.com
> > TriLUG FAQ :
> > http://www.trilug.org/wiki/Frequently_Asked_Questions
> >
>
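The two setups debated in this thread, written out as a ruleset so the difference is concrete. This is an added example, not something posted by Dave, Chris or anyone on the list. It assumes an nftables firewall with WAN interface wan0, DMZ interface dmz0, LAN interface lan0, one ISP-assigned public address 203.0.113.10 (a documentation range, constructed for the example) and two DMZ hosts 10.0.1.10 and 10.0.1.11. It shows Dave's point that option #2 needs only a couple of NAT rules to put port 80 on one box and port 443 on another, and the point in the top reply that the real security comes from a stateful forward chain that allows only what you want and drops everything else.

```nftables
# Added example (not from the thread). Assumptions: WAN interface "wan0",
# DMZ interface "dmz0", LAN interface "lan0", ISP-assigned public address
# 203.0.113.10 (documentation range), DMZ hosts 10.0.1.10 (port 80) and
# 10.0.1.11 (port 443). Load with: nft -f dmz.nft

flush ruleset

# --- Option #2 from the thread: the public address lives on the firewall's
# external interface, the servers sit in private space behind DNAT. ---
table ip dmz_nat {
    chain prerouting {
        # Destination NAT runs before routing and before the forward filter,
        # so the filter chain below sees the already-translated private address.
        type nat hook prerouting priority -100; policy accept;

        # "A couple firewall NAT rules": one public IP, two different hosts,
        # selected by destination port.
        iifname "wan0" ip daddr 203.0.113.10 tcp dport 80  dnat to 10.0.1.10
        iifname "wan0" ip daddr 203.0.113.10 tcp dport 443 dnat to 10.0.1.11
    }

    chain postrouting {
        # Source NAT for DMZ hosts that initiate outbound traffic (updates, DNS).
        type nat hook postrouting priority 100; policy accept;
        oifname "wan0" ip saddr 10.0.1.0/24 snat to 203.0.113.10
    }
}

# --- Stateful filtering, the same for both options: allow only what you
# want and drop everything else (policy drop on the forward hook). ---
table inet dmz_filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies and related packets for connections already allowed.
        ct state established,related accept
        ct state invalid drop

        # New inbound connections from the Internet to the two DMZ services.
        # Under option #2 these match the post-DNAT private addresses.
        # Under option #1 (servers carry public IPs, no NAT) delete the
        # dmz_nat table above and list the servers' public addresses here.
        iifname "wan0" oifname "dmz0" ip daddr 10.0.1.10 tcp dport 80  ct state new accept
        iifname "wan0" oifname "dmz0" ip daddr 10.0.1.11 tcp dport 443 ct state new accept

        # DMZ hosts may reach the Internet, but never the internal LAN, so a
        # compromised DMZ box cannot be used as a stepping stone inward.
        # The explicit log+drop exists for visibility; the chain policy would
        # drop it anyway.
        iifname "dmz0" oifname "wan0" ct state new accept
        iifname "dmz0" oifname "lan0" log prefix "dmz-to-lan " drop

        # Anything not matched above falls through to the policy and is dropped.
    }
}
```

Read side by side, the filter chain is what actually decides what gets in; the nat table only changes which address the rules key on. That is why neither option is inherently more secure. The ruleset also shows where Dave's caveat bites: it attaches no conntrack helper, so a protocol that carries IP addresses in band would still break under option #2 unless the firewall has a helper for it, whereas under option #1 the dmz_nat table simply does not exist and there is nothing to translate.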