[TriLUG] [OT] using public IP addresses or private addresses for the DMZ

Aaron Joyner aaron at joyner.ws
Sun Jul 10 21:09:21 EDT 2011


In my humble and probably flawed opinion, it mostly comes down to what
packets reach the machine you're trying to protect.

Let me first state my assumptions:
1) Your "firewall" rules are relatively simplistic, allow traffic on
the ports you're running services on, via the protocols you're running
services on
2) You follow a rule of "least privilege", implying you drop
everything that's not explicitly allowed in (1).

The most likely thing that comes to mind is that in the case where
the DMZ machines have public IP addresses, with some packet-filtering
rule languages, it's possible that you'll make an error that will
allow an attacker to slip GRE or ICMP or some less common protocol
through to those machines, exploit some aspect of their IP stack
allowing said attacker to do harm to them.

In the rare case where your machine might be compromised, there's a
trivial advantage in that someone on that machine who inspects the
routing table or interfaces won't immediately know that it has an
internet-accessible address, but it's very unlikely that will help
you, as discovering its external IP is exceedingly trivial for a
knowledgeable attacker.

There are some management advantages (not specifically security
advantages) to decoupling the external IP from the internal machine.
Specifically, if you're running a stateless service (or stateless
frontend), you can more easily fail over from one backend machine to
another by simply bringing the new machine online, testing it from
another machine inside the DMZ, then flipping a DNAT target (or
equivalent) in the firewall's config.  If you go down the road of real
load balancing, it becomes more important to focus on the feature set
of your firewall / loadbalancer.  If you're using one device to do
both, it makes sense for the DMZ machines to have private IPs.  If
they're separate (probably a better choice, the UNIX way is "do one
thing, and do it well", after all), you can go either way, but most
people tend to terminate the public IPs on the load balancer, so I'd
say the norm is to have the public IPs in the DMZ (of sorts).

That's all my ruminations on the topic, for the evening.  Please
consider the caveat that they may be aware of some aspect I'm not.
Ultimately, absorb what you've read on this thread, and go challenge
their assertion.  Any tech geek worth their salt should be willing to
explain the technical merits of their chosen solution to someone
interested and willing to listen with an ear to understanding.  If they
can't explain it to you to your satisfaction, perhaps you should
reconsider their ability to document it to the point you can maintain
it, even if they can implement it.

Aaron S. Joyner
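The two assumptions above (allow only the protocols and ports you actually serve, drop everything else) and the failure mode of a rule that matches only on destination address can be made concrete with a small packet-filter model. This is an added example, not code from the list post or from any firewall product: it models first-match rule evaluation with a default drop, compares a loose rule set against a least-privilege one on a few constructed packets, and shows a DNAT table whose single entry is rewritten to fail the public IP over to another DMZ backend. The addresses (203.0.113.10, 10.0.1.10, 10.0.1.11) are documentation-range values chosen for the example, and all class and function names are assumptions.

```python
"""Toy model of the DMZ firewall policies discussed in the thread.

Added example: it does not program a real firewall. It evaluates
constructed packets against two rule sets and a DNAT table to show
(a) why matching on protocol and port with a default drop matters, and
(b) how flipping a DNAT target moves a public IP to a new backend.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp", "icmp", "gre", ...
    dst: str                     # destination IP as seen on the outside interface
    dport: Optional[int] = None  # only meaningful for tcp/udp

    def label(self) -> str:
        return f"{self.proto}/{self.dport}" if self.dport is not None else self.proto


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    dst: Optional[str] = None    # None matches any destination address
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return ((self.dst is None or self.dst == pkt.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def filter_packet(rules: List[Rule], pkt: Packet, default: str = "drop") -> str:
    """First-match semantics like most packet filters; the default verdict
    of "drop" is the least-privilege assumption from the post."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed addresses (RFC 5737 / RFC 1918 ranges, not real hosts).
PUBLIC_WEB = "203.0.113.10"   # public IP terminated on the firewall's outside interface
DMZ_WEB_A = "10.0.1.10"       # current DMZ backend (private address)
DMZ_WEB_B = "10.0.1.11"       # standby DMZ backend (private address)

# Loose rule set: matches on destination only, so ANY protocol (GRE, ICMP,
# tcp/22) reaches the DMZ host. This is the error the post warns about.
LOOSE_RULES = [Rule("accept", dst=PUBLIC_WEB)]

# Least-privilege rule set: explicit protocol and port for each service run.
STRICT_RULES = [
    Rule("accept", dst=PUBLIC_WEB, proto="tcp", dport=80),
    Rule("accept", dst=PUBLIC_WEB, proto="tcp", dport=443),
]

# Constructed sample traffic arriving at the outside interface.
SAMPLE_PACKETS = [
    Packet("tcp", PUBLIC_WEB, 80),
    Packet("tcp", PUBLIC_WEB, 443),
    Packet("tcp", PUBLIC_WEB, 22),
    Packet("icmp", PUBLIC_WEB),
    Packet("gre", PUBLIC_WEB),
]


def verdicts(rules: List[Rule], pkts: List[Packet] = SAMPLE_PACKETS) -> Dict[str, str]:
    """Map each packet label to the verdict the rule set gives it."""
    return {p.label(): filter_packet(rules, p) for p in pkts}


class DnatTable:
    """Public IP -> private DMZ backend. Failover is one set_target() call."""

    def __init__(self) -> None:
        self.targets: Dict[str, str] = {}

    def set_target(self, public_ip: str, private_ip: str) -> None:
        self.targets[public_ip] = private_ip

    def translate(self, pkt: Packet) -> Packet:
        inner = self.targets.get(pkt.dst, pkt.dst)
        return Packet(pkt.proto, inner, pkt.dport)


def deliver(rules: List[Rule], nat: DnatTable, pkt: Packet) -> Tuple[str, Optional[str]]:
    """Filter against the public address first, then translate. Returns the
    verdict and the private address the packet would be forwarded to."""
    verdict = filter_packet(rules, pkt)
    if verdict != "accept":
        return verdict, None
    return verdict, nat.translate(pkt).dst


if __name__ == "__main__":
    for name, rules in (("loose", LOOSE_RULES), ("strict", STRICT_RULES)):
        print(name, verdicts(rules))
    nat = DnatTable()
    nat.set_target(PUBLIC_WEB, DMZ_WEB_A)
    print("before failover:", deliver(STRICT_RULES, nat, Packet("tcp", PUBLIC_WEB, 443)))
    nat.set_target(PUBLIC_WEB, DMZ_WEB_B)   # flip the DNAT target to the standby box
    print("after failover: ", deliver(STRICT_RULES, nat, Packet("tcp", PUBLIC_WEB, 443)))
```

The loose rule set accepts the GRE and ICMP packets and tcp/22, the strict one drops them and accepts only tcp/80 and tcp/443; re-pointing the one DNAT entry moves the accepted traffic from 10.0.1.10 to 10.0.1.11 without touching the filter rules.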


On Fri, Jul 8, 2011 at 5:12 PM, Chris Bullock <cgbullock at yahoo.com> wrote:
> My ultimate question is, is one way more secure than the another?  My security
> consultant was arguing the security of one was better than the other, however
> his explanation made them both sound identical?
>
> ----- Original Message ----
> From: David Black <dave at jamsoft.com>
> To: Triangle Linux Users Group General Discussion <trilug at trilug.org>
> Sent: Fri, July 8, 2011 4:48:21 PM
> Subject: Re: [TriLUG] [OT] using public IP addresses or private addresses for
> the DMZ
>
> Like another person said, you can easily get more than one host behind a single
> IP address (e.g. on different ports) with #2.  For instance you can have one box
> serve port 80 and another port 443 with just a couple firewall NAT rules.
> Neither one is inherently more secure than the other though.  #2 gives you more
> flexibility with a few caveats.
>
> One downside of the NAT approach is you have to watch for protocols passing IP
> addresses in band that the firewall's stateful inspection/fixup doesn't or can't
> know about and translate.  By using #1 you avoid that.  With #2 I have on
> occasion had to add aliased interfaces on the internal/NATted host with the
> public IP address, to trick an ill-behaving app into thinking it really was on
> the public IP address (to catch self references), in addition to its usual
> internal one.  Messy for troubleshooting.
>
> Nobody these days typically has public IP addresses to burn, but if you truly
> do, avoiding NAT and doing straight firewalling to a DMZ can save you some
> operational headaches.
>
> Dave
>
> ----- Original Message -----
>> I spent the day meeting with a security consultant regarding our
>> current
>> network.  They kindly reprimanded me for the way I have my DMZ vs
>> what he called
>> best practices.  I shouldn't be questioning their opinions since I am
>> probably
>> going to pay them to redo my work but I have the following question
>> regarding
>> DMZ placement.  I would like the opinion to see what a majority of
>> the people
>> think and why.  Here are the 2 options.
>>
>> I have some public IP addresses provided by my ISPs.  I have lets say
>> 6 servers
>> I need on my DMZ.
>> Do I:
>> 1.  Give the servers Public IP addresses and create a DMZ interface
>> on my
>> firewall
>> or
>> 2.  put the public IP addresses on my external interface, and put the
>> servers in
>> private IP space in a DMZ, off of a DMZ interface on the firewall.
>>
>> Chris
>>
>> --
>> This message was sent to: David Black <dave at jamsoft.com>
>> To unsubscribe, send a blank message to trilug-leave at trilug.org from
>> that address.
>> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
>> Unsubscribe or edit options on the web    :
>> http://www.trilug.org/mailman/options/trilug/dave%40jamsoft.com
>> TriLUG FAQ          :
>> http://www.trilug.org/wiki/Frequently_Asked_Questions
>>