[TriLUG] [OT] using public IP addresses or private addresses for the DMZ

Heath Roberts htroberts at gmail.com
Mon Jul 11 11:36:25 EDT 2011


On Fri, Jul 8, 2011 at 4:01 PM, Chris Bullock <cgbullock at yahoo.com> wrote:

> I spent the day meeting with a security consultant regarding our current
> network.  They kindly reprimanded me for the way I have my DMZ vs what he
> called best practices.  I shouldn't be questioning their opinions since I am
> probably going to pay them to redo my work but I have the following question
> regarding DMZ placement.  I would like the opinion to see what a majority of
> the people think and why.  Here are the 2 options.
>
> I have some public IP addresses provided by my ISPs.  I have let's say 6
> servers I need on my DMZ.
> Do I:
> 1.  Give the servers Public IP addresses and create a DMZ interface on my
> firewall
> or
> 2.  put the public IP addresses on my external interface, and put the
> servers in private IP space in a DMZ, off of a DMZ interface on the firewall.
>
>

From a security perspective, you're really asking if using NAT is more
secure than not. That's such a silly question that I would be reluctant to
pay this consultant, if this is a major piece of his strategy. There are
reasons to use NAT, but security isn't really one of them. Some argue that
NAT obfuscates the structure of the network behind the NAT, but to me
"security through obscurity" is a pretty slim reason for using it.

If the address space isn't constrained, just use public addresses (still
behind the firewall) for your servers. At this point, if you have
public-facing servers, you should at least have a plan that includes IPv6 as
well, which will factor into the NAT/no NAT decision.

-- 
Heath Roberts
htroberts at gmail.com
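
Added example, not part of the original message: an nftables sketch of the two options from the question, showing that the forward-chain policy doing the actual filtering is the same in both and only the address it matches changes. Interface names, addresses (documentation and private ranges) and the published ports are assumptions.

```nft
# Constructed example: interface names, addresses and ports are assumptions.
define wan = "eth0"
define dmz = "eth1"
define lan = "eth2"

# Option 1: the DMZ server holds a public address routed via the firewall.
define web_srv = 203.0.113.2
# Option 2: the DMZ server holds a private address; use this line instead.
# define web_srv = 192.168.50.2

table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the published services on the server.
        # Under option 2 this rule sees the post-DNAT (private) address.
        iifname $wan oifname $dmz ip daddr $web_srv tcp dport { 80, 443 } accept

        # LAN -> DMZ administration and LAN -> Internet.
        iifname $lan oifname $dmz tcp dport 22 accept
        iifname $lan oifname $wan accept

        # DMZ -> LAN has no accept rule, so new connections hit policy drop.
    }
}

# Option 2 only: uncomment to translate the public address held on the
# external interface to the private DMZ address. This table rewrites
# addresses; it does not decide what is allowed through.
# table ip nat {
#     chain prerouting {
#         type nat hook prerouting priority dstnat; policy accept;
#         iifname $wan ip daddr 203.0.113.2 tcp dport { 80, 443 } dnat to 192.168.50.2
#     }
#     chain postrouting {
#         type nat hook postrouting priority srcnat; policy accept;
#         oifname $wan ip saddr 192.168.50.0/24 snat to 203.0.113.2
#     }
# }
```

A candidate ruleset like this can be syntax-checked without loading it using `nft -c -f <file>`.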


