DMZ vs Port Forwarding?
Posted on 2004-08-31
We are preparing to install a web server (for public web pages accessible from the Internet and our Intranet) at our organization. I am curious as to where on our network this should be placed. At our main location we have a T1 which runs from the Telecomm router into our Firewall/VPN appliance. This appliance does not have a DMZ port, only public/private interfaces. My initial thought was to deploy this public web server behind our firewall and forward port 80 from our FW to the server. The second was to lock the server down with concrete and place it on the outside of the FW with a public IP (I don't like this), or finally building a Linux box with two NICs, one on the public side of the network and the other in a newly created DMZ zone. The first part of my question is which of these solutions is the best, if any? Please describe your setups...
The second part of my question is what is the advantage of using a DMZ over a simple port forward? If you are port forwarding to only ONE internal IP address, what is the danger of the traffic traversing your internal network? Does the concern come from the possibility of that one machine becoming compromised and then becoming a tool for future attacks internally?
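An added example, not from the original post or any reply: an iptables ruleset for the Linux DMZ box option, shown beside the plain port-forward option, so the difference the second question asks about is visible in the rules themselves. The box is assumed to have three NICs (public, DMZ, internal) rather than the two in the post, and all interface names and addresses are assumptions.

```shell
#!/bin/sh
# Constructed example, not from the original post: a three-legged Linux firewall
# (public, DMZ, internal NICs) contrasted with a plain port forward into the LAN.
# Interface names and addresses are assumptions.
WAN=eth0             # public side, toward the T1 router
DMZ=eth1             # new DMZ segment holding only the web server
LAN=eth2             # existing internal network
WEB_DMZ=192.0.2.10   # web server address in the DMZ (assumed)
WEB_LAN=10.0.0.80    # web server address if left on the LAN (assumed)
LAN_NET=10.0.0.0/24  # internal network (assumed)

# Dry run by default: rules are printed, not applied. Set IPT=iptables to apply.
IPT=${IPT:-"echo iptables"}

# Option 1 from the post: forward port 80 straight to a server on the LAN.
portforward_rules() {
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination "$WEB_LAN:80"
    $IPT -A FORWARD -i "$WAN" -d "$WEB_LAN" -p tcp --dport 80 -j ACCEPT
    # Nothing here separates the web server from the rest of $LAN_NET: once it is
    # compromised, every internal host is one hop away on the same segment.
}

# Option 3 from the post: the web server lives on its own DMZ segment.
dmz_rules() {
    $IPT -P FORWARD DROP                                  # deny unless listed below
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination "$WEB_DMZ:80"
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Internet -> DMZ: only the published service
    $IPT -A FORWARD -i "$WAN" -o "$DMZ" -d "$WEB_DMZ" -p tcp --dport 80 -j ACCEPT
    # LAN -> DMZ: admins may manage the server (SSH assumed) and browse the site
    $IPT -A FORWARD -i "$LAN" -o "$DMZ" -d "$WEB_DMZ" -p tcp -m multiport --dports 22,80 -j ACCEPT
    # DMZ -> LAN: denied. This is the gain over a plain port forward: a
    # compromised web server cannot open connections into the internal network.
    $IPT -A FORWARD -i "$DMZ" -o "$LAN" -d "$LAN_NET" -j DROP
    # DMZ -> Internet: log and drop unsolicited outbound connections so a
    # compromised host cannot quietly reach out (add explicit DNS/update rules if needed)
    $IPT -A FORWARD -i "$DMZ" -o "$WAN" -j LOG --log-prefix "DMZ-EGRESS: "
    $IPT -A FORWARD -i "$DMZ" -o "$WAN" -j DROP
}
```

Run it as-is to review the generated rules; the ESTABLISHED,RELATED rule sits first so replies to the published web traffic and to LAN-initiated admin sessions still flow while new DMZ-originated connections are stopped.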