Solved

DMZ vs. NAT - which is more secure

Posted on 2006-03-22
3,426 Views
Last Modified: 2012-06-19
Technically which is more secure or what other benefits/factors are there?

I'm planning an implementation that recommends you put the front end web server in the DMZ.  Only port 443 (SSL) will be open from the outside world.  On the internal firewall a few more ports will be open that will allow communication from the DMZ to the internal network.

My basic question is how is this different than just natting an IP address on my internal firewall to the web server?  I would only open port 443 to that IP and nothing else.  Then the webserver is on the LAN and able to communicate freely with the internal network.  This is obviously an easier setup since I don't have to configure a DMZ but I'm worried about the security differences.

Thanks
Question by:mgcIT
9 Comments
 
LVL 32

Accepted Solution

by:
rsivanandan earned 800 total points
ID: 16261988
The security considerations would be different for each scenario. Let's see, you have a computer in your local LAN whose IP address is 10.1.1.1 and it also goes out to the internet. Specifically nobody from the internet would make a connection to your computer, kinda nobody cares.

But when you put out a webserver then, everybody knows about it (You want everybody to know about it, don't you?). Then a permanent IP address will be there. Whether you NAT or put it in the DMZ, somebody could compromise that machine.

So if the server is in the DMZ and had only a *few ports open to a few machines* => (Not Every Machine) in the internal network

vs

Server is in the internal network and all the goddamn ports are open for all the machines inside (exchange, ad, fileserver....everything)


Now you can find out the answer from comparing the above 2 scenarios.

Cheers,
Rajesh
0
 
LVL 9

Expert Comment

by:jabiii
ID: 16262405
DMZ with NAT :)

DMZ has more security over NAT, well depending on your network layout and configuration.

NAT is just an inconvenience, DMZ is something you have to overcome the security of. And using NAT you can still find the original IP.
0
 
LVL 18

Author Comment

by:mgcIT
ID: 16264211
>> well depending on your network layout and configuration.

what do you mean by that?

If it makes a difference this setup would be for Citrix Secure Gateway.  Here is the layout of how it would be set up:  http://www.nosille.com/Files/SG.jpg
0
 
LVL 5

Assisted Solution

by:einsteinjr79
einsteinjr79 earned 600 total points
ID: 16266057
It is not a matter of which is more secure. As I see from the diagram you will be using both.

1) Natting in the sense you will be mapping the internal address of the server to an external address so to the outside client only the external address will be visible.

2) As far as DMZ goes it depends on your firewall configuration, how well you secure it and also your firewall. Talking about Cisco, basically by default there are three levels in the Cisco with LAN the highest priority, followed by DMZ and then the external network.
  So even if you put the Web server in the DMZ in default Cisco configuration you have everything enabled from LAN to DMZ and nothing from DMZ to LAN as the priority states.
  Configure the DMZ to allow only those ports from the LAN and external environment to the DMZ and vice versa and you should make the front end server fairly secure.

P.S. We have this same scenario over here.
0
 
LVL 5

Expert Comment

by:einsteinjr79
ID: 16266067
Not for Citrix but for our web server. Anyway, good thinking.

regards,

einy
0
 
LVL 18

Author Comment

by:mgcIT
ID: 16281916
>> 1) Natting in the sense you will be mapping the internal address of the server to an external address

What do you mean by this?  Make the server in the DMZ have a private IP Address?  The firewall I will be using has a DMZ port so I wouldn't actually be using 2 separate firewalls.  Would I be able to nat on the DMZ?  Also if that is the case do I just use a different subnet than my LAN and will they be able to communicate with each other?

thanks again
0
 
LVL 18

Author Comment

by:mgcIT
ID: 16281945
looking back at the comments I see that jabiii maybe had the same idea - "DMZ with NAT"...

if so jabiii please reply and give your input on that.  thanks
0
 
LVL 9

Assisted Solution

by:jabiii
jabiii earned 600 total points
ID: 16282076
What you're saying is you have 3 interfaces on your fw, right?
Internal, external and DMZ?
In that case yes, you would put your server in the DMZ, and create a rule inbound from the outside. And you wouldn't be using NAT so much as PAT or MAP, which means, let's say your server is 10.1.1.1, your FW would give it the address 130.1.1.1 and people connecting would connect to the 130.1.1.1 and the fw would forward it to the 10.1.1.1.

But by placing it in the DMZ you are giving yourself the best security, whether you use nat/map/pat or not.

If your rules are locked down, and the server is in the DMZ, NAT is just an additional layer; all it is doing is masking the real IP address.

Doing both however you are protecting yourself as best as you can.

Jim
0
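The comparison rsivanandan draws between the two layouts, and the public-to-private mapping jabiii describes, can be made concrete with a small policy model. This is an added example, not code from the thread or from any firewall vendor; every address, host name, zone name and port in it is a constructed sample value, and the "allow between zones only by rule, allow freely within a zone" behaviour is the assumption it models.

```python
# Added example (not from the thread): a toy zone/policy model of the two layouts
# compared above (web server in a DMZ vs. NATed onto the LAN) plus a static 1:1
# public-to-private address map. All addresses, hosts and ports are constructed.
from dataclasses import dataclass, field

# Constructed internal hosts that a compromised web server might try to reach.
INTERNAL = {"ad": "10.1.1.10", "exchange": "10.1.1.20", "fileserver": "10.1.1.30"}
SAMPLE_PORTS = (25, 88, 389, 445)

@dataclass
class Firewall:
    zone_of: dict                     # ip -> "lan" | "dmz"; unknown ips count as "internet"
    rules: list                       # (src_zone, dst_zone, dst_ip | "*", port | "*")
    nat: dict = field(default_factory=dict)  # public ip -> private ip (static 1:1 map)

    def zone(self, ip):
        return self.zone_of.get(ip, "internet")

    def allows(self, src_ip, dst_ip, port):
        dst_ip = self.nat.get(dst_ip, dst_ip)        # untranslate a public address first
        src_z, dst_z = self.zone(src_ip), self.zone(dst_ip)
        if src_z == dst_z:                           # same segment: the firewall never sees it
            return True
        return any(sz == src_z and dz == dst_z and (ip == "*" or ip == dst_ip)
                   and (p == "*" or p == port) for sz, dz, ip, p in self.rules)

def exposure(fw, src_ip):
    """(host, port) pairs reachable from src_ip: the blast radius if that host is compromised."""
    return {(name, p) for name, ip in INTERNAL.items()
            for p in SAMPLE_PORTS if fw.allows(src_ip, ip, p)}

# Layout 1: web server on its own DMZ segment; only two AD ports opened towards the LAN.
DMZ_LAYOUT = Firewall(
    zone_of={"10.1.2.5": "dmz", **{ip: "lan" for ip in INTERNAL.values()}},
    rules=[("internet", "dmz", "10.1.2.5", 443),
           ("dmz", "lan", "10.1.1.10", 88), ("dmz", "lan", "10.1.1.10", 389)],
    nat={"130.1.1.1": "10.1.2.5"})

# Layout 2: web server sits on the LAN; the firewall only NATs port 443 to it.
NAT_ONLY_LAYOUT = Firewall(
    zone_of={"10.1.1.5": "lan", **{ip: "lan" for ip in INTERNAL.values()}},
    rules=[("internet", "lan", "10.1.1.5", 443)],
    nat={"130.1.1.1": "10.1.1.5"})

if __name__ == "__main__":
    for name, fw, web in (("dmz", DMZ_LAYOUT, "10.1.2.5"), ("nat-only", NAT_ONLY_LAYOUT, "10.1.1.5")):
        print(name, "client->443:", fw.allows("203.0.113.9", "130.1.1.1", 443),
              "client->80:", fw.allows("203.0.113.9", "130.1.1.1", 80),
              "internal (host, port) pairs reachable from web server:", len(exposure(fw, web)))
```

From the outside both layouts look identical (443 open, 80 closed); the difference only shows in `exposure`, which is two pairs for the DMZ layout and every host on every port for the NAT-only one.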
 
LVL 18

Author Comment

by:mgcIT
ID: 16337802
Thanks for the input.
0
