DMZ vs. NAT - which is more secure

Technically which is more secure or what other benefits/factors are there?

I'm planning an implementation that recommends you put the front end web server in the DMZ.  Only port 443 (SSL) will be open from the outside world.  On the internal firewall a few more ports will be open that will allow communication from the DMZ to the internal network.

My basic question is how is this different than just NATting an IP address on my internal firewall to the web server?  I would only open port 443 to that IP and nothing else.  Then the webserver is on the LAN and able to communicate freely with the internal network.  This is obviously an easier setup since I don't have to configure a DMZ but I'm worried about the security differences.


The security considerations would be different for each scenario. Let's see, you have a computer in your local LAN whose IP address is and it also goes out to the internet. Specifically nobody from the internet would make a connection to your computer, kinda nobody cares.

But when you put out a webserver then everybody knows about it (you want everybody to know about it, don't you?). Then a permanent IP address will be there. Whether you NAT or put it in the DMZ, somebody could compromise that machine.

So if the server is in the DMZ and had only a *few ports open to a few machines* => (not every machine) in the internal network


Server is in the internal network and all the goddamn ports are open for all the machines inside (exchange, ad, fileserver....everything)

Now you can find out the answer from comparing the above 2 scenarios.


DMZ with NAT :)

DMZ has more security over NAT, well, depending on your network layout and configuration.

NAT is just an inconvenience; DMZ is something you have to overcome the security of. And using NAT you can still find the original IP.
mgcITAuthor Commented:
>> well, depending on your network layout and configuration.

what do you mean by that?

If it makes a difference this setup would be for Citrix Secure Gateway.  Here is the layout of how it would be set up:

It is not a matter of which is more secure. As I see from the diagram you will be using both.

1) NATting in the sense that you will be mapping the internal address of the server to an external address, so to the outside client only the external address will be visible.

2) As far as DMZ goes, it depends on your firewall configuration, how well you secure it and also your firewall. Talking about Cisco, basically by default there are three levels in the Cisco, with LAN the highest priority, followed by DMZ and then the external network.
  So even if you put the web server in the DMZ, in the default Cisco configuration you have everything enabled from LAN to DMZ and nothing from DMZ to LAN, as the priority states.
  Configure the DMZ to allow only those ports from the LAN and external environment to the DMZ and vice versa and you should make the front end server fairly secure.

P.S. We have this same scenario over here.
Not for Citrix but for our web server. Anyway, good thinking.


mgcITAuthor Commented:
>> 1) Natting in the sense you will be mapping the internal address of the server to an external address

What do you mean by this?  Make the server in the DMZ have a private IP address?  The firewall I will be using has a DMZ port so I wouldn't actually be using 2 separate firewalls.  Would I be able to NAT on the DMZ?  Also, if that is the case, do I just use a different subnet than my LAN, and will they be able to communicate with each other?

thanks again
mgcITAuthor Commented:
Looking back at the comments I see that jabiii maybe had the same idea - "DMZ with NAT"...

If so, jabiii, please reply and give your input on that.  Thanks
What you're saying is you have 3 interfaces on your FW, right?
Internal, external and DMZ?
In that case, yes, you would put your server in the DMZ and create a rule inbound from the outside. And you wouldn't be using NAT so much as PAT or MAP, which means, let's say your server is , your FW would give it the address and people connecting would connect to the and the FW would forward it to the

But by placing it in the DMZ you are giving yourself the best security, whether you use NAT/MAP/PAT or not.

If your rules are locked down and the server is in the DMZ, NAT is just an additional layer; all it is doing is masking the real IP address.

Doing both, however, you are protecting yourself as best as you can.
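As an added example that is not part of the original thread or any poster's own setup, the following script models the two layouts discussed above: the "easy" one where the web server sits on the LAN and the firewall simply forwards port 443 to it, and the three-interface layout where the server sits in a DMZ behind a DNAT/PAT rule and only one back-end port is opened from the DMZ into the LAN. It then asks the question that the "few ports to a few machines" versus "all ports to all machines" comparison earlier in the thread hinges on: once the web server is compromised, which internal services can the attacker reach? All addresses (RFC 5737 / RFC 1918 ranges), rule sets and the list of internal services are constructed for illustration and are assumptions, not taken from the thread.

```python
"""Added example, not from the thread: a small model of the two layouts
discussed above (web server NATed on the LAN vs. web server in a DMZ with
DNAT/PAT on a three-interface firewall). Addresses, rule sets and the list of
internal services are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed addressing (RFC 5737 / RFC 1918 ranges), not taken from the thread.
EXTERNAL_VIP = "203.0.113.10"  # public address the firewall answers on
WEB_DMZ = "10.0.2.10"          # web server when placed in the DMZ
WEB_LAN = "10.0.1.10"          # same server when simply NATed on the LAN
APP_SERVER = "10.0.1.30"       # the one back-end the web server legitimately needs
ZONES = {"dmz": ip_network("10.0.2.0/24"), "inside": ip_network("10.0.1.0/24")}

# Constructed sample of internal services an attacker would go after next.
INTERNAL_SERVICES: Set[Tuple[str, int]] = {
    ("10.0.1.20", 389),   # directory server
    ("10.0.1.20", 445),   # file server
    ("10.0.1.25", 25),    # mail server
    (APP_SERVER, 1494),   # application server the web front end talks to
}


def zone_of(addr: str) -> str:
    """Map an address to the firewall zone (interface) it lives behind."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "outside"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_hosts: Optional[FrozenSet[str]]  # None = any host in dst_zone
    ports: Optional[FrozenSet[int]]      # None = any port
    allow: bool


class Firewall:
    """First-match, default-deny zone firewall with a static DNAT table."""

    def __init__(self, rules: List[Rule],
                 dnat: Dict[Tuple[str, int], Tuple[str, int]]):
        self.rules = rules
        self.dnat = dnat

    def permits(self, src: str, dst: str, port: int) -> bool:
        dst, port = self.dnat.get((dst, port), (dst, port))  # DNAT precedes filtering
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz and sz != "outside":
            return True  # same segment: the traffic never crosses the firewall
        for r in self.rules:
            if (r.src_zone, r.dst_zone) == (sz, dz) \
               and (r.dst_hosts is None or dst in r.dst_hosts) \
               and (r.ports is None or port in r.ports):
                return r.allow
        return False  # nothing matched: default deny


def lan_layout() -> Tuple[Firewall, str]:
    """Web server on the LAN; only 443 forwarded from outside (the easy setup)."""
    fw = Firewall(
        [Rule("outside", "inside", frozenset({WEB_LAN}), frozenset({443}), True)],
        {(EXTERNAL_VIP, 443): (WEB_LAN, 443)},
    )
    return fw, WEB_LAN


def dmz_layout() -> Tuple[Firewall, str]:
    """Web server in the DMZ; 443 forwarded in, one back-end port allowed out."""
    fw = Firewall(
        [
            Rule("outside", "dmz", frozenset({WEB_DMZ}), frozenset({443}), True),
            Rule("dmz", "inside", frozenset({APP_SERVER}), frozenset({1494}), True),
            Rule("inside", "dmz", None, None, True),  # LAN may manage DMZ hosts
        ],
        {(EXTERNAL_VIP, 443): (WEB_DMZ, 443)},
    )
    return fw, WEB_DMZ


def blast_radius(fw: Firewall, compromised_host: str) -> Set[Tuple[str, int]]:
    """Internal services an attacker on compromised_host can connect to."""
    return {(h, p) for h, p in INTERNAL_SERVICES if fw.permits(compromised_host, h, p)}


if __name__ == "__main__":
    for name, (fw, web) in (("LAN+NAT", lan_layout()), ("DMZ+NAT", dmz_layout())):
        print(f"{name}: outside->{EXTERNAL_VIP}:443 permitted =",
              fw.permits("198.51.100.7", EXTERNAL_VIP, 443))
        print(f"{name}: reachable from a compromised web server =",
              sorted(blast_radius(fw, web)))
```

Both layouts expose exactly the same thing to the internet (one public address, one port), which is why NAT alone buys no extra protection for the web server itself. The difference shows up in `blast_radius`: on the LAN the compromised server is on the same segment as every internal service and the firewall never sees that traffic, whereas in the DMZ only the single back-end port that was deliberately opened is reachable. The `inside -> dmz` allow-all rule mirrors the default "higher security level may talk to lower" behaviour described for Cisco above; tightening it to management ports only is the obvious next step.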

mgcITAuthor Commented:
Thanks for the input.