DMZ vs. NAT - which is more secure

Technically which is more secure or what other benefits/factors are there?

I'm planning an implementation that recommends you put the front end web server in the DMZ.  Only port 443 (SSL) will be open from the outside world.  On the internal firewall a few more ports will be open that will allow communication from the DMZ to the internal network.

My basic question is how is this different than just natting an IP address on my internal firewall to the web server?  I would only open port 443 to that IP and nothing else.  Then the webserver is on the LAN and able to communicate freely with the internal network.  This is obviously an easier setup since I don't have to configure a DMZ but I'm worried about the security differences.

The security considerations would be different for each scenario. Let's see, you have a computer in your local LAN whose IP address is and it also goes out to the internet. Specifically nobody from the internet would make a connection to your computer, kinda nobody cares.

But when you put out a webserver then, everybody knows about it (You want everybody to know about it, don't you?). Then a permanent IP address will be there. Whether you NAT or put it in the DMZ, somebody could compromise that machine.

So if the server is in the DMZ and had only a *few ports open to a few machines* => (Not Every Machine) in the internal network


Server is in the internal network and all the goddamn ports are open for all the machines inside (exchange, ad, fileserver....everything)

Now you can find out the answer from comparing the above 2 scenarios.

DMZ with NAT :)

DMZ has more security over NAT, well depending on your network layout and configuration.

NAT is just an inconvenience, DMZ is something you have to overcome the security of. And using NAT you can still find the original IP.
mgcITAuthor Commented:
>> well depending on your network layout and configuration.

what do you mean by that?

If it makes a difference this setup would be for Citrix Secure Gateway.  Here is the layout of how it would be set up:

It is not a matter of which is more secure. as I see from the diagram you will be using both.

1) Natting in the sense you will be mapping the internal address of the server to an external address so to the outside client only the external address will be visible.

2) As far as DMZ goes it depends on your firewall configuration, how well you secure it and also your firewall. Talking about Cisco, basically by default there are three levels in the Cisco with LAN the highest priority, followed by DMZ and then the external network.
  So even if you put the Web server in the DMZ in default Cisco configuration you have everything enabled from LAN to DMZ and nothing from DMZ to LAN as the priority states.
  Configure the DMZ to allow only those ports from the LAN and external environment to the DMZ and vice versa and you should make the front end server fairly secure.

P.S. We have this same scenario over here.
Not for Citrix but for our Web server. Anyway good thinking.


mgcITAuthor Commented:
>> 1) Natting in the sense you will be mapping the internal address of the server to an external address

What do you mean by this?  Make the server in the DMZ have a private IP Address?  The firewall I will be using has a DMZ port so I wouldn't actually be using 2 separate firewalls.  Would I be able to nat on the DMZ?  Also if that is the case do I just use a different subnet than my LAN and will they be able to communicate with each other?

thanks again
mgcITAuthor Commented:
looking back at the comments I see that jabiii maybe had the same idea - "DMZ with NAT"...

if so jabiii please reply and give your input on that.  thanks
what you're saying is you have 3 interfaces on your fw right?
internal external and dmz?
in that case yes, you would put your server in the dmz, and create a rule inbound from the outside. and you wouldn't be using NAT so much as PAT or MAP. which means you would let's say your server is your FW would give it the address and people connecting would connect to the and the fw would forward it to the

But by placing it in the DMZ you are giving yourself the best security, whether you use nat/map/pat or not.

If your rules are locked down, and the server is in the DMZ, NAT it's just an additional layer all it is doing is masking the real IP address.

Doing both however you are protecting yourself as best as you can.
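The two scenarios compared in the first answer (web server on the LAN with port 443 forwarded to it, versus web server in a DMZ with only a few ports open to a few internal machines) and the three-interface DMZ with NAT/PAT described just above can be modelled as a small zone-based policy and checked for blast radius: which internal (host, port) pairs a compromised web server could still connect to. The script below is an added example written for this thread, not code from any participant or from the firewall vendor; the addresses, the internal services (an Exchange box, a domain controller, a file server) and the rules are constructed sample data, and the LAN-to-DMZ "any port" rule only reproduces the default direction described for Cisco in the thread.

```python
"""Compare the NAT-only layout with the DMZ layout by evaluating a zone
firewall policy. Hosts, addresses and rules below are constructed samples."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dports: frozenset = frozenset()   # empty = any destination port
    dst_ips: frozenset = frozenset()  # empty = any host in dst_zone
    action: str = "allow"

    def matches(self, src_zone, dst_zone, dst_ip, dport):
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and (not self.dports or dport in self.dports)
                and (not self.dst_ips or dst_ip in self.dst_ips))


class Firewall:
    """First-match zone filter with optional static NAT (the PAT/MAP step)."""

    def __init__(self, zones, rules, dnat=None):
        self.zones = {name: ip_network(cidr) for name, cidr in zones.items()}
        self.rules = rules
        self.dnat = dnat or {}  # (public_ip, port) -> (private_ip, port)

    def zone_of(self, ip):
        addr = ip_address(ip)
        for name, net in self.zones.items():
            if addr in net:
                return name
        return "external"  # anything not in a configured zone is the outside

    def allows(self, src, dst, dport):
        # Destination NAT is applied before the filter decision, as on most firewalls.
        dst, dport = self.dnat.get((dst, dport), (dst, dport))
        sz, dz = self.zone_of(src), self.zone_of(dst)
        if sz == dz and sz != "external":
            return True  # same internal segment: traffic never crosses the firewall
        for rule in self.rules:
            if rule.matches(sz, dz, dst, dport):
                return rule.action == "allow"
        return False  # default deny between zones (and to the firewall's own public IP)


# Constructed sample of the "exchange, ad, fileserver" hosts from the thread.
INTERNAL_SERVICES = {
    "10.0.0.10": {25, 443},       # Exchange (hypothetical)
    "10.0.0.11": {88, 389, 445},  # AD domain controller (hypothetical)
    "10.0.0.12": {445},           # file server (hypothetical)
}
PUBLIC_IP = "203.0.113.5"  # documentation address standing in for the real one


def nat_only_layout():
    """Web server on the LAN, only port 443 forwarded from the public address."""
    fw = Firewall(
        zones={"lan": "10.0.0.0/24"},
        rules=[Rule("external", "lan", frozenset({443}), frozenset({"10.0.0.20"}))],
        dnat={(PUBLIC_IP, 443): ("10.0.0.20", 443)},
    )
    return fw, "10.0.0.20"


def dmz_layout():
    """Web server on the firewall's DMZ interface, NAT'd to the same public address."""
    fw = Firewall(
        zones={"lan": "10.0.0.0/24", "dmz": "192.168.100.0/24"},
        rules=[
            Rule("external", "dmz", frozenset({443}), frozenset({"192.168.100.20"})),
            # "a few ports open to a few machines": here LDAP to the DC only (constructed)
            Rule("dmz", "lan", frozenset({389}), frozenset({"10.0.0.11"})),
            Rule("lan", "dmz"),  # default direction described for Cisco: LAN may reach DMZ
        ],
        dnat={(PUBLIC_IP, 443): ("192.168.100.20", 443)},
    )
    return fw, "192.168.100.20"


def reachable_from_web_server(fw, web_ip):
    """Internal (host, port) pairs a compromised web server could connect to."""
    return {(host, port) for host, ports in INTERNAL_SERVICES.items()
            for port in ports if fw.allows(web_ip, host, port)}


def total_services():
    return sum(len(ports) for ports in INTERNAL_SERVICES.values())


if __name__ == "__main__":
    for name, (fw, web) in {"NAT only": nat_only_layout(), "DMZ": dmz_layout()}.items():
        exposed = reachable_from_web_server(fw, web)
        print(f"{name:8s} public 443 reachable: {fw.allows('198.51.100.7', PUBLIC_IP, 443)}; "
              f"internal pairs reachable from web server: {len(exposed)}/{total_services()}")
```

Both layouts expose exactly one port to the outside, which is why the NAT-only setup looks equivalent at first glance; the difference only shows up when the web server itself is assumed compromised, where the LAN placement reaches every internal service and the DMZ placement reaches only what the DMZ-to-LAN rule explicitly lists.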

mgcITAuthor Commented:
Thanks for the input.