mgcIT asked:
DMZ vs. NAT - which is more secure
Technically which is more secure or what other benefits/factors are there?
I'm planning an implementation that recommends you put the front end web server in the DMZ. Only port 443 (SSL) will be open from the outside world. On the internal firewall a few more ports will be open that will allow communication from the DMZ to the internal network.
My basic question is how is this different than just NATting an IP address on my internal firewall to the web server? I would only open port 443 to that IP and nothing else. Then the webserver is on the LAN and able to communicate freely with the internal network. This is obviously an easier setup since I don't have to configure a DMZ but I'm worried about the security differences.
Thanks
ASKER
>> well depending on your nework layout and configuration.
What do you mean by that?
If it makes a difference this setup would be for Citrix Secure Gateway. Here is the layout of how it would be set up: http://www.nosille.com/Files/SG.jpg
Not for Citrix but for our web server. Anyway, good thinking.
regards,
einy
ASKER
>> 1) NATting in the sense you will be mapping the internal address of the server to an external address
What do you mean by this? Make the server in the DMZ have a private IP address? The firewall I will be using has a DMZ port so I wouldn't actually be using 2 separate firewalls. Would I be able to NAT on the DMZ? Also, if that is the case, do I just use a different subnet than my LAN, and will they be able to communicate with each other?
Thanks again
ASKER
Looking back at the comments I see that jabiii may have had the same idea - "DMZ with NAT"...
If so, jabiii, please reply and give your input on that. Thanks.
ASKER
Thanks for the input.
DMZ has more security over NAT, well depending on your network layout and configuration.
NAT is just an inconvenience; DMZ is something you have to overcome the security of. And using NAT you can still find the original IP.
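As an added example (not posted by anyone in this thread), here is the DMZ design from the question written as an nftables ruleset for a Linux firewall with a dedicated DMZ port, with the reply above's point made concrete in the forward chain: the web server can only reach the LAN ports explicitly listed, which a plain NAT port-forward onto a LAN-resident host cannot enforce. Interface names, addresses (RFC 5737 documentation ranges) and the DMZ-to-LAN ports (Citrix ICA and CGP, 1494 and 2598) are assumptions for the example, not details from the thread.

```nft
#!/usr/sbin/nft -f
# Assumed topology (not from the thread): wan0 = Internet, dmz0 = DMZ,
# lan0 = internal LAN. The web server sits in the DMZ behind one public IP.
flush ruleset

define PUBLIC    = 203.0.113.10      # public address (documentation range)
define WEB_DMZ   = 10.1.1.10         # web server's DMZ address
define LAN_NET   = 192.168.1.0/24
define APP_SRV   = 192.168.1.20      # assumed internal Citrix server
define APP_PORTS = { 1494, 2598 }    # ICA and CGP, assumed for this example

table inet fw {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        # Only 443 is published, and it lands on the DMZ host, not a LAN host.
        iifname "wan0" ip daddr $PUBLIC tcp dport 443 dnat ip to $WEB_DMZ
    }
    chain postrouting {
        type nat hook postrouting priority srcnat;
        oifname "wan0" masquerade
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the translated 443 flow.
        iifname "wan0" oifname "dmz0" ip daddr $WEB_DMZ tcp dport 443 accept

        # DMZ -> LAN: the "few more ports" from the question, and nothing
        # else. With a NAT forward onto a LAN host there is no chain like
        # this one, so a compromised web server can talk to every LAN host.
        iifname "dmz0" oifname "lan0" ip saddr $WEB_DMZ ip daddr $APP_SRV tcp dport $APP_PORTS accept
        iifname "dmz0" oifname "lan0" log prefix "dmz-to-lan denied: " drop

        # LAN may administer the DMZ host and reach the Internet.
        iifname "lan0" oifname "dmz0" ip saddr $LAN_NET accept
        iifname "lan0" oifname "wan0" ip saddr $LAN_NET accept
        # DMZ -> Internet is not allowed; add a rule here only if needed.
    }
}
```

Load it with `nft -f`; the logged drop on the DMZ-to-LAN path doubles as a detection hook, since a web server that suddenly probes internal addresses shows up in the firewall log.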