Solved

public IPs on NICs versus natting to private IPs on NICs

Posted on 2013-01-24
5
355 Views
Last Modified: 2013-01-29
Hi there,
I am new to Experts Exchange and am in the trial bit. I will be paying the fee when it comes time because so far there are lots of cool answers I have been getting, and really quick too.  Thanks heaps for so far.

This question is just a background question for my own understanding.
I am in a bigger network than I have worked in before and am interested in why you would have a public IP on a nic and letting traffic in on a firewall through certain ports directly to the NIC,  versus just natting on the firewall through ports that are open to a private range IP on a NIC.

The times I have seen a NIC configured with a public IP are on servers in the DMZ.
We still have rules on the DMZ firewall that only allow certain traffic to the public IP NICs on the servers with them.
Why does it seem that it is okay for the internet to know the ip of a NIC in the DMZ versus natting to the internal domain to a private IP?
Wouldn't it be better to NAT to a Private IP NIC on a server in the DMZ as well for the same reasons? IE the internet knows less about your configuration meaning you are more secure?

This is just for my own understanding of when to put a public IP on a NIC versus when to put a private IP.
For what it is worth we have plenty of spare public IPs.

Thanks,
Shaun
0
Comment
Question by:shaunwoy
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 38817908
first lets understand public and private IP.

Public IPs are those IP known to outside world. There is well defined pool of public IPs and every organization or ISP has to buy & sell IPs from that pool.

when you want to go on internet you have to use any public IP to reach internet.
 
Private IPs are private to any particular organization with it they can comunicate within the organization.

Since you have to pay some money to use/buy public IP form your ISP provider and if you have lot of user to use internet and in this case you have to spend lot of money in buying public IP for each user thus we do NATING.

NATing means mapping of private IP address to public IP address.

Thats why you see abov set-up in your network.
0
 
LVL 24

Accepted Solution

by:
smckeown777 earned 500 total points
ID: 38818506
The difference between putting a public IP on the NIC(and thus in the DMZ) vs doing the NAT translation is by putting on the NIC you are bypassing NAT - this is sometimes required depending on what the server/machine that has the public IP is running - i.e. some technologies don't like NAT(VOIP for example) and thus they operate better in the DMZ

So if there's a requirement to bypass NAT this is why its usually done like this(or one of the reasons)
0
 

Author Comment

by:shaunwoy
ID: 38823064
That's a nice explanation. Thanks.  
Are you saying then it would be best practice to NAT unless there is a specific requirement?  Does a server in the DMZ would always have one of their NICs with a public IP or are they NATed out of the DMZ as well as an extra layer if a technology doesn't require a public IP. For example a webserver?
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 38830404
Thanks for the points, to answer you last bit(sorry for the delay), the DMZ is normally a seperate 'zone' on your firewall/router...so in effect its like another LAN behind your router

That is you have you LAN which is the client machines and server
You have a DMZ which holds web servers(or public facing servers, i.e. need to be accessed by the outside public)
You have the WAN which is your router/firewall public IP

So in a lot of the business class routers/firewalls there can be additional 'security' features that you need to enable where servers in the DMZ are limited in what they can see on the LAN side etc...you've probably seen a few posts on the web about DMZ but here's a simple enough explanation that may assist...

http://community.spiceworks.com/topic/139801-dmz-vs-nat
0
 

Author Comment

by:shaunwoy
ID: 38832684
Thanks for that smckeown777, that is really cool.  The link did help too.
0

Featured Post

Is your NGFW recommended by NSS Labs?

Ours is! NSS Labs Next Generation Firewall Test gives the WatchGuard Firebox M4600 a "Recommended" rating! Curious where your NGFW landed on the  Security Value Map? See the map and download the full report today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Network traffic routing plays key role in your network, if you have single site with heavy browsing or multiple sites, replicating important application data from your Primary Default Gateway ,you have to route your other network traffic from your p…
A 2007 NCSA Cyber Security survey revealed that a mere 4% of the population has a full understanding of firewalls. As business owner, you should be part of that 4% that has a full understanding.
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Add bar graphs to Access queries using Unicode block characters. Graphs appear on every record in the color you want. Give life to numbers. Hopes this gives you ideas on visualizing your data in new ways ~ Create a calculated field in a query: …

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question