I'm looking for some insight on the best security design for several externally accessible web applications. We have several public IP addresses available and can simply do a 1:1 NAT for each web server, put it in a DMZ, or both. Each web server has an internal SQL database to complicate things. From a best security perspective i'm not sure if a 1:1 NAT will work fine or if i should use a DMZ. I would still like to allocate 1 public IP address per web server.