Solved

ASA NAT of http outside interface to inside server IP

Posted on 2014-09-04
3
319 Views
Last Modified: 2014-09-15
Hi. I have setup this NAT all ok. I do have a concern around security however. I know essentially that all NAT will do is hide the internal IP and doesn't provide sufficient security against targeted attacks over port 80. Essentially port 80 is open to the outside world to an internal IP which is not great from a security point of view.

I am aware there are better ways to do this - DMZ etc - My question is how common is it that  this  type of NAT would be setup. Have engineers seen this configuration frequently?
0
Comment
Question by:philb19
3 Comments
 
LVL 90

Expert Comment

by:John Hurst
ID: 40305026
Essentially port 80 is open to the outside world to an internal IP  <-- That is entirely unsafe. You might just as well post your server password in the world news.

DMZ is not meant for to protect servers either.

Get a VPN router, install that in front of your ISP modem, set up IPsec VPN and hook the server to that. I have had client servers behind strong VPN for years with zero intrusions.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 40305081
Is there a special reason why you have port 80 open to the outside world?

A DMZ is really just a place where you place servers you want to allow access to by "anybody" from the Internet.   As John Hurst stated, its not protected.  It really just allows you to protect your "internal" network better.

If the server were you have port 80 open is for "employee" access only, then setting up a VPN will allow you to close port 80 to the general public while allowing your fellow employees to access it.
0
 
LVL 28

Accepted Solution

by:
Jan Springer earned 500 total points
ID: 40305786
I prefer that open ports be moved to a DMZ.

I configure web servers and do so by using layers.

Firewall (ASA), IDS, selinux, web server security (modsecurity), access lists by IP, authentication where needed, service monitoring, log monitoring.

You can be perfectly fine if you don't make yourself a piece of low hanging fruit.
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
Don’t let your business fall victim to the coming apocalypse – use our Survival Guide for the Fax Apocalypse to identify the risks and signs of zombie fax activities at your business.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now