Solved

ASA NAT of http outside interface to inside server IP

Posted on 2014-09-04
3
325 Views
Last Modified: 2014-09-15
Hi. I have setup this NAT all ok. I do have a concern around security however. I know essentially that all NAT will do is hide the internal IP and doesn't provide sufficient security against targeted attacks over port 80. Essentially port 80 is open to the outside world to an internal IP which is not great from a security point of view.

I am aware there are better ways to do this - DMZ etc - My question is how common is it that  this  type of NAT would be setup. Have engineers seen this configuration frequently?
0
Comment
Question by:philb19
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 95

Expert Comment

by:John Hurst
ID: 40305026
Essentially port 80 is open to the outside world to an internal IP  <-- That is entirely unsafe. You might just as well post your server password in the world news.

DMZ is not meant for to protect servers either.

Get a VPN router, install that in front of your ISP modem, set up IPsec VPN and hook the server to that. I have had client servers behind strong VPN for years with zero intrusions.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 40305081
Is there a special reason why you have port 80 open to the outside world?

A DMZ is really just a place where you place servers you want to allow access to by "anybody" from the Internet.   As John Hurst stated, its not protected.  It really just allows you to protect your "internal" network better.

If the server were you have port 80 open is for "employee" access only, then setting up a VPN will allow you to close port 80 to the general public while allowing your fellow employees to access it.
0
 
LVL 29

Accepted Solution

by:
Jan Springer earned 500 total points
ID: 40305786
I prefer that open ports be moved to a DMZ.

I configure web servers and do so by using layers.

Firewall (ASA), IDS, selinux, web server security (modsecurity), access lists by IP, authentication where needed, service monitoring, log monitoring.

You can be perfectly fine if you don't make yourself a piece of low hanging fruit.
0

Featured Post

Retailers - Is your network secure?

With the prevalence of social media & networking tools, for retailers, reputation is critical. Have you considered the impact your network security could have in your customer's experience? Learn more in our Retail Security Resource Kit Today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
On Feb. 28, Amazon’s Simple Storage Service (S3) went down after an employee issued the wrong command during a debugging exercise. Among those affected were big names like Netflix, Spotify and Expedia.
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question