Solved

ASA NAT of http outside interface to inside server IP

Posted on 2014-09-04
Last Modified: 2014-09-15
Hi. I have set up this NAT, all OK. I do have a concern around security, however. I know essentially that all NAT will do is hide the internal IP, and it doesn't provide sufficient security against targeted attacks over port 80. Essentially port 80 is open to the outside world to an internal IP, which is not great from a security point of view.

I am aware there are better ways to do this (DMZ etc.). My question is how common it is that this type of NAT would be set up. Have engineers seen this configuration frequently?
Question by: philb19
3 Comments
Expert Comment by: Experienced Member (LVL 97)
ID: 40305026
Essentially port 80 is open to the outside world to an internal IP  <-- That is entirely unsafe. You might just as well post your server password in the world news.

DMZ is not meant to protect servers either.

Get a VPN router, install that in front of your ISP modem, set up IPsec VPN and hook the server to that. I have had client servers behind strong VPN for years with zero intrusions.

Expert Comment by: giltjr (LVL 57)
ID: 40305081
Is there a special reason why you have port 80 open to the outside world?

A DMZ is really just a place where you put servers you want to allow access to by "anybody" from the Internet. As John Hurst stated, it's not protected. It really just allows you to protect your "internal" network better.

If the server where you have port 80 open is for "employee" access only, then setting up a VPN will allow you to close port 80 to the general public while allowing your fellow employees to access it.

Accepted Solution by: Jan Springer (LVL 29), earned 2000 total points
ID: 40305786
I prefer that open ports be moved to a DMZ.

I configure web servers and do so by using layers.

Firewall (ASA), IDS, SELinux, web server security (ModSecurity), access lists by IP, authentication where needed, service monitoring, log monitoring.

You can be perfectly fine if you don't make yourself a piece of low hanging fruit.
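The point both the question and the accepted answer turn on is that on an ASA the NAT statement itself does not expose anything: the inbound access list bound to the outside interface decides who can reach the translated host, and "access lists by IP" plus moving the host to a DMZ are what change the risk. The script below is an added example, not code from this thread or from Cisco. It audits a constructed ASA configuration (8.3+ object NAT syntax) containing the port-80 forward to an inside host that the question describes, alongside a DMZ forward restricted to a trusted source range, and reports how reachable each forwarded host is and from where. The object, ACL and interface names are assumptions, and the destination side of an ACL entry is only handled when written as `object NAME`.

```python
"""Audit Cisco ASA (8.3+ object NAT syntax) port forwards: for each static
NAT that maps a host to the outside interface, report which inbound ACL
entries make it reachable and from which sources. Added example, not code
from the thread; the configuration is constructed and the object, ACL and
interface names are assumptions."""
import re

# Constructed configuration. The WEB-INSIDE forward with 'permit tcp any'
# is the setup the question describes; WEB-DMZ is the alternative the
# accepted answer recommends: a DMZ host reachable only from named sources.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
object network WEB-INSIDE
 host 192.168.1.10
 nat (inside,outside) static interface service tcp www www
object network WEB-DMZ
 host 10.10.10.20
 nat (dmz,outside) static interface service tcp www www
object-group network TRUSTED-SOURCES
 network-object 203.0.113.0 255.255.255.0
access-list OUTSIDE-IN extended permit tcp any object WEB-INSIDE eq www
access-list OUTSIDE-IN extended permit tcp object-group TRUSTED-SOURCES object WEB-DMZ eq www
access-group OUTSIDE-IN in interface outside
"""

PORT_NAMES = {"www": "80", "http": "80", "https": "443"}


def norm_port(p):
    return PORT_NAMES.get(p, p)


def parse_nat_rules(config):
    """Return [(object_name, real_if, mapped_if, proto, mapped_port)] for
    static object NAT entries that translate a single service."""
    rules, current = [], None
    for line in config.splitlines():
        if line.startswith("object network "):
            current = line.split()[2]
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the object block
        elif current:
            m = re.match(r"\s+nat \((\w+),(\w+)\) static \S+ service (tcp|udp) (\S+) (\S+)", line)
            if m:
                rules.append((current, m.group(1), m.group(2), m.group(3), norm_port(m.group(5))))
    return rules


def parse_acl_entries(config):
    """Return {acl_name: [(proto, source, dest_object, port)]} for permit entries."""
    entries = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2:4] != ["extended", "permit"]:
            continue
        name, proto, i = t[1], t[4], 5
        if t[i] in ("any", "any4"):
            source, i = "any", i + 1
        else:  # 'object X', 'object-group X', 'host X' or 'NET MASK': two tokens
            source, i = " ".join(t[i:i + 2]), i + 2
        # Assumption: destination written as 'object NAME eq PORT' only
        if len(t) < i + 4 or t[i] != "object" or t[i + 2] != "eq":
            continue
        entries.setdefault(name, []).append((proto, source, t[i + 1], norm_port(t[i + 3])))
    return entries


def parse_access_groups(config):
    """Return {interface: acl_name} for inbound access-group bindings."""
    groups = {}
    for line in config.splitlines():
        m = re.match(r"access-group (\S+) in interface (\S+)", line)
        if m:
            groups[m.group(2)] = m.group(1)
    return groups


def audit(config):
    """One finding per port forward: which sources reach it and a risk rating."""
    acls, groups, findings = parse_acl_entries(config), parse_access_groups(config), []
    for obj, real_if, mapped_if, proto, port in parse_nat_rules(config):
        inbound = acls.get(groups.get(mapped_if, ""), [])
        sources = [s for p, s, d, pt in inbound if d == obj and p == proto and pt == port]
        if not sources:
            risk = "unreachable"  # ASA denies inbound by default; the NAT alone opens nothing
        elif "any" in sources and real_if == "inside":
            risk = "high"  # host on the inside network reachable from the whole Internet
        elif "any" in sources:
            risk = "medium"  # reachable from anywhere, but segmented off the inside network
        else:
            risk = "low"  # reachable only from the named sources
        findings.append({"object": obj, "real_if": real_if, "port": port,
                         "sources": sources, "risk": risk})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f['risk']:<11} {f['object']:<12} on {f['real_if']:<7} tcp/{f['port']} "
              f"from {f['sources'] or 'nobody'}")
```

Run against a real `show running-config`, the "high" findings are exactly the forwards the thread is about: an inside host reachable from `any`. The two changes the answers describe both show up in the rating: replacing `any` with an object-group of permitted sources drops the finding to "low" without touching the NAT line, and re-homing the server on the DMZ interface changes `(inside,outside)` to `(dmz,outside)` so that even a wide-open ACL no longer lands traffic on the inside network.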