Solved

ASA NAT of http outside interface to inside server IP

Posted on 2014-09-04
Last Modified: 2014-09-15
Hi. I have set up this NAT all OK. I do have a concern around security, however. I know essentially that all NAT will do is hide the internal IP and doesn't provide sufficient security against targeted attacks over port 80. Essentially port 80 is open to the outside world to an internal IP, which is not great from a security point of view.

I am aware there are better ways to do this (DMZ etc.). My question is: how common is it that this type of NAT would be set up? Have engineers seen this configuration frequently?
Question by:philb19
3 Comments
LVL 94

Expert Comment

by:John Hurst
ID: 40305026
Essentially port 80 is open to the outside world to an internal IP  <-- That is entirely unsafe. You might just as well post your server password in the world news.

DMZ is not meant to protect servers either.

Get a VPN router, install that in front of your ISP modem, set up IPsec VPN and hook the server to that. I have had client servers behind strong VPN for years with zero intrusions.
LVL 57

Expert Comment

by:giltjr
ID: 40305081
Is there a special reason why you have port 80 open to the outside world?

A DMZ is really just a place where you place servers you want to allow access to by "anybody" from the Internet. As John Hurst stated, it's not protected. It really just allows you to protect your "internal" network better.

If the server where you have port 80 open is for "employee" access only, then setting up a VPN will allow you to close port 80 to the general public while allowing your fellow employees to access it.
LVL 28

Accepted Solution

by: Jan Springer (earned 500 total points)
ID: 40305786
I prefer that open ports be moved to a DMZ.

I configure web servers and do so by using layers.

Firewall (ASA), IDS, selinux, web server security (modsecurity), access lists by IP, authentication where needed, service monitoring, log monitoring.

You can be perfectly fine if you don't make yourself a piece of low hanging fruit.
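As an added example (not configuration posted by anyone in this thread) of the DMZ plus access-list layering Jan Springer recommends, the following ASA 8.3+ style fragment moves the web server onto a DMZ interface, publishes only TCP/80 on the outside interface address, and stops the DMZ host from initiating connections into the inside network. Interface names, object names and the RFC 5737 documentation addresses are assumptions.

```text
! Added example, not from the thread. Addresses are RFC 5737 documentation
! ranges; interface and object names are assumptions.
!
! --- Weak form, as described in the question: outside TCP/80 forwarded
! --- straight to a host on the inside interface. A compromise of the web
! --- server lands the attacker directly on the internal network.
! object network WEB_SERVER_INSIDE
!  host 10.0.0.10
!  nat (inside,outside) static interface service tcp 80 80
!
! --- Preferred form: the web server lives on its own DMZ interface
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
object network WEB_SERVER
 host 192.0.2.10
 ! Publish only TCP/80 on the outside interface address (port-restricted NAT)
 nat (dmz,outside) static interface service tcp 80 80
!
object network INSIDE_NET
 subnet 10.0.0.0 255.255.255.0
!
! Outside may reach the web server on port 80 only; anything else is
! dropped and logged (ACLs reference the real, untranslated address in 8.3+)
access-list OUTSIDE_IN extended permit tcp any object WEB_SERVER eq 80
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! The DMZ host must not open connections into the inside network, so a
! compromised web server cannot pivot. It may still reach the Internet
! (e.g. for updates); tighten further if that is not required.
access-list DMZ_IN extended deny ip any object INSIDE_NET log
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz
```

The deny-and-log entries feed the "log monitoring" layer in the answer above: hits on OUTSIDE_IN or DMZ_IN denies are the events worth alerting on.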