Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

ASA NAT of http outside interface to inside server IP

Posted on 2014-09-04
3
Medium Priority
?
334 Views
Last Modified: 2014-09-15
Hi. I have setup this NAT all ok. I do have a concern around security however. I know essentially that all NAT will do is hide the internal IP and doesn't provide sufficient security against targeted attacks over port 80. Essentially port 80 is open to the outside world to an internal IP which is not great from a security point of view.

I am aware there are better ways to do this - DMZ etc - My question is how common is it that  this  type of NAT would be setup. Have engineers seen this configuration frequently?
0
Comment
Question by:philb19
3 Comments
 
LVL 100

Expert Comment

by:John Hurst
ID: 40305026
Essentially port 80 is open to the outside world to an internal IP  <-- That is entirely unsafe. You might just as well post your server password in the world news.

DMZ is not meant for to protect servers either.

Get a VPN router, install that in front of your ISP modem, set up IPsec VPN and hook the server to that. I have had client servers behind strong VPN for years with zero intrusions.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 40305081
Is there a special reason why you have port 80 open to the outside world?

A DMZ is really just a place where you place servers you want to allow access to by "anybody" from the Internet.   As John Hurst stated, its not protected.  It really just allows you to protect your "internal" network better.

If the server were you have port 80 open is for "employee" access only, then setting up a VPN will allow you to close port 80 to the general public while allowing your fellow employees to access it.
0
 
LVL 29

Accepted Solution

by:
Jan Springer earned 2000 total points
ID: 40305786
I prefer that open ports be moved to a DMZ.

I configure web servers and do so by using layers.

Firewall (ASA), IDS, selinux, web server security (modsecurity), access lists by IP, authentication where needed, service monitoring, log monitoring.

You can be perfectly fine if you don't make yourself a piece of low hanging fruit.
0

Featured Post

The IT Degree for Career Advancement

Earn your B.S. in Network Operations and Security and become a network and IT security expert. This WGU degree program curriculum was designed with tech-savvy, self-motivated students in mind – allowing you to use your technical expertise, to address real-world business problems.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As managed cloud service providers, we often get asked to intervene when cloud deployments go awry. Attracted by apparent ease-of-use, flexibility and low computing costs, companies quickly adopt leading public cloud platforms such as Amazon Web Ser…
This article will show you step-by-step instructions to build your own NTP CentOS server.  The network diagram shows the best practice to setup the NTP server farm for redundancy.  This article also serves as your NTP server documentation.
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

564 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question