I would like to get your opinion on whether the following really adds any additional security.
We have a public-facing firewall and an internal network. I am creating a DMZ to host some public-facing web servers. I'm going to NAT the public IP addresses to the private DMZ addresses. My question is whether you think it's a good idea to also NAT the DMZ (private) addresses to a different (private) address on our internal network. The idea being the real addresses of the DMZ servers would not be routable on our internal network and internal clients could only connect to the internal NAT address of the DMZ servers. As far as I understand it, this adds a layer of complexity but not necessarily security. Either way I would be filtering traffic in both directions for DMZ <-> Internal (and of course Outside <-> DMZ).
What would you do?
Appreciate your help
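An added configuration sketch, not from the thread, showing the single-NAT layout described in the question (public address NATed to the DMZ host, DMZ <-> Internal filtered in both directions, no second NAT toward the internal side); interface names, addresses and allowed ports are constructed placeholders:

```nftables
# Constructed example. Addresses use RFC 5737 / RFC 1918 placeholder ranges.
# Interfaces (assumed): eth0 = outside, eth1 = DMZ, eth2 = internal.
define PUBLIC_WEB   = 203.0.113.10   # public IP advertised for the web server
define DMZ_WEB      = 10.1.0.10      # real DMZ address of the web server
define DMZ_NET      = 10.1.0.0/24
define INTERNAL_NET = 10.2.0.0/24

table inet fw {
    # One NAT only: Outside -> DMZ. Internal clients reach DMZ_WEB directly;
    # whether they may is decided by the forward rules below, not by addressing.
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "eth0" ip daddr $PUBLIC_WEB tcp dport { 80, 443 } dnat ip to $DMZ_WEB
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0" ip saddr $DMZ_NET snat ip to $PUBLIC_WEB
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Outside -> DMZ: only the published service (address already rewritten by DNAT).
        iifname "eth0" oifname "eth1" ip daddr $DMZ_WEB tcp dport { 80, 443 } ct state new accept

        # Internal -> DMZ: explicit allow-list (constructed ports: HTTPS and SSH management).
        iifname "eth2" oifname "eth1" ip saddr $INTERNAL_NET ip daddr $DMZ_WEB \
            tcp dport { 22, 443 } ct state new accept

        # DMZ -> Internal: no new connections may originate in the DMZ; log the drops
        # so a DMZ host that starts probing inward is visible to monitoring.
        iifname "eth1" oifname "eth2" log prefix "dmz-to-internal-drop: " drop

        # DMZ -> Outside: only what the servers need (constructed: updates and DNS).
        iifname "eth1" oifname "eth0" ip saddr $DMZ_NET tcp dport { 80, 443 } ct state new accept
        iifname "eth1" oifname "eth0" ip saddr $DMZ_NET udp dport 53 ct state new accept
    }
}
```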
I agree as well. There's no reason to add that complexity.
Security through obscurity is not really effective in the long run.
The only reason to do this would be with addressing (or routing) concerns.
Not sure what you get by doing this. Even if the real private addresses of the DMZ servers were not routable, the NATed addresses would need to be for internal users to access DMZ servers, if indeed they need to. And if they don't need to, then just don't advertise the route into your internal network.
I agree with you in that I cannot see any added security benefit with added complexity. I wouldn't do it myself.