DMZ Design - DMZ <-> Internal NAT

Answered Question
Apr 10th, 2008

Hi All,

I would like to get your opinion on whether the following really adds any additional security.

We have a public facing firewall and an internal network. I am creating a DMZ to host some public facing webservers. I'm going to NAT the public IP addresses to the private DMZ addresses. My question is whether you think it's a good idea to also NAT the DMZ (private) addresses to a different (private) address on our internal network. The idea being the real addresses of the DMZ servers would not be routable on our internal network and internal clients could only connect to the internal NAT address of the DMZ servers. As far as I understand it this adds a layer of complexity but not necessarily security. Either way I would be filtering traffic in both directions for DMZ <-> Internal (and of course Outside <-> DMZ).

What would you do?

Appreciate your help

Andy

Correct Answer
Jon Marshall Thu, 04/10/2008 - 01:50

Andy

Not sure what you get by doing this. Even if the real private addresses of the DMZ servers were not routable, the NATted addresses would need to be for internal users to access DMZ servers, if indeed they need to. And if they don't need to, then just don't advertise the route into your internal network.

I agree with you in that I cannot see any added security benefit with added complexity. I wouldn't do it myself.

Jon

Correct Answer
srue Thu, 04/10/2008 - 06:22

I agree as well. There's no reason to add that complexity.

Security through obscurity is not really effective in the long run.

The only reason to do this would be with addressing (or routing) concerns.

serotonin888 Thu, 04/10/2008 - 07:13

Thanks for both your replies.

I was concerned that this config would actually become a bit too complex and therefore introduce an element of human error.

Cheers

Andy
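To make the point of this thread concrete, here is an added model of the two designs Andy describes. It is my own Python illustration, not Cisco configuration and not anything from the posters' networks; every address in it is constructed (203.0.113.10 as the public address, 10.10.10.10 as the real DMZ server, 10.20.20.10 as the extra inside-facing NAT alias, 10.1.1.0/24 as the inside). The filter policy is written against real (untranslated) addresses, the way a firewall that un-NATs before filtering evaluates it. Design A is the plain DMZ with a single outside NAT; design B adds the DMZ <-> inside NAT and stops routing the real DMZ prefix inside. The model shows that, with the same filter policy, both designs permit exactly the same set of flows: the second NAT changes only which address an inside client has to use, and "the real addresses are not reachable" is a routing property (a `no-route` verdict), not a filtering one.

```python
"""Model of the two DMZ designs from the thread (constructed addresses)."""
import ipaddress
from dataclasses import dataclass

# Which real prefix belongs to which zone; anything else is "outside".
ZONE_NETS = {"dmz": "10.10.10.0/24", "inside": "10.1.1.0/24"}

# Filter policy on REAL addresses: (src_zone, dst_zone, dst_net, ports).
# Identical in both designs; this is the actual security control.
PERMIT = [
    ("outside", "dmz", "10.10.10.0/24", {80, 443}),
    ("inside", "dmz", "10.10.10.0/24", {22, 443}),
    ("dmz", "inside", "10.1.1.0/24", {53}),
]


@dataclass(frozen=True)
class Packet:
    src_zone: str
    src_ip: str
    dst_ip: str   # the address the client actually used (may be a NAT alias)
    dport: int


@dataclass
class Design:
    name: str
    nat: dict      # (ingress zone, mapped address) -> real address
    routes: dict   # zone -> prefixes that zone has a route to


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for zone, net in ZONE_NETS.items():
        if addr in ipaddress.ip_network(net):
            return zone
    return "outside"


def routable(design: Design, zone: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in design.routes[zone])


def evaluate(design: Design, pkt: Packet) -> tuple:
    """Return (verdict, real destination): 'no-route', 'permit' or 'deny'."""
    if not routable(design, pkt.src_zone, pkt.dst_ip):
        return "no-route", pkt.dst_ip            # routing, not security
    real_dst = design.nat.get((pkt.src_zone, pkt.dst_ip), pkt.dst_ip)
    dst_zone = zone_of(real_dst)
    for sz, dz, net, ports in PERMIT:
        if ((sz, dz) == (pkt.src_zone, dst_zone)
                and ipaddress.ip_address(real_dst) in ipaddress.ip_network(net)
                and pkt.dport in ports):
            return "permit", real_dst
    return "deny", real_dst


def permitted_flows(design: Design, packets) -> frozenset:
    """Set of (src_zone, real destination, port) the design lets through."""
    out = set()
    for p in packets:
        verdict, real = evaluate(design, p)
        if verdict == "permit":
            out.add((p.src_zone, real, p.dport))
    return frozenset(out)


DESIGN_A = Design(
    "A: single static NAT on the outside",
    nat={("outside", "203.0.113.10"): "10.10.10.10"},
    routes={"outside": ["203.0.113.0/24"],
            "inside": ["10.1.1.0/24", "10.10.10.0/24"],
            "dmz": ["10.10.10.0/24", "10.1.1.0/24"]},
)
DESIGN_B = Design(
    "B: extra DMZ<->inside NAT, real DMZ prefix not routed inside",
    nat={("outside", "203.0.113.10"): "10.10.10.10",
         ("inside", "10.20.20.10"): "10.10.10.10"},
    routes={"outside": ["203.0.113.0/24"],
            "inside": ["10.1.1.0/24", "10.20.20.0/24"],
            "dmz": ["10.10.10.0/24", "10.1.1.0/24"]},
)

# Constructed probe traffic. Inside probes are sent to both the real address
# and the alias so each design gets its "correct" address tried.
PROBES = [
    Packet("outside", "198.51.100.7", "203.0.113.10", 443),
    Packet("inside", "10.1.1.50", "10.10.10.10", 22),
    Packet("inside", "10.1.1.50", "10.20.20.10", 22),
    Packet("inside", "10.1.1.50", "10.10.10.10", 3389),
    Packet("inside", "10.1.1.50", "10.20.20.10", 3389),
    Packet("dmz", "10.10.10.10", "10.1.1.20", 53),
    Packet("dmz", "10.10.10.10", "10.1.1.20", 445),
]

if __name__ == "__main__":
    for d in (DESIGN_A, DESIGN_B):
        print(d.name)
        for p in PROBES:
            print(f"  {p.src_zone:7} {p.src_ip:>13} -> {p.dst_ip}:{p.dport:<5}",
                  evaluate(d, p))
    print("same permitted flows:",
          permitted_flows(DESIGN_A, PROBES) == permitted_flows(DESIGN_B, PROBES))
```

Running it shows that the only verdicts that differ between A and B are `no-route` versus `permit`/`deny` for the inside probes, depending on whether the client used the real address or the alias; the permitted set (one outside flow, one inside flow, one DMZ-to-inside flow) is identical. The DMZ-to-inside rules, which are untouched by the extra NAT, are where the real exposure lives, which is why the replies point at the filtering rather than at address translation.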
