04-10-2008 01:09 AM - edited 03-09-2019 08:29 PM
Hi All,
I would like to get your opinion on whether the following really adds any additional security.
We have a public facing firewall and an internal network. I am creating a DMZ to host some public facing webservers. I'm going to NAT the public IP addresses to the private DMZ addresses. My question is whether you think it's a good idea to also NAT the DMZ (private) addresses to a different (private) address on our internal network. The idea being the real addresses of the DMZ servers would not be routable on our internal network and internal clients could only connect to the internal NAT address of the DMZ servers. As far as I understand it this adds a layer of complexity but not necessarily security. Either way I would be filtering traffic in both directions for DMZ <-> Internal (and of course Outside <-> DMZ).
What would you do?
Appreciate your help
Andy
04-10-2008 01:50 AM
Andy
Not sure what you get by doing this. Even if the real private addresses of the DMZ servers were not routable, the NATed addresses would need to be for internal users to access DMZ servers, if indeed they need to. And if they don't need to then just don't advertise the route into your internal network.
I agree with you in that I cannot see any added security benefit with added complexity. I wouldn't do it myself.
Jon
04-10-2008 06:22 AM
I agree as well. There's no reason to add that complexity.
Security through obscurity is not really effective in the long run.
The only reason to do this would be with addressing (or routing) concerns.
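As an added illustration of what both replies recommend (one translation at the public edge, explicit filtering in both directions, and no inside-facing NAT of the DMZ hosts), here is a sketch of the firewall configuration that design implies. It is not from the original thread. It assumes a three-interface Cisco ASA running pre-8.3 software (the `static (dmz,outside)` form; 8.3 and later use object NAT instead), and the interface names, addresses (RFC 5737 / RFC 1918 ranges), admin host and ACL names are all made up for the example.

```cisco
! Three-legged ASA, pre-8.3 syntax. Names and addresses are example values.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 10.1.2.1 255.255.255.0
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! The only translation the design needs: public address -> DMZ web server.
static (dmz,outside) 203.0.113.10 10.1.2.10 netmask 255.255.255.255
!
! Outside -> DMZ: only the published services; everything else denied and logged.
access-list outside_in extended permit tcp any host 203.0.113.10 eq www
access-list outside_in extended permit tcp any host 203.0.113.10 eq https
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! DMZ -> inside: the DMZ must not initiate connections toward the internal
! network. Any genuine exception (e.g. a backend database port) goes above
! this deny so that it is an explicit, reviewable decision.
access-list dmz_in extended deny ip any 10.0.0.0 255.255.255.0 log
! Outbound from the web server only if it really needs it (updates, etc.).
access-list dmz_in extended permit tcp host 10.1.2.10 any eq www
access-list dmz_in extended permit tcp host 10.1.2.10 any eq https
access-list dmz_in extended deny ip any any log
access-group dmz_in in interface dmz
!
! Inside -> DMZ: management from one admin host, HTTP from the inside subnet,
! both to the server's real DMZ address. There is deliberately no
! static (inside,dmz) entry: the ACL already decides who may reach 10.1.2.10,
! and an extra inside-facing address would not narrow that set.
access-list inside_in extended permit tcp host 10.0.0.50 host 10.1.2.10 eq ssh
access-list inside_in extended permit tcp 10.0.0.0 255.255.255.0 host 10.1.2.10 eq www
access-list inside_in extended deny ip any 10.1.2.0 255.255.255.0 log
access-list inside_in extended permit ip 10.0.0.0 255.255.255.0 any
access-group inside_in in interface inside
```

The line that actually protects the internal network is the `deny ip any 10.0.0.0 255.255.255.0` on the DMZ interface, and it does the same job whether the DMZ servers are reached by their real addresses or by a second translated address. The `log` keyword on each deny is what lets you spot a compromised DMZ host probing inward.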
04-10-2008 07:13 AM
Thanks for both your replies.
I was concerned that this config would actually become a bit too complex and therefore introduce an element of human error.
Cheers
Andy