DMZ Design - DMZ <-> Internal NAT

serotonin888
Level 1

Hi All,

I would like to get you opinion on whether the following really adds any additional security.

We have a public facing firewall and an internal network. I am creating a DMZ to host some public facing webservers. I'm going to NAT the public IP addresses to the private DMZ addresses. My question is whether you think it's a good idea to also NAT the DMZ (private) addresses to a different (private) address on our internal network. The idea being the real addresses of the DMZ servers would not be routable on our internal network and internal clients could only connect to the internal NAT address of the DMZ servers. As far as I understand it this adds a layer of complexity but not necessarily security. Either way I would be filtering traffic in both directions for DMZ <-> Internal (and of course Outside <-> DMZ).

What would you do?

Appreciate your help

Andy

2 Accepted Solutions

Jon Marshall
Hall of Fame

Andy

Not sure what you get by doing this. Even if the real private addresses of the DMZ servers were not routable, the NATed addresses would need to be for internal users to access DMZ servers, if indeed they need to. And if they don't need to then just don't advertise the route into your internal network.

I agree with you in that I cannot see any added security benefit with added complexity. I wouldn't do it myself.

Jon


I agree as well. There's no reason to add that complexity.

Security through obscurity is not really effective in the long run.

The only reason to do this would be with addressing (or routing) concerns.

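To make the recommended design concrete, here is an added example configuration (my own illustration, not from the thread or from either poster). It assumes a Cisco ASA (8.3 or later syntax); the interface names, the 203.0.113.0/24 public range, the 10.10.10.0/24 DMZ, the 192.168.1.0/24 inside network and the 192.168.1.50 admin host are all made-up values. It does only the single NAT the question describes (public address to DMZ address), keeps DMZ <-> inside traffic un-NATed with an identity NAT rule, and puts the actual security control where the replies say it belongs: explicit access lists in both directions.

```cisco
! Assumed interfaces and security levels (illustration only)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0

! Single static NAT: public 203.0.113.10 <-> real DMZ host 10.10.10.10
object network dmz-web1
 host 10.10.10.10
 nat (dmz,outside) static 203.0.113.10

object network inside-net
 subnet 192.168.1.0 255.255.255.0
object network dmz-net
 subnet 10.10.10.0 255.255.255.0

! Identity NAT: inside and DMZ talk using their real addresses, no second
! translation layer. If internal clients never need the DMZ, simply do not
! route 10.10.10.0/24 internally instead of hiding it behind another NAT.
nat (inside,dmz) source static inside-net inside-net destination static dmz-net dmz-net

! Outside -> DMZ: only the published web ports reach the web server.
! ACLs reference real (untranslated) addresses on ASA 8.3+, hence the object.
access-list outside_in extended permit tcp any object dmz-web1 eq 443
access-list outside_in extended permit tcp any object dmz-web1 eq 80
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside

! DMZ -> inside: nothing. A compromised web server gets no path inward.
! DMZ -> outside is left open here for OS/package updates; tighten as needed.
access-list dmz_in extended deny ip any object inside-net log
access-list dmz_in extended permit ip object dmz-net any
access-group dmz_in in interface dmz

! Inside -> DMZ: management only from one assumed admin host, plus the
! published web ports for internal users; everything else to the DMZ is
! denied and logged. General inside -> outside traffic is still allowed.
access-list inside_in extended permit tcp host 192.168.1.50 object dmz-web1 eq 22
access-list inside_in extended permit tcp object inside-net object dmz-web1 eq 443
access-list inside_in extended deny ip object inside-net object dmz-net log
access-list inside_in extended permit ip object inside-net any
access-group inside_in in interface inside
```

The point of the example is that the isolation comes from the `dmz_in` and `inside_in` access lists, which can be read and audited line by line. A second NAT between DMZ and inside would not change what those lists permit; it would only add a translation table to reason about when troubleshooting, which is the human-error risk the original poster was worried about.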

3 Replies

serotonin888
Level 1

Thanks for both your replies.

I was concerned that this config would actually become a bit too complex and therefore introduce an element of human error.

Cheers

Andy