topic Re: DMZ vs NAT - pros and cons in Firewall and Security Management

DMZ vs NAT - pros and cons

Libor_Kovar — Thu, 18 Nov 2021 14:20:17 GMT

Hi all,

could you comment pls, what is better for security, whether DMZ or NAT (Static or port NAT ) and why ?

Some say, contrary to me, that NAT is more secure and DMZ is insecure and obsolete.

What is you opinion ?

I suppose Checkpoint FW context.

I appreciate modern info sources about that, eventually.

Thanks LK

Re: DMZ vs NAT - pros and cons

PhoneBoy — Fri, 19 Nov 2021 05:36:44 GMT

It’s not really an either-or.
Some do both.
A DMZ is really about segmentation.
More precisely, a DMZ is about ensuring all externally accessible resources can only access internal security resources via some form of access control (if allowed at all).

None of that is Check Point specific.

Re: DMZ vs NAT - pros and cons

Libor_Kovar — Tue, 25 Jan 2022 13:22:44 GMT

Hi,

now my "opponent" precised what he means by NAT. He made actually an DMZ with private IP address range, which uses a 1:1 static NAT for particular hosts .

Does it have any advantage comparing to DMZ having public address range ?

@PhoneBoy wrote:
It’s not really an either-or.
Some do both.
A DMZ is really about segmentation.
More precisely, a DMZ is about ensuring all externally accessible resources can only access internal security resources via some form of access control (if allowed at all).
None of that is Check Point specific.

Re: DMZ vs NAT - pros and cons

Ruan_Kotze — Tue, 25 Jan 2022 13:49:53 GMT

From a regulatory perspective, PCI-DSS for example mandates that no connection from an untrusted network i.e. partner or the internet is allowed to terminate in a trusted network, thus forcing you to use DMZ's. You will find that many other frameworks (CIS, NIST etc.) also require, or at least strongly recommend, the use of external-facing DMZ's.

From a design perspective, I cannot see how a properly designed DMZ is more insecure than a straight NAT to the inside. For one it will certainly complicate lateral movement post-breach.

Re: DMZ vs NAT - pros and cons

Chris_Atkinson — Tue, 25 Jan 2022 14:10:50 GMT

It depends are those public IPs on your WAF/LB or actual hosts?

It helps to provide a clearer picture or risk getting sub optimal advice.

Re: DMZ vs NAT - pros and cons

Libor_Kovar — Tue, 25 Jan 2022 14:38:24 GMT

Just generic hosts

Re: DMZ vs NAT - pros and cons

Timothy_Hall — Tue, 25 Jan 2022 16:28:54 GMT

I suppose an argument could be made that NATting inbound traffic into a privately-addressed DMZ does provide some "security through obscurity" by hiding the server's true inside address from the outside world. In some cases this true address will need to be known when trying certain types of exploit attempts against the server. However there are so many ways that web servers in particular can leak their true IP address through error pages and such I'd say NATting really doesn't provide much security benefit, increases the complexity of the network slightly, and incurs some extra NAT processing on the firewall.

Re: DMZ vs NAT - pros and cons

Libor_Kovar — Tue, 25 Jan 2022 16:01:33 GMT

Thanks, exactly my opinion. But you know , new hire 🙂

Re: DMZ vs NAT - pros and cons

Libor_Kovar — Tue, 25 Jan 2022 16:05:07 GMT

Thanks to all !