Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Libor_Kovar
Contributor
Jump to solution

DMZ vs NAT - pros and cons

Hi all,

could you comment pls, what is better for security, whether DMZ or NAT (Static or port NAT ) and why ?

Some say, contrary to me, that NAT is more secure and DMZ is insecure and obsolete.

What is you opinion  ?

I suppose Checkpoint FW context.

I appreciate modern info sources about that, eventually.

Thanks LK

 

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Legend Legend
Legend

I suppose an argument could be made that NATting inbound traffic into a privately-addressed DMZ does provide some "security through obscurity" by hiding the server's true inside address from the outside world.  In some cases this true address will need to be known when trying certain types of exploit attempts against the server.  However there are so many ways that web servers in particular can leak their true IP address through error pages and such I'd say NATting really doesn't provide much security benefit, increases the complexity of the network slightly, and incurs some extra NAT processing on the firewall.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

View solution in original post

(1)
8 Replies
PhoneBoy
Admin
Admin

It’s not really an either-or.
Some do both.
A DMZ is really about segmentation.
More precisely, a DMZ is about ensuring all externally accessible resources can only access internal security resources via some form of access control (if allowed at all).

None of that is Check Point specific.

0 Kudos
Libor_Kovar
Contributor

Hi,

now my "opponent" precised what he means by NAT. He made actually an DMZ with private IP address range, which uses a 1:1 static NAT for particular hosts . 

Does it have any advantage comparing to DMZ having public address range ? 


@PhoneBoy wrote:

It’s not really an either-or.
Some do both.
A DMZ is really about segmentation.
More precisely, a DMZ is about ensuring all externally accessible resources can only access internal security resources via some form of access control (if allowed at all).

None of that is Check Point specific.


 

 

0 Kudos
Chris_Atkinson
Employee Employee
Employee

It depends are those public IPs on your WAF/LB or actual hosts?

It helps to provide a clearer picture or risk getting sub optimal advice.

CCSM R77/R80/ELITE
0 Kudos
Libor_Kovar
Contributor

Just generic hosts

0 Kudos
Timothy_Hall
Legend Legend
Legend

I suppose an argument could be made that NATting inbound traffic into a privately-addressed DMZ does provide some "security through obscurity" by hiding the server's true inside address from the outside world.  In some cases this true address will need to be known when trying certain types of exploit attempts against the server.  However there are so many ways that web servers in particular can leak their true IP address through error pages and such I'd say NATting really doesn't provide much security benefit, increases the complexity of the network slightly, and incurs some extra NAT processing on the firewall.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
(1)
Libor_Kovar
Contributor

Thanks, exactly my opinion. But you know , new hire 🙂

 

0 Kudos
Ruan_Kotze
Advisor

From a regulatory perspective, PCI-DSS for example mandates that no connection from an untrusted network i.e. partner or the internet is allowed to terminate in a trusted network, thus forcing you to use DMZ's.  You will find that many other frameworks (CIS, NIST etc.) also require, or at least strongly recommend, the use of external-facing DMZ's.

From a design perspective, I cannot see how a properly designed DMZ is more insecure than a straight NAT to the inside.  For one it will certainly complicate lateral movement post-breach.

0 Kudos
Libor_Kovar
Contributor

Thanks to all !

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events