DMZ vs NAT - pros and cons
Hi all,
Could you please comment on what is better for security, DMZ or NAT (static or port NAT), and why?
Some say, contrary to me, that NAT is more secure and DMZ is insecure and obsolete.
What is your opinion?
I am assuming a Check Point FW context.
I would appreciate up-to-date info sources about that, if possible.
Thanks LK
Accepted Solutions
I suppose an argument could be made that NATting inbound traffic into a privately-addressed DMZ does provide some "security through obscurity" by hiding the server's true inside address from the outside world. In some cases this true address will need to be known when trying certain types of exploit attempts against the server. However, there are so many ways that web servers in particular can leak their true IP address through error pages and such that I'd say NATting really doesn't provide much security benefit; it increases the complexity of the network slightly and incurs some extra NAT processing on the firewall.
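The leakage described in the accepted answer is easy to test for. The Python script below is an added example, not code from the original post and not from Check Point: it parses a raw HTTP response and reports any RFC 1918, loopback or link-local address that appears in redirect/proxy headers or in the body (for instance an Apache-style server signature on an error page). The two sample responses, the header list and the fictitious address pair 203.0.113.10 -> 10.20.30.40 are all constructed for the example.

```python
import ipaddress
import re

# Dotted-quad candidates; each hit is validated with ipaddress below, so
# "999.1.1.1" is rejected and public literals are simply not reported.
IPV4_CANDIDATE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Ranges that should never show up in a response served from behind
# 1:1 static NAT: RFC 1918, loopback and link-local.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Headers that servers, proxies and app frameworks commonly fill with their
# own pre-NAT address.  Assumption: a starting list, not an exhaustive one.
INTERESTING_HEADERS = {
    "location", "content-location", "via", "link",
    "x-forwarded-for", "x-real-ip", "x-backend-server",
}


def private_ips_in(text):
    """Return the private/loopback/link-local IPv4 literals found in text."""
    found = []
    for m in IPV4_CANDIDATE.finditer(text):
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ValueError:          # e.g. 999.1.1.1
            continue
        if any(ip in net for net in PRIVATE_NETS):
            found.append(str(ip))
    return found


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_line, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_leaks(raw):
    """Return [(where, ip), ...] for private addresses exposed in the response."""
    _, headers, body = parse_response(raw)
    leaks = []
    for name, value in headers.items():
        if name in INTERESTING_HEADERS:
            for ip in private_ips_in(value):
                leaks.append((f"header:{name}", ip))
    for ip in private_ips_in(body):
        leaks.append(("body", ip))
    return leaks


# Constructed sample: a redirect from a web server behind static NAT
# (public 203.0.113.10 -> private 10.20.30.40).  Both the Location header
# and the Apache-style footer reveal the pre-NAT address; the Via header
# reveals the reverse proxy's address as well.
SAMPLE_LEAKY = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Location: http://10.20.30.40/app/\r\n"
    "Via: 1.1 10.20.30.1 (proxy)\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Moved Permanently</h1>\n"
    "<address>Apache/2.4.41 (Ubuntu) Server at 10.20.30.40 Port 80</address>\n"
    "</body></html>"
)

# Constructed sample: the same host after fixing ServerName/ServerSignature.
SAMPLE_CLEAN = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Welcome to www.example.com (203.0.113.10)</body></html>"
)

if __name__ == "__main__":
    for label, sample in (("leaky", SAMPLE_LEAKY), ("clean", SAMPLE_CLEAN)):
        print(label, find_leaks(sample))
```

Point the parser at responses captured with curl -i (including deliberate 404s and directory requests without a trailing slash, which trigger redirects); a single hit in Location or a server footer is enough to undo the "obscurity" the NAT was supposed to provide.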
It’s not really an either-or.
Some do both.
A DMZ is really about segmentation.
More precisely, a DMZ is about ensuring all externally accessible resources can only access internal security resources via some form of access control (if allowed at all).
None of that is Check Point specific.
Hi,
Now my "opponent" has clarified what he means by NAT. He actually built a DMZ with a private IP address range, which uses 1:1 static NAT for particular hosts.
Does it have any advantage compared to a DMZ with a public address range?
@PhoneBoy wrote:
It’s not really an either-or.
Some do both.
A DMZ is really about segmentation.
More precisely, a DMZ is about ensuring all externally accessible resources can only access internal security resources via some form of access control (if allowed at all).
None of that is Check Point specific.
It depends: are those public IPs on your WAF/LB or on actual hosts?
It helps to provide a clearer picture, or you risk getting suboptimal advice.
Just generic hosts
Thanks, exactly my opinion. But you know, new hire 🙂
From a regulatory perspective, PCI DSS, for example, mandates that no connection from an untrusted network (i.e. a partner or the internet) is allowed to terminate in a trusted network, thus forcing you to use DMZs. You will find that many other frameworks (CIS, NIST etc.) also require, or at least strongly recommend, the use of external-facing DMZs.
From a design perspective, I cannot see how a properly designed DMZ is more insecure than a straight NAT to the inside. For one, it will certainly complicate lateral movement post-breach.
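Both PhoneBoy's point (externally accessible resources reach internal ones only through access control) and the PCI DSS point in the post above (no untrusted connection terminates in the trusted network) can be expressed as a check over the rulebase. The Python below is an added example, not code from this thread and not the Check Point Management API: the object-to-zone mapping, the simplified rule shape, the zone names External/DMZ/Internal and the sample rules are all constructed for illustration. It flags Accept rules whose source is in the untrusted zone and whose destination is in the internal zone, and DMZ-to-internal rules that allow any service.

```python
# Constructed object-to-zone mapping.  Assumption: three zones are enough
# to express the DMZ principle; real rulebases carry more.
NET_ZONES = {
    "Internet":     "External",
    "Partner-VPN":  "External",
    "DMZ-Net":      "DMZ",
    "Web-01":       "DMZ",
    "Internal-Net": "Internal",
    "DB-01":        "Internal",
}

ALL_ZONES = {"External", "DMZ", "Internal"}

# Constructed, simplified rules (NOT the Check Point API schema).
# Rule 1 is the classic DMZ pattern; rule 2 is DMZ -> internal, but
# restricted to the one service the app needs; rules 3 and 4 break the
# principle in the two ways the thread describes.
RULES = [
    {"no": 1, "src": ["Internet"],    "dst": ["Web-01"],       "svc": ["https"], "action": "Accept"},
    {"no": 2, "src": ["Web-01"],      "dst": ["DB-01"],        "svc": ["MySQL"], "action": "Accept"},
    {"no": 3, "src": ["Partner-VPN"], "dst": ["Internal-Net"], "svc": ["Any"],   "action": "Accept"},
    {"no": 4, "src": ["DMZ-Net"],     "dst": ["Internal-Net"], "svc": ["Any"],   "action": "Accept"},
    {"no": 5, "src": ["Any"],         "dst": ["Any"],          "svc": ["Any"],   "action": "Drop"},
]


def zones_of(objs, zone_map):
    """Zones covered by a source/destination cell; 'Any' covers every zone."""
    if "Any" in objs:
        return set(ALL_ZONES)
    return {zone_map[o] for o in objs}


def lint(rules, zone_map=NET_ZONES):
    """Return [(rule_no, finding_id, explanation), ...] for rules that
    violate the DMZ principle.  Only Accept rules can violate it."""
    findings = []
    for rule in rules:
        if rule["action"] != "Accept":
            continue
        src = zones_of(rule["src"], zone_map)
        dst = zones_of(rule["dst"], zone_map)
        if "External" in src and "Internal" in dst:
            findings.append((
                rule["no"], "untrusted-to-trusted",
                "connection from an untrusted network terminates inside; "
                "front it with a DMZ host instead",
            ))
        elif "DMZ" in src and "Internal" in dst and "Any" in rule["svc"]:
            findings.append((
                rule["no"], "dmz-to-internal-any",
                "DMZ host reaches the internal network on any service; "
                "restrict to the ports the application actually needs",
            ))
    return findings


if __name__ == "__main__":
    for no, fid, why in lint(RULES):
        print(f"rule {no}: {fid}: {why}")
```

A DMZ built on a private address range with 1:1 static NAT passes this check exactly as a publicly addressed one does: the check looks at which zones can talk to which, which is the property the frameworks care about, and says nothing about whether the DMZ hosts' addresses are public or translated.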
Thanks to all !
