This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Libor_Kovar
Contributor
‎2021-11-18 06:15 AM
Jump to solution

DMZ vs NAT - pros and cons

Hi all,

could you comment pls, what is better for security, whether DMZ or NAT (Static or port NAT ) and why ?

Some say, contrary to me, that NAT is more secure and DMZ is insecure and obsolete.

What is you opinion  ?

I suppose Checkpoint FW context.

I appreciate modern info sources about that, eventually.

Thanks LK

 

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Legend Legend
Legend
‎2022-01-25 07:58 AM
In response to Libor_Kovar
Jump to solution

I suppose an argument could be made that NATting inbound traffic into a privately-addressed DMZ does provide some "security through obscurity" by hiding the server's true inside address from the outside world.  In some cases this true address will need to be known when trying certain types of exploit attempts against the server.  However there are so many ways that web servers in particular can leak their true IP address through error pages and such I'd say NATting really doesn't provide much security benefit, increases the complexity of the network slightly, and incurs some extra NAT processing on the firewall.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones

View solution in original post

8 Replies
PhoneBoy
Admin
Admin
‎2021-11-18 09:36 PM
Jump to solution

It’s not really an either-or.
Some do both.
A DMZ is really about segmentation.
More precisely, a DMZ is about ensuring all externally accessible resources can only access internal security resources via some form of access control (if allowed at all).

None of that is Check Point specific.

0 Kudos
Libor_Kovar
Contributor
‎2022-01-25 05:22 AM
In response to PhoneBoy
Jump to solution

Hi,

now my "opponent" precised what he means by NAT. He made actually an DMZ with private IP address range, which uses a 1:1 static NAT for particular hosts . 

Does it have any advantage comparing to DMZ having public address range ? 

@PhoneBoy wrote:

It’s not really an either-or.
Some do both.
A DMZ is really about segmentation.
More precisely, a DMZ is about ensuring all externally accessible resources can only access internal security resources via some form of access control (if allowed at all).

None of that is Check Point specific.

 

 

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-01-25 06:10 AM
In response to Libor_Kovar
Jump to solution

It depends are those public IPs on your WAF/LB or actual hosts?

It helps to provide a clearer picture or risk getting sub optimal advice.

CCSM R77/R80/ELITE
0 Kudos
Libor_Kovar
Contributor
‎2022-01-25 06:38 AM
In response to Chris_Atkinson
Jump to solution

Just generic hosts

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2022-01-25 07:58 AM
In response to Libor_Kovar
Jump to solution

I suppose an argument could be made that NATting inbound traffic into a privately-addressed DMZ does provide some "security through obscurity" by hiding the server's true inside address from the outside world.  In some cases this true address will need to be known when trying certain types of exploit attempts against the server.  However there are so many ways that web servers in particular can leak their true IP address through error pages and such I'd say NATting really doesn't provide much security benefit, increases the complexity of the network slightly, and incurs some extra NAT processing on the firewall.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
Libor_Kovar
Contributor
‎2022-01-25 08:01 AM
In response to Timothy_Hall
Jump to solution

Thanks, exactly my opinion. But you know , new hire 🙂

 

0 Kudos
Ruan_Kotze
Advisor
‎2022-01-25 05:49 AM
Jump to solution

From a regulatory perspective, PCI-DSS for example mandates that no connection from an untrusted network i.e. partner or the internet is allowed to terminate in a trusted network, thus forcing you to use DMZ's.  You will find that many other frameworks (CIS, NIST etc.) also require, or at least strongly recommend, the use of external-facing DMZ's.

From a design perspective, I cannot see how a properly designed DMZ is more insecure than a straight NAT to the inside.  For one it will certainly complicate lateral movement post-breach.

0 Kudos
Libor_Kovar
Contributor
‎2022-01-25 08:05 AM
Jump to solution

Thanks to all !

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top