[isalist] Re: DMZ Route vs NAT

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 31 Dec 2009 12:13:55 -0600

"A route would be less secure since any compromise of a DMZ asset would
result in any access rules automatically allowing access into the
internal network"

Only if you create rules that allow it. Just because it's set to route
doesn't create a carte blanche access rule.

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Thursday, December 31, 2009 11:59 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] DMZ Route vs NAT

So, Steve and I were discussing network topologies the other day as we
often do, and we were talking about the network relationship between the
internal network and one's DMZ perimeter in regard to "best practices"
and security.   

I always like to set up a NAT relationship from the internal network to
the DMZ perimeter and set publishing rules from the DMZ to internal if
necessary, i.e. SMTP publishing.  I'll publish SMTP from the Internet to
the DMZ edge, process mail, and then publish from the DMZ to the
Internal Exchange box.  

However, I think most people use a "route" for ease of management.  A
route would be less secure since any compromise of a DMZ asset would
result in any access rules automatically allowing access into the
internal network.  Typically, a published service would have an
application layer filter applied which would mitigate the leverage one
could apply to such a compromise.

What are the group thoughts on this?  NAT is more difficult to manage
given the "directional" aspects of the relationship as well as the added
overhead of publishing anything where the DMZ unit must initiate
connections to the internal network.  

I just wondered what the rest of you guys/gals did.

T

____________________

Thor

thor@xxxxxxxxxxxxxxx

www.hammerofgod.com

Think Carbon Footprint.  Like mine on your ass if you print this you wasteful bastard!
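A toy policy model, added here as an illustration and not code from either poster or from ISA Server, to audit the point the two messages argue about: what a host in the DMZ can reach on the Internal network under each design. It assumes simplified ISA-style semantics (a network rule sets route or NAT between two networks, publishing rules carry traffic against the NAT direction, access rules work only along it or anywhere under a route, and anything not matched is dropped); the network names, protocols and rule sets are constructed.

```python
from dataclasses import dataclass
# Simplified model of ISA-style policy (assumed semantics, constructed example).
@dataclass(frozen=True)
class NetRule:
    src: str
    dst: str
    kind: str            # "route" (symmetric) or "nat" (defined src -> dst)

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str           # "*" matches any protocol
    kind: str = "access" # "access" or "publish"

def relationship(net_rules, src, dst):
    """Return (kind, along_defined_direction) for src -> dst, or None."""
    for n in net_rules:
        if (n.src, n.dst) == (src, dst):
            return n.kind, True
        if (n.src, n.dst) == (dst, src):
            return n.kind, False
    return None          # no network rule at all: traffic is dropped

def allowed(net_rules, rules, src, dst, proto):
    """Publishing rules carry traffic against the NAT direction;
    access rules work only along it, or in any direction under a route."""
    rel = relationship(net_rules, src, dst)
    if rel is None:
        return False
    kind, forward = rel
    for r in rules:
        if (r.src, r.dst) != (src, dst) or r.proto not in ("*", proto):
            continue
        if r.kind == "publish" or kind == "route" or forward:
            return True
    return False         # relationship alone never grants access

def dmz_reach(net_rules, rules, protos=("SMTP", "SMB", "RDP")):
    """Audit: protocols a compromised DMZ host could reach on Internal."""
    return {p for p in protos if allowed(net_rules, rules, "DMZ", "Internal", p)}
# Thor's design: NAT Internal -> DMZ, only SMTP published back inward.
NAT_NET = [NetRule("Internal", "DMZ", "nat")]
NAT_RULES = [Rule("Internal", "DMZ", "*"), Rule("DMZ", "Internal", "SMTP", "publish")]
# Route with the same intent (only Internal -> DMZ allowed): nothing reaches inward.
ROUTE_NET = [NetRule("Internal", "DMZ", "route")]
ROUTE_RULES = [Rule("Internal", "DMZ", "*")]
# Route plus a broad DMZ -> Internal access rule: the exposure Thor describes.
LAX_RULES = ROUTE_RULES + [Rule("DMZ", "Internal", "*")]
```

Running `dmz_reach` over the three rule sets gives only SMTP for the NAT design, nothing for the route design with the same rules, and everything once the broad inbound access rule is present, which is Shinder's point that the exposure comes from the access rules rather than from the relationship itself.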