Which is what I meant by "any access rule allowing access" :)

On Dec 31, 2009, at 10:14 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> wrote:

“A route would be less secure since any compromise of a DMZ asset would result in any access rules automatically allowing access into the internal network”

Only if you create rules that allow it. Just because it’s set to route doesn’t create a carte blanche access rule.

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Thursday, December 31, 2009 11:59 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] DMZ Route vs NAT

So, Steve and I were discussing network topologies the other day, as we often do, and we were talking about the network relationship between the internal network and one’s DMZ perimeter in regard to “best practices” and security. I always like to set up a NAT relationship from the internal network to the DMZ perimeter and set publishing rules from the DMZ to internal if necessary, i.e. SMTP publishing. I’ll publish SMTP from the Internet to the DMZ edge, process mail, and then publish from the DMZ to the internal Exchange box. However, I think most people use a “route” for ease of management. A route would be less secure since any compromise of a DMZ asset would result in any access rules automatically allowing access into the internal network. Typically, a published service would have an application layer filter applied, which would mitigate the leverage one could apply to such a compromise.

What are the group's thoughts on this? NAT is more difficult to manage given the “directional” aspects of the relationship, as well as the added overhead of publishing anything where the DMZ unit must initiate connections to the internal network. I just wondered what the rest of you guys/gals did.
T
____________________
Thor <thor@xxxxxxxxxxxxxxx>
www.hammerofgod.com
Think Carbon Footprint. Like mine on your ass if you print this, you wasteful bastard!
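The exchange above turns on what a compromised DMZ host can actually initiate toward the internal network under the two designs. The following is an added example, not code from the thread, from ISA Server, or from either poster: a small, vendor-neutral Python model of the firewall policy that enumerates that exposure. It assumes a simplified rule semantics (routed traffic is governed by ordinary directional access rules; under a NAT relationship from Internal to DMZ, DMZ-initiated traffic can only reach Internal through a publishing rule) and uses a constructed host inventory, so the host names, ports and rule names are illustrative only.

```python
"""
Constructed model (added example, not ISA Server code or anyone's post) of the
question in the thread: a route versus a NAT relationship between the Internal
network and the DMZ, and what a compromised DMZ host can then reach.
Hosts, ports and rule names below are made up for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

ALL_PORTS = frozenset({"*"})   # "any protocol" in an access rule


class Relationship(Enum):
    ROUTE = "route"  # both sides addressable; access rules may point either way
    NAT = "nat"      # Internal hidden behind the firewall from the DMZ's view;
                     # DMZ-initiated traffic to Internal needs a publishing rule


@dataclass(frozen=True)
class AccessRule:
    src: str              # source network, e.g. "DMZ"
    dst: str              # destination network, e.g. "Internal"
    ports: FrozenSet      # destination ports allowed, or ALL_PORTS


@dataclass(frozen=True)
class PublishingRule:
    listener_net: str            # network the listener faces, e.g. "DMZ"
    server: str                  # internal host being published
    port: int                    # single published port
    app_filter: Optional[str]    # e.g. "SMTP"; None means a plain port forward


@dataclass
class Policy:
    relationship: Relationship
    internal_hosts: Dict[str, Set[int]]      # host -> listening ports (inventory)
    access_rules: List[AccessRule] = field(default_factory=list)
    publishing_rules: List[PublishingRule] = field(default_factory=list)


def validate(policy: Policy) -> List[str]:
    """Flag rules that cannot do what the admin probably intended.

    Under NAT from Internal to DMZ a DMZ->Internal access rule is inert: DMZ
    hosts cannot address Internal, so the only way in is a publishing rule."""
    problems = []
    if policy.relationship is Relationship.NAT:
        for r in policy.access_rules:
            if r.src == "DMZ" and r.dst == "Internal":
                problems.append(
                    f"access rule DMZ->Internal ports={sorted(map(str, r.ports))} "
                    "has no effect under NAT; publish the service instead")
    return problems


def exposure_from_dmz(policy: Policy) -> Set[Tuple[str, int, Optional[str]]]:
    """Everything an attacker on a compromised DMZ host can connect to on
    Internal, as (host, port, application filter in the path or None)."""
    reach = set()
    if policy.relationship is Relationship.ROUTE:
        # Routed traffic is governed by ordinary access rules in both directions.
        for r in policy.access_rules:
            if r.src == "DMZ" and r.dst == "Internal":
                for host, ports in policy.internal_hosts.items():
                    for p in ports:
                        if "*" in r.ports or p in r.ports:
                            reach.add((host, p, None))   # raw access, no filter
    # Publishing rules work under both relationships and carry their filter.
    for pub in policy.publishing_rules:
        if pub.listener_net == "DMZ" and pub.port in policy.internal_hosts.get(pub.server, set()):
            reach.add((pub.server, pub.port, pub.app_filter))
    return reach


# Constructed inventory of the Internal network (hypothetical hosts).
INTERNAL = {"exchange": {25, 135, 445, 3389}, "dc01": {88, 389, 445}}


def route_with_blanket_rule() -> Policy:
    """Route relationship plus a lazy "DMZ -> Internal, all protocols" rule."""
    return Policy(Relationship.ROUTE, INTERNAL,
                  access_rules=[AccessRule("DMZ", "Internal", ALL_PORTS)])


def route_internal_to_dmz_only() -> Policy:
    """Route relationship with only the outbound Internal -> DMZ rule."""
    return Policy(Relationship.ROUTE, INTERNAL,
                  access_rules=[AccessRule("Internal", "DMZ", ALL_PORTS)])


def nat_with_smtp_publishing() -> Policy:
    """NAT from Internal to DMZ; Exchange reachable only via an SMTP publishing rule."""
    return Policy(Relationship.NAT, INTERNAL,
                  publishing_rules=[PublishingRule("DMZ", "exchange", 25, "SMTP")])


if __name__ == "__main__":
    for name, build in [("route + blanket rule", route_with_blanket_rule),
                        ("route, outbound rule only", route_internal_to_dmz_only),
                        ("nat + smtp publishing", nat_with_smtp_publishing)]:
        pol = build()
        print(name, sorted(exposure_from_dmz(pol), key=str), validate(pol))
```

Running it shows the three cases side by side: the routed policy with a blanket DMZ-to-Internal rule exposes every listening port on both internal hosts with no application filter in the path; the routed policy with only an Internal-to-DMZ rule exposes nothing, because a directional access rule does not imply the reverse; and the NAT policy exposes exactly the one published port, with the SMTP filter in front of it. The `validate` check catches the case where someone carries a DMZ-to-Internal access rule over to a NAT design and expects it to work.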