[isalist] Re: DMZ Route vs NAT

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 31 Dec 2009 10:38:09 -0800

Which is what I meant by "any access rule allowing access" :)



On Dec 31, 2009, at 10:14 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> wrote:

“A route would be less secure since any compromise of a DMZ asset would result 
in any access rules automatically allowing access into the internal network”

Only if you create rules that allow it. Just because it’s set to route doesn’t 
create a carte blanche access rule.

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Thursday, December 31, 2009 11:59 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] DMZ Route vs NAT

So, Steve and I were discussing network topologies the other day as we often 
do, and we were talking about the network relationship between the internal 
network and one’s DMZ perimeter in regard to “best practices” and security.

I always like to set up a NAT relationship from the internal network to the DMZ 
perimeter and set publishing rules from the DMZ to internal if necessary, i.e. 
SMTP publishing.  I’ll publish SMTP from the Internet to the DMZ edge, process 
mail, and then publish from the DMZ to the Internal Exchange box.

However, I think most people use a “route” for ease of management.  A route 
would be less secure since any compromise of a DMZ asset would result in any 
access rules automatically allowing access into the internal network.  
Typically, a published service would have an application layer filter applied 
which would mitigate the leverage one could apply to such a compromise.

What are the group thoughts on this?  NAT is more difficult to manage given the 
“directional” aspects of the relationship as well as the added overhead of 
publishing anything where the DMZ unit must initiate connections to the 
internal network.

I just wondered what the rest of you guys/gals did.

T

____________________
Thor
thor@xxxxxxxxxxxxxxx
www.hammerofgod.com

Think Carbon Footprint.  Like mine on your ass if you print 
this you wasteful bastard!