DMZs: NATing vs. Using Public Addresses


Here’s a snip from a forum question that I’m getting ready to write a little piece on. My response is crude, but my next version of the response will be more intelligent.

With private addresses you have an extra step that must actively be carried out. If you don’t do the NAT’ing it then by default nothing will make it to those hosts to the Internet.

In other words, with routable addresses, the default configuration takes Internet traffic to your DMZ hosts, whereas with NAT’ing there’s an extra piece that’s needed.

Think of it as two layers — knowing where to send Internet traffic, and determining whether it’s allowed or not. Well, with routable addresses any request to a port on a DMZ host knows where to go — right to the host. But if you use granular NAT rules you won’t have that. You can say, for example:

external1:80 –> internal1:80

Notice how specific that is. A connection to port 110 on external1 won’t take the traffic anywhere inside. 🙂 With routable addresses, that traffic goes inside by default and it’s up to filtering to stop it.

I prefer it the other way, where you have to explicitly allow specific host:port translations. Perhaps he has a good point about the complexity not being worth it, though — it’s up to you guys to quantify the cost vs. benefit of doing this.

But to answer your question — yes, there is a benefit security-wise, but it’s mostly based on countering human weakness, i.e. poor configuration. You can attain the same security level using filtering; it’s just that that many don’t.

You guys have anything to add as far as benefits of using NAT vs. public IPs?

Related posts: