Stupid question about assigning an internal ip vs external ip to web server

 
 
extremesanity
      12-20-2006, 05:50 PM
I have a web server that was set up by a guy before that is currently
assigned a private ip. An iptables firewall uses NAT to translate from
the public ip address.

My belief is that the most logical setup is to add a NIC to the iptables
machine and set up a DMZ with the web server having the public ip
address.

Other than isolating the machine with a DMZ, are there any
advantages/disadvantages in terms of security and usability for
external/internal users of using a Public vs Private IP on a web server?

 
Davide Bianchi
      12-20-2006, 05:52 PM
On 2006-12-20, extremesanity <(E-Mail Removed)> wrote:
> My belief is that the most logical setup is to add a NIC to the iptables
> machine and set up a DMZ with the web server having the public ip
> address.


That could be, but you still need to use NAT to translate the
public IP into the private IP of the DMZ.

> external/internal users of using a Public vs Private IP on a web server?


If you have the machine in a DMZ it's outside the 'normal' internet so
it's supposed to be in a separate space of the office and it becomes
less accessible (physically). For the rest, since both systems use
NAT, it mostly depends on what you want from the machine.

Davide

--
"I'm sorry, I can't be a Jehovah's Witness, as I didn't see Jehovah's
accident."
-- Chris Suslowicz
 
hammdev1
      12-21-2006, 03:20 AM

extremesanity wrote:
> I have a web server that was set up by a guy before that is currently
> assigned a private ip. An iptables firewall uses NAT to translate from
> the public ip address.
>
> My belief is that the most logical setup is to add a NIC to the iptables
> machine and set up a DMZ with the web server having the public ip
> address.
>
> Other than isolating the machine with a DMZ, are there any
> advantages/disadvantages in terms of security and usability for
> external/internal users of using a Public vs Private IP on a web server?


In the context of simple NAT routers, these terms both refer to a
private address to which all unsolicited traffic will be passed. This
means that the protection of NAT is removed from that computer and
external hosts can initiate conversations with it (on any port). This
definition of 'DMZ' conflicts with the more general definition as a
section of a network between exterior and interior firewalls where
publicly accessible servers are usually placed. A 'real' DMZ provides
separation of the servers placed within it and the private network; a
'NAT box DMZ' does not.

This feature is present in almost all NAT devices and is used where
inbound connections to a range of ports are required and it is
impractical or impossible to accommodate them via port mappings. Note
that address translation still takes place and so this feature is not a
solution to NAT incompatibilities.

 
Robert
      12-21-2006, 10:21 PM
On Wed, 20 Dec 2006 10:50:46 -0800, extremesanity wrote:

> I have a web server that was set up by a guy before that is currently
> assigned a private ip. An iptables firewall uses NAT to translate from
> the public ip address.
>
> My belief is that the most logical setup is to add a NIC to the iptables
> machine and set up a DMZ with the web server having the public ip
> address.


If I had a server that was being accessed from the Internet then I would
go with a DMZ setup. Simple reason being if the machine becomes
compromised the rest of your network is still protected.

There is no reason to NAT a machine that is in your DMZ as others have
said provided you have more than one public ip address (1 for the
firewall interface to the internet and one for the DMZ server). You can
run a public ip address in the DMZ. The firewall will know how to direct
the packet as long as it is configured correctly.

> Other than isolating the machine with a DMZ, are there any
> advantages/disadvantages in terms of security and usability for
> external/internal users of using a Public vs Private IP on a web server?


Advantage would be that should the box become compromised you can limit
what or how much damage it can do. For example I would never allow NEW
connections to come out of the DMZ. This way there is nothing the attacker
can do with the box except destroy your data on it.

Your users should see no difference in performance when it is moved to
the DMZ.

Disadvantages none.


--

Regards
Robert

Smile... it increases your face value!
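
The two designs discussed in this thread (DNAT to a private DMZ address, or a routed public address on the DMZ server) can share the same isolation policy, including the "no NEW connections out of the DMZ" rule. The sketch below is an added example, not code from any poster; interface names, addresses and the `dmz_ruleset` function are assumptions.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for a three-legged firewall.
# Interface names and addresses are assumed placeholders (documentation ranges).
WAN_IF=eth0; LAN_IF=eth1; DMZ_IF=eth2   # eth2 = the NIC added for the DMZ
FW_PUBLIC=203.0.113.2       # firewall's own public address
WEB_PUBLIC=203.0.113.10     # second public address, used in "routed" mode
WEB_PRIVATE=192.168.50.10   # private DMZ address, used in "nat" mode

# dmz_ruleset nat|routed
#   nat    : server keeps a private address, firewall DNATs the public one
#   routed : server holds WEB_PUBLIC itself; assumes it is routed via DMZ_IF
dmz_ruleset() {
    case $1 in
        nat)    web=$WEB_PRIVATE ;;
        routed) web=$WEB_PUBLIC ;;
        *)      echo "usage: dmz_ruleset nat|routed" >&2; return 2 ;;
    esac
    if [ "$1" = nat ]; then
        # The only difference between the two designs: one DNAT rule.
        cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -d $FW_PUBLIC -p tcp -m multiport --dports 80,443 -j DNAT --to-destination $web
COMMIT
EOF
    fi
    # Filter table: same isolation policy in both modes.
    # Management access to the firewall itself and LAN source NAT are omitted.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -o $DMZ_IF -d $web -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $DMZ_IF -d $web -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $DMZ_IF -m conntrack --ctstate NEW -j LOG --log-prefix "DMZ-NEW-OUT: "
-A FORWARD -i $DMZ_IF -m conntrack --ctstate NEW -j DROP
COMMIT
EOF
}

# Print the requested variant when run as a script, e.g.: sh dmz.sh routed
if [ $# -gt 0 ]; then dmz_ruleset "$1"; fi
```

Review the printed rules before loading them with `iptables-restore`; the `DMZ-NEW-OUT: ` log prefix gives a single string to alert on if the web server ever tries to open a connection of its own.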

