a two NIC server

    Question

  • If we have a domain-joined server running an application that people need to access from the Internet, is it better to NAT directly to a single internal IP address, or have two IPs (two NICs), one in our DMZ (our DMZ is firewalled, but less restrictive) and one internal, and then NAT to the IP in our DMZ instead? I can give more details, but I am hoping someone has used a product "like" MobilEcho (not going to use a reverse proxy, long story). Really what I want to know is which scenario is more secure... or does it not matter?

    Thursday, March 07, 2013 2:10 AM

Answers

  • In reality, I run plenty of servers that are web facing.  Limit access in the firewall, patch your server and have REALLY good passwords.  With only two NICs it really comes down to which item you are more concerned about:

    1) Traffic filtering and security from hackers (2 NICs - 1 in the DMZ and 1 in the domain network). However, if this DOES get compromised, now they have access to your internal network.

    2) Fault-tolerance of the NICs (Teamed NICs and the 1 NIC scenario completely in the DMZ)

    3) Simplicity of the setup and troubleshooting (1 NIC and completely in the DMZ)


    C Shane Cribbs
    http://www.georgiatechnologies.com

    Thursday, March 07, 2013 8:58 PM
  • In theory using two NICs and IPs would provide you the ability to be more secure, because you will have multiple firewalls with more restrictions protecting the DMZ NIC and can allow more administration through the internal NIC.  However, there are some settings that have to be configured to make a multi-homed server route traffic correctly.  It will depend on the service you are providing on the DMZ.  If you configure it incorrectly, it will be less secure.  SO, two NICs more secure in theory but more work.  One NIC, simple and theoretically slightly less secure.


    C Shane Cribbs
    http://www.georgiatechnologies.com

    Thursday, March 07, 2013 2:53 PM

All replies

  • I do not agree. I do not see how the dual NIC design is more or less secure.  With regard to security, you have to consider complexity.  Sometimes, a more complex design is less secure because of the overhead it adds in ensuring that the additional layers are configured and working correctly.  

    I think you have more control with a single NIC design, thus leading to better security.


    IT Knowledge Base | itgeared.com |

    Thursday, March 07, 2013 3:43 PM
  • I agree complexity is increased.  I also mentioned your point in my post, that if you don't do it right, it will actually be less secure.  However, if done correctly:

    1. The DMZ NIC will only have TCP/IP enabled, not Microsoft Client or File and Printing or any of those unnecessary protocols.
    2. The DMZ NIC will be protected by the perimeter firewall.  This is not really different than the single NIC model, however.
    3. The DMZ NIC will have a host based firewall, like the Windows Firewall, which can be secured to a very SMALL number of ports/services.
    4. The internal NIC can be used for internal administration and will NOT be accessible in any way by the outside world.


    C Shane Cribbs
    http://www.georgiatechnologies.com

    Thursday, March 07, 2013 3:52 PM
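The multi-homing points raised in Shane's two posts above (one correct routing setup, TCP/IP only on the DMZ NIC, a host firewall limited to a very small number of ports, internal NIC reachable only from inside) can be applied from PowerShell on Windows Server 2012 or later. This is an added example, not a script from anyone in this thread; the adapter names "DMZ" and "Internal", the application port 443, and the 10.10.0.0/16 internal network with gateway 10.10.1.1 are assumed placeholders.

```powershell
# Added example (not from any poster in this thread): hardening the DMZ-facing NIC of a
# multi-homed, domain-joined Windows Server. Assumed placeholder values: adapters named
# "DMZ" and "Internal", the published application on TCP 443, internal network
# 10.10.0.0/16 reachable via 10.10.1.1. Run in an elevated PowerShell session.

$dmzNic      = 'DMZ'
$internalNic = 'Internal'
$appPort     = 443
$internalNet = '10.10.0.0/16'
$internalGw  = '10.10.1.1'

# 1. Leave only TCP/IP bound on the DMZ NIC: unbind Client for Microsoft Networks and
#    File and Printer Sharing so SMB is not offered on the Internet-facing interface.
Disable-NetAdapterBinding -Name $dmzNic -ComponentID 'ms_msclient', 'ms_server'

# Do not register the DMZ address in AD-integrated DNS; otherwise internal clients may
# resolve this host to its DMZ IP, which is a classic multi-homing mistake.
Set-DnsClient -InterfaceAlias $dmzNic -RegisterThisConnectionsAddress $false

# 2. Routing: exactly one default gateway (on the DMZ NIC) and only a specific route for
#    the internal address space on the internal NIC. Two default gateways are the usual
#    reason a multi-homed server sends replies out of the wrong interface.
Remove-NetRoute -InterfaceAlias $internalNic -DestinationPrefix '0.0.0.0/0' `
    -Confirm:$false -ErrorAction SilentlyContinue
New-NetRoute -InterfaceAlias $internalNic -DestinationPrefix $internalNet -NextHop $internalGw

# 3. Host firewall: block inbound by default on every profile, then allow inbound on the
#    DMZ interface only for the application port. The rule is scoped by interface, so
#    management ports (RDP, WinRM, SMB) stay reachable only via the internal NIC.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
New-NetFirewallRule -DisplayName "DMZ app inbound TCP $appPort" -Direction Inbound `
    -InterfaceAlias $dmzNic -Protocol TCP -LocalPort $appPort -Action Allow

# 4. Verify: which interface carries the default route, and which inbound allow rules are
#    scoped to the DMZ NIC. Anything unexpected here is the "configured incorrectly" case.
Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Select-Object InterfaceAlias, NextHop
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { ($_ | Get-NetFirewallInterfaceFilter).InterfaceAlias -contains $dmzNic } |
    Select-Object DisplayName, Profile
```

Note that the perimeter firewall still has to restrict the DMZ address to the same port, and none of this changes Shane's point 1: a compromised DMZ-facing process on a domain-joined host still sits on the internal NIC.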
  • Honestly, using a two NIC scenario with the DMZ is indeed probably more secure - if only slightly. I agree with Shane on that point. I also agree that it does create more work when your server is multi-homed. I have used multi-homed servers without much hassle in the past however, and find that you can get away with it in many circumstances.

    With all that being said... If it were me, I'd team the two NICs for fail-over and use a single IP scenario. I believe protecting the NIC from failure is more important than a slightly more secure connection in this case - but that's just me. Maybe you have security requirements you need to adhere to, security audits to go through, etc. I have worked with a lot of single IP NAT to servers and staying on top of updates generally mitigates lots of risks. Of course, the other factor is in how advanced your firewall is. For example, you may be able to filter out certain types of traffic coming through that are seen as increased security risks, regardless of NAT.

    I don't know that there is a right or wrong answer here as I believe it depends on your specific situation. Just my two cents. Good luck!


    John :: MCTS, Network+ :: May your bits always flow impartially

    Thursday, March 07, 2013 6:37 PM
  • I believe it's equal: if someone gets access to this machine, it still has access to the internal network in both cases. I would suggest only having it in the DMZ in that case. If it were me, I would most likely just place it on the internal network directly if it's a machine that needs/should be domain joined.

    --
    Goran Johansson
    http://gjohansson.com/blog

    Thursday, March 07, 2013 6:42 PM
  • I am beginning to think that it would depend on the type of threat (ex. tftp, rdp, etc.), but if each scenario was at its best, which scenario wins? If each were at its worst, which scenario wins? Are there specific examples? There is something about allowing an application that must be installed on a domain-joined server that makes me nervous. If the second NIC in the DMZ did some sort of "masking", I would be all for it (all things being equal).

    Otherwise, I would settle with which scenario is "technically" better. I really appreciate your replies.

    Thursday, March 07, 2013 8:49 PM