DMZ or NAT for web server

Hi there,

I'm looking for some insight on the best security design for several externally accessible web applications. We have several public IP addresses available and can simply do a 1:1 NAT for each web server, put it in a DMZ, or both. Each web server has an internal SQL database to complicate things. From a best security perspective I'm not sure if a 1:1 NAT will work fine or if I should use a DMZ. I would still like to allocate 1 public IP address per web server.

thx

1 accepted solution

Accepted Solutions

L4 Transporter

Hello,

You can do both, since these are externally accessible servers you can install them in a separate zone from your LAN and do static 1:1 NAT for public access to these servers. Then configure a policy to allow outside access to the web servers on the DMZ (if needed restrict the services allowed for more security). The document suggested above is a good reference.

When you mention each server has an internal SQL database, do they have to access the internal production database on your LAN? However, you should be able to configure security policies accordingly for the servers to talk between zones.


Hope that helps!


Thanks,

Aditi

4 REPLIES

L5 Sessionator

You can have your servers in the DMZ zone and then do a 1:1 DNAT for your servers. Something similar to the example given on page 15 of this doc: https://live.paloaltonetworks.com/docs/DOC-1517

L5 Sessionator

Hi,

In my mind, the best security thing should be:

- Using DMZ
- Using reverse proxy in DMZ
- Install your server in another zone

Concerning NAT, 1:1 NAT is OK.

Then allow access from outside to your DMZ. Then open access from the DMZ to your web server.

V.

Basically, they are 3rd party applications with web interfaces. Currently, everything is on the LAN (web server and SQL server) but I'm implementing a new PA-3020 and may utilize a DMZ for the web server and keep the SQL box on the LAN, and like you say, just have the DMZ zone and trust zone communicate. Thanks for the reply, I'm going to have a look at that document now.
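The layout the thread converges on (web front ends in a DMZ zone behind static 1:1 NAT, the SQL box kept on the trust/LAN zone, and policy that only lets the DMZ reach the SQL port) can be checked mechanically before it is committed. The following is an added example, not code from the thread or from PAN-OS: zone names, addresses, ports and the rule model are constructed, and the rules are a generic representation rather than real firewall configuration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    dest: str           # destination address or "any"
    ports: frozenset    # TCP ports, or {"any"}
    action: str         # "allow" or "deny"

# Constructed values: public IP -> DMZ host for the static 1:1 NAT, and the
# zone each private host lives in. 10.2.0.5 is the SQL box left on the LAN.
NAT_1TO1 = {"203.0.113.10": "10.1.1.10", "203.0.113.11": "10.1.1.11"}
ZONE_OF = {"10.1.1.10": "dmz", "10.1.1.11": "dmz", "10.2.0.5": "trust"}
WEB_PORTS = frozenset({80, 443})
SQL_PORT = 1433

def check_design(rules, nat, zone_of):
    """Return findings where the policy departs from the intended design;
    an empty list means the rule set matches it."""
    findings = []
    for public, private in nat.items():           # every NAT target must be in the DMZ
        if zone_of.get(private) != "dmz":
            findings.append(f"NAT {public}->{private}: target host is not in dmz")
    for r in rules:
        if r.action != "allow":
            continue
        if (r.from_zone, r.to_zone) == ("untrust", "trust"):
            findings.append(f"{r.name}: untrust reaches trust directly")
        elif (r.from_zone, r.to_zone) == ("untrust", "dmz") and not r.ports <= WEB_PORTS:
            findings.append(f"{r.name}: untrust->dmz allows more than web ports")
        elif (r.from_zone, r.to_zone) == ("dmz", "trust"):
            if r.dest == "any" or r.ports != frozenset({SQL_PORT}):
                findings.append(f"{r.name}: dmz->trust not limited to the SQL server on {SQL_PORT}")
    return findings

# The intended rule set: web in from outside, DMZ out only to the SQL port.
GOOD_RULES = [
    Rule("web-in", "untrust", "dmz", "10.1.1.10", WEB_PORTS, "allow"),
    Rule("dmz-to-sql", "dmz", "trust", "10.2.0.5", frozenset({SQL_PORT}), "allow"),
]
# A loose rule set that a policy review should flag (three findings).
LOOSE_RULES = [
    Rule("web-in-any", "untrust", "dmz", "any", frozenset({"any"}), "allow"),
    Rule("dmz-open", "dmz", "trust", "any", frozenset({"any"}), "allow"),
    Rule("lan-shortcut", "untrust", "trust", "10.2.0.5", frozenset({SQL_PORT}), "allow"),
]
```

`check_design(GOOD_RULES, NAT_1TO1, ZONE_OF)` returns an empty list, while the loose set yields three findings; a NAT entry whose private host is not in the DMZ zone is reported separately.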
