DMZ or NAT for web server


Not applicable

Hi there,

I'm looking for some insight on the best security design for several externally accessible web applications. We have several public IP addresses available and can simply do a 1:1 NAT for each web server, put it in a DMZ, or both. Each web server has an internal SQL database, to complicate things. From a best-security perspective, I'm not sure if a 1:1 NAT will work fine or if I should use a DMZ. I would still like to allocate 1 public IP address per web server.

thx


Accepted Solutions
L4 Transporter

Hello,

You can do both: since these are externally accessible servers, you can install them in a separate zone from your LAN and do static 1:1 NAT for public access to these servers. Then configure a policy to allow outside access to the web servers in the DMZ (if needed, restrict the allowed services for more security). The document suggested above is a good reference.

When you mention each server has an internal SQL database, do they have to access an internal production database on your LAN? However, you should be able to configure security policies accordingly for the servers to talk between zones.

Hope that helps!

Thanks,

Aditi


All Replies
L5 Sessionator

You can have your servers in the DMZ zone and then do a 1:1 DNAT for your servers. Something similar to the example given on page 15 of this doc: https://live.paloaltonetworks.com/docs/DOC-1517

L5 Sessionator

Hi,

In my mind, the best security thing should be:

- Using a DMZ
- Using a reverse proxy in the DMZ
- Installing your server in another zone

Concerning NAT, 1:1 NAT is OK.

Then allow access from outside to your DMZ. Then open access from the DMZ to your web server.

V.


Not applicable

Basically, they are 3rd-party applications with web interfaces. Currently, everything is on the LAN (web server and SQL server), but I'm implementing a new PA-3020 and may utilize a DMZ for the web server and keep the SQL box on the LAN and, like you say, just have the DMZ zone and trust zone communicate. Thanks for the reply, I'm going to have a look at that document now.
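As an added illustration of the design settled on in this thread (web server in a DMZ zone, 1:1 static NAT from a public IP, SQL server kept on the LAN, DMZ allowed to talk to trust only for the database), here is what the zones, NAT rule and security rules look like in PAN-OS set-command form. This is not configuration from the thread or from the linked document; the zone and interface names, the documentation-range addresses and the choice of Microsoft SQL Server (App-ID mssql-db) are assumptions, and the lines starting with # are explanatory comments, not CLI syntax.

```text
# Zones (interface assignments are assumed for this example)
set zone untrust network layer3 ethernet1/1
set zone dmz network layer3 ethernet1/2
set zone trust network layer3 ethernet1/3

# Address objects (constructed documentation-range addresses)
set address web1-public ip-netmask 203.0.113.10
set address web1-dmz ip-netmask 10.10.10.10
set address sql1-lan ip-netmask 192.168.1.20

# 1:1 static NAT: public IP -> DMZ web server.
# NAT rules match on pre-NAT zones; the public IP is routed to the untrust
# interface, so the destination zone of the NAT rule is also untrust.
set rulebase nat rules web1-dnat from untrust to untrust source any destination web1-public service any destination-translation translated-address web1-dmz
set rulebase nat rules web1-dnat to-interface ethernet1/1

# Internet -> DMZ: only the web applications, only to this host.
# Security policy matches the post-NAT zone (dmz) but the pre-NAT
# destination address (web1-public); writing web1-dmz here would never match.
set rulebase security rules allow-web1-inbound from untrust to dmz source any destination web1-public application [ web-browsing ssl ] service application-default action allow

# DMZ -> LAN: only this web server, only to its database, only SQL.
# There is no untrust -> trust rule, so the database is never reachable
# from the Internet; a compromised web server can reach one host on one service.
set rulebase security rules web1-to-sql from dmz to trust source web1-dmz destination sql1-lan application mssql-db service application-default action allow
```

Each additional web server gets its own public address object, NAT rule and pair of security rules on the same pattern, which keeps the reachability of every host reviewable in the rulebase.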
