Hello, this is my first post to this forum so don't flame me.
I work for a small service provider. I have not worked for one before, so I have no experience in this area.
At present our web servers use private IP addresses; incoming connections from the Internet are either NATed by the firewall directly to the web server, or the public IP address is on a load balancer which then passes the connection to the private IP address of the load-balanced web servers.
I only allow through the firewall the services I want to be able to reach the web servers, e.g. HTTP, HTTPS. This works well.
I will get to my question: do you as a service provider use public IP addresses on your web servers, or do you also NAT and LB to private IPs?
NAT is as far as I am concerned used to expand address space and provides little in the way of security. It is also the most CPU and memory intensive task a firewall can do, which is why I am considering not NATing any more.
Having read some M$ documentation meant for service providers, it is not clear if they recommend NAT or using public IPs. M$ do recommend a front net / back net approach, e.g. Internet-sourced connections are passed by firewalls / load balancers to the front net. All DB connections and remote management are made over the back net, separating external traffic from internal traffic.
How do you do it (so to speak): public IPs on web servers, or private IPs with NAT and LBing?
We are not providers ourselves, but we are cooperating with the hosting industry. Since you are a small hosting company, I guess you can do as follows:
First of all, you do not need NAT and private IP addresses unless you are lacking IP addresses. You can achieve the same effect if you have the firewall in front of your servers. Configure your firewall to pass only the required traffic (usually incoming HTTP, HTTPS, SSH, FTP, POP3, IMAP, SMTP, etc., and all outgoing).
Second, if you need to have internal communications between your servers (e.g. for backup), you will install two network cards on each of your servers, one with the external and one with the internal IP address (back net, like you have said and as M$ recommended).
But the third, and the most important thing, is not to change your working configuration if you do not need to. If you are not having problems (current and potential) with it, you do not have to change anything.
This post is given on “as is” basis with no warranties whatsoever. Troxo disclaims any liability in connection with this post.
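As an added illustration of the two posts above (not code from either poster), here is a small model of the design the thread converges on: public IPs on the web servers, a default-deny filter in front of them that passes only HTTP/HTTPS from the Internet, and a second NIC per server on a private back net that carries DB and management traffic. The addresses (203.0.113.0/24 front net, 10.10.0.0/24 back net), the interface names `ext`/`front`/`back`, and the DB port 5432 are constructed assumptions. The `evaluate` function shows that what keeps the DB and SSH unreachable from the Internet is the filter policy, not whether the address is private; `to_nftables` renders the same policy as an nftables forward chain so the rules can be compared with a real ruleset.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Constructed addressing (documentation and RFC 1918 ranges), assumed for this example.
FRONT_NET = IPv4Network("203.0.113.0/24")   # public IPs, Internet facing
BACK_NET = IPv4Network("10.10.0.0/24")      # private back net: DB + management
WEB_FRONT = [IPv4Network("203.0.113.10/32"), IPv4Network("203.0.113.11/32")]
WEB_BACK = [IPv4Network("10.10.0.10/32"), IPv4Network("10.10.0.11/32")]  # 2nd NIC
DB_BACK = [IPv4Network("10.10.0.50/32")]
ADMIN_BACK = [IPv4Network("10.10.0.5/32")]
ANY = [IPv4Network("0.0.0.0/0")]
DB_PORT = 5432  # assumed DB listener port


@dataclass
class Rule:
    name: str
    iif: str            # interface the packet arrives on: ext / front / back (assumed names)
    src: list           # list of IPv4Network
    dst: list
    proto: str          # "tcp", "udp" or "any"
    dports: frozenset   # empty = any destination port
    verdict: str        # "accept" or "drop"


@dataclass(frozen=True)
class Flow:
    iif: str
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int


# First match wins; anything unmatched hits the default drop.
POLICY = [
    Rule("web-from-internet", "ext", ANY, WEB_FRONT, "tcp", frozenset({80, 443}), "accept"),
    Rule("web-outbound", "front", WEB_FRONT, ANY, "any", frozenset(), "accept"),
    Rule("web-to-db", "back", WEB_BACK, DB_BACK, "tcp", frozenset({DB_PORT}), "accept"),
    Rule("admin-ssh", "back", ADMIN_BACK, [BACK_NET], "tcp", frozenset({22}), "accept"),
]
DEFAULT = "drop"


def _in_scope(addr, scope):
    return any(addr in net for net in scope)


def evaluate(flow, policy=POLICY):
    """Return (verdict, rule name) for the first matching rule, else the default drop.
    Only new connections are modelled; a real firewall also accepts established
    return traffic via its connection tracker."""
    for r in policy:
        if r.iif != flow.iif:
            continue
        if not _in_scope(flow.src, r.src) or not _in_scope(flow.dst, r.dst):
            continue
        if r.proto != "any" and r.proto != flow.proto:
            continue
        if r.dports and flow.dport not in r.dports:
            continue
        return r.verdict, r.name
    return DEFAULT, "default"


def check(iif, src, dst, proto, dport):
    """Convenience wrapper: verdict string for a new connection described by plain values."""
    return evaluate(Flow(iif, IPv4Address(src), IPv4Address(dst), proto, dport))[0]


def _set(nets):
    return "{ " + ", ".join(str(n.network_address) if n.prefixlen == 32 else str(n) for n in nets) + " }"


def to_nftables(policy=POLICY):
    """Render the policy as an nftables forward chain with a drop default."""
    lines = ["table inet filter {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for r in policy:
        parts = [f'iifname "{r.iif}"']
        if r.src != ANY:
            parts.append("ip saddr " + _set(r.src))
        if r.dst != ANY:
            parts.append("ip daddr " + _set(r.dst))
        if r.dports:
            parts.append(f"{r.proto} dport {{ {', '.join(str(p) for p in sorted(r.dports))} }}")
        elif r.proto != "any":
            parts.append(f"meta l4proto {r.proto}")
        parts.append(f'{r.verdict} comment "{r.name}"')
        lines.append("    " + " ".join(parts))
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for args in [("ext", "198.51.100.7", "203.0.113.10", "tcp", 443),
                 ("ext", "198.51.100.7", "203.0.113.10", "tcp", 22),
                 ("ext", "198.51.100.7", "10.10.0.50", "tcp", DB_PORT),
                 ("back", "10.10.0.10", "10.10.0.50", "tcp", DB_PORT)]:
        print(args, "->", check(*args))
    print(to_nftables())
```

The model makes the thread's point concrete: with the same policy the web servers could be renumbered onto private addresses behind NAT or left on public ones, and the Internet still reaches only ports 80 and 443 on them; the DB and SSH are reachable only across the back net because no rule on `ext` allows them, so NAT buys no extra protection here, only the firewall CPU cost the first poster mentions.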