DMZ vs. Isolated LAN vs. different public IP for Web Services

Hello everyone,

I have some servers with open ports on WAN because of several web services running: web servers, FTP, data acquisition MQTT and others.

Can I please have your opinion and suggestions on how to handle this in relation to protecting all other network resources that do not need to be exposed? So I'm considering a DMZ, isolated LANs and a different public IP without open ports, or a combination of those.

So the scenarios are the following:

  1. First firewall doing port forward or 1:1 NAT to servers for web services. Then another firewall to the same LAN (or another LAN) taking care of the protected network behind the first firewall (classic DMZ topology using 2 firewalls).

  2. First firewall doing port forward or 1:1 NAT to servers for web services on LAN1, and completely isolate all other network resources on LAN2 without traffic between them, or with controlled traffic through firewall rules (isolated LANs topology).

  3. Use a different public IP for LAN2 with no open ports.

  4. Combination of 1 & 2.

Thanks for any comments.

I would create a separate isolated network for the servers and only port forward the needed ports for the services you want to run to each server.

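The "isolated server network plus forward only the needed ports" design suggested in the reply (scenario 2 in the question) can be written down as an ordered, default-deny zone policy and checked before it is typed into any firewall. The following is an added example, not code from the thread or from any firewall product: a small first-match policy model with constructed zone names, addresses (RFC 5737 / RFC 1918 ranges) and service ports. It evaluates sample new connections and also enumerates exactly which (host, port) pairs the WAN can reach, which is the whole exposed surface of the design.

```python
# Added example (not from the thread): first-match policy model for the
# "isolated LAN + forward only the needed ports" design. Zone names,
# addresses and ports are constructed for illustration.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """A new connection attempt as the firewall sees it.
    Reply traffic is assumed to be handled by connection tracking and is not modelled."""
    src_zone: str   # "wan", "dmz" (exposed servers) or "lan" (protected resources)
    dst_zone: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str                              # "accept" or "drop"
    dst_ports: FrozenSet[int] = frozenset()  # empty set = any port
    dst_ip: Optional[str] = None             # None = any host in dst_zone

    def matches(self, flow: Flow) -> bool:
        return (
            flow.src_zone == self.src_zone
            and flow.dst_zone == self.dst_zone
            and (not self.dst_ports or flow.dst_port in self.dst_ports)
            and (self.dst_ip is None or flow.dst_ip == self.dst_ip)
        )


# Ordered rule list: the first matching rule decides, otherwise DEFAULT_ACTION applies.
POLICY: List[Rule] = [
    # WAN -> DMZ: one forward per service, pinned to the host that actually runs it
    Rule("wan", "dmz", "accept", frozenset({80, 443}), dst_ip="192.0.2.10"),  # web server
    Rule("wan", "dmz", "accept", frozenset({8883}), dst_ip="192.0.2.20"),     # MQTT over TLS
    # DMZ -> LAN: exposed servers may never initiate connections toward protected resources
    Rule("dmz", "lan", "drop"),
    # LAN -> DMZ and LAN -> WAN: the protected side may reach out; replies return via state
    Rule("lan", "dmz", "accept"),
    Rule("lan", "wan", "accept"),
]
DEFAULT_ACTION = "drop"  # anything not listed, including WAN -> LAN, is dropped


def evaluate(flow: Flow) -> str:
    """Return the action the policy takes for a new connection."""
    for rule in POLICY:
        if rule.matches(flow):
            return rule.action
    return DEFAULT_ACTION


def exposed_from_wan() -> List[Tuple[str, int]]:
    """List every (host, port) pair reachable from WAN: the design's exposed surface."""
    pairs = set()
    for rule in POLICY:
        if rule.src_zone == "wan" and rule.action == "accept" and rule.dst_ip and rule.dst_ports:
            pairs.update((rule.dst_ip, port) for port in rule.dst_ports)
    return sorted(pairs)


if __name__ == "__main__":
    samples = [
        Flow("wan", "dmz", "192.0.2.10", 443),  # public web: accept
        Flow("wan", "dmz", "192.0.2.10", 22),   # SSH on the web host was never forwarded: drop
        Flow("dmz", "lan", "10.0.20.5", 445),   # DMZ server initiating toward a LAN host: drop
        Flow("lan", "dmz", "192.0.2.10", 22),   # admin from the protected LAN: accept
        Flow("wan", "lan", "10.0.20.5", 443),   # no path from WAN to LAN at all: drop
    ]
    for f in samples:
        print(f"{f.src_zone}->{f.dst_zone} {f.dst_ip}:{f.dst_port} => {evaluate(f)}")
    print("exposed from WAN:", exposed_from_wan())
```

Pinning each forward to a destination host matters: a forward of port 443 to the whole DMZ zone would also expose the MQTT broker's HTTPS management page if it had one. The `exposed_from_wan()` list is the thing to compare against the services you intend to publish whenever the rule set changes.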

Thanks a lot for your comment!