Why would you want to use NAT on DMZ devices?
If you are running NT and you stop the firewall services (or they crash, for instance), then it will route all packets to those DMZ servers regardless of rulebase etc. (Obviously, the FW-1 service is not controlling packets and the OS is acting as a dumb router.) If you NAT the DMZ legs, then in the case of your firewall services failing they will not be vulnerable.
I haven't really seen any performance problems at all. FW-1 seems amazingly efficient for what it does.
Speed. Firewall load. Latency. NAT modifies every packet involved in the rule, and thus adds latency. If you are running 100 Mb or higher, you probably don't want to use NAT.
HTH, CryptoTech
Brian Burns wrote:
I am doing a redesign of our existing network and have been asked to use private addressing with NAT. I am not pro/against it - but I have always used valid addresses on my DMZ servers. So... why would one want to use NAT on your DMZ devices? Comments? Brian