
RE: [FW1] Opinon Requested - to NAT or not to NAT DMZ Addresses



Why would you want to use NAT on DMZ devices?
If you are running NT and you stop the firewall services (or they crash, for instance),
then it will route all packets to those DMZ servers regardless of rulebase etc.
(Obviously, the FW-1 service is not controlling packets and the OS is acting as a
dumb router.)
 
If you NAT the DMZ legs, then in the case of your firewall services failing they
will not be vulnerable.
 
I haven't really seen any performance problems at all.
FW-1 seems amazingly efficient for what it does.
-----Original Message-----
From: [email protected] [mailto:[email protected]]On Behalf Of CryptoTech
Sent: Saturday, November 11, 2000 9:20 AM
To: Brian Burns
Cc: [email protected]
Subject: Re: [FW1] Opinon Requested - to NAT or not to NAT DMZ Addresses

Speed.  Firewall load.  Latency.  NAT modifies every packet involved in the rule, and thus adds latency.  If you are running 100mb or higher, you probably don't want to use NAT.

HTH,
CryptoTech

Brian Burns wrote:

I am doing a redesign of our existing network and have been asked to use private addressing with NAT. I am not pro/against it - but I have always used valid addresses on my DMZ servers. So... why would one want to use NAT on your DMZ devices? Comments?

Brian


 