RE: [FW1] Why should the firewall be the NAT boundery?
Well. There is no 100% convincing answer, so I'll give you the arguments I always use.

First, the firewall is the logical edge point of your network, i.e. the transition point between your private and public networks (including your DMZ).

Second, from a security standpoint, you are probably better off doing the NAT at the firewall or the filtering router behind it, rather than the screening router in front of your firewall. Routers are easy to hack, and having your networks mapped by the NAT rules makes the hacker's recon mission a walk in the park.

Third, I think NAT requires process switching, and the firewall server will handle that better than the router, because it usually has a better processor and much more memory.

Finally, from a support perspective, troubleshooting becomes easier and the firewall admin becomes the central point of escalation for connectivity problems (a simpler support model makes managers happy) ;-)

George

-----Original Message-----
From: Harjot Sekhon [mailto:[email protected]]
Sent: Friday, May 04, 2001 10:36 AM
To: 'Paul Murphy'; [email protected]
Subject: RE: [FW1] Why should the firewall be the NAT boundery?

Hi Paul,

Clarification: you are trying to VPN into your internal network via the firewall with SecuRemote. If so, then the firewall needs an official IP on the external segment. Does the external router perform static NAT or dynamic NAT for the firewall? What VPN encryption scheme are you trying to use?

Thanks,
Harjot (Joe) Sekhon
AT&T Canada - IES Security Engineer

-----Original Message-----
From: Paul Murphy [mailto:[email protected]]
Sent: Friday, May 04, 2001 5:17 AM
To: [email protected]
Subject: [FW1] Why should the firewall be the NAT boundery?

I would agree with this, but it needs more explanation. I'm not sure I could offer a complete explanation, so... Why should FW-1 be the NAT boundary?

>>> "Juppunov, George" <[email protected]> 5/2/2001 10:27:18 pm >>>
No. Don't do it. Make the firewall your NAT boundary.
George

> -----Original Message-----
> From: [email protected] [SMTP:[email protected]]
> Sent: Wednesday, May 02, 2001 9:09 AM
> To: [email protected]
> Subject: [FW1] FW with NAT behind router
>
> Hi there,
>
> Has anybody managed to get FW-1 to run like this?
>
> LAN <- unofficial IP -> FW1 <- unofficial IP -> Router <- official IP ->
> Internet <- official IP -> SecuRemote
>
> I use static NAT on the router between FW-1 and the Internet (it needs to be
> like this).
>
> I already looked on phoneboy but didn't find anything...
> Maybe one of you knows...?
>
> Regards,
> Marco
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================

_____________________________________________________________________
IMPORTANT NOTICES: This message is intended only for the addressee. Please notify the sender by e-mail if you are not the intended recipient. If you are not the intended recipient, you may not copy, disclose, or distribute this message or its contents to any other person and any such actions may be unlawful. Banc of America Securities LLC ("BAS") does not accept time sensitive, action-oriented messages or transaction orders, including orders to purchase or sell securities, via e-mail. BAS reserves the right to monitor and review the content of all messages sent to or from this e-mail address. Messages sent to or from this e-mail address may be stored on the BAS e-mail system.

--------------------------------------------------------------------------------
CRESTCo Ltd.                  The views expressed above are not necessarily those
33 Cannon Street              held by CRESTCo Limited.
London EC4M 5SB (UK)
+44 (020) 7849 0000
http://www.crestco.co.uk
--------------------------------------------------------------------------------