
Re: [FW-1] DMZ setup



>>> [email protected] 10/25/02 08:57AM >>>
Question:
Can anyone point me to a resource or FAQ to get info on setting up a separate physical DMZ interface using public IPs (non-NAT)?

Answer: The IP addresses on a DMZ can be public or private. If you use public addresses, it is slightly less secure because there is no longer a need to NAT addresses to an IP range that's not accessible from the internet. However, the firewall will limit access to these hosts based on your rules.


Question:
Does the DMZ interface itself require a routable (public) IP in this mode?

Answer: The physical DMZ interface requires an IP address on the same subnet as the other hosts on the DMZ, so if your hosts have public IPs, the DMZ interface has to have a public IP.

Question:
Is it worse from a security standpoint than using NAT (as long as it is physically separate from the LAN interface)?

Answer: Again, it is slightly less secure, only because the public addresses are accessible from the internet, whereas private IPs are not (that's why you have to NAT them...). A good rulebase will still provide the protection you need.
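To make the two points above concrete (the DMZ interface must live in the DMZ hosts' subnet, and with public DMZ addresses it is the rulebase rather than address hiding that limits exposure), here is a small model of a three-interface firewall with a first-match rulebase. This is an added example, not code from the original post or from Check Point; the subnets, the web server address and the rules are constructed for illustration.

```python
"""Model of a three-interface firewall: Internet, LAN, and a non-NAT public DMZ.

Added example, not from the original post. Addresses and rules are constructed
for illustration (documentation ranges), not anyone's real configuration.
"""
import ipaddress

# Constructed topology: DMZ hosts carry public addresses, so no NAT is needed.
DMZ_SUBNET = ipaddress.ip_network("203.0.113.0/28")
LAN_SUBNET = ipaddress.ip_network("10.0.0.0/24")
DMZ_IF_ADDR = "203.0.113.1"                     # firewall's own DMZ interface
WEB_SERVER = ipaddress.ip_address("203.0.113.10")


def dmz_interface_ok(if_addr, subnet):
    """The DMZ interface must sit in the same subnet as the DMZ hosts."""
    return ipaddress.ip_address(if_addr) in ipaddress.ip_network(subnet)


def zone_of(addr):
    """Classify an address by which side of the firewall it lives on."""
    if addr in DMZ_SUBNET:
        return "dmz"
    if addr in LAN_SUBNET:
        return "lan"
    return "internet"


# Ordered rulebase: (src_zone, dst_zone, dst_host or None, dst_port or None, action).
# Because the DMZ addresses are reachable from the Internet, only these rules
# decide what is exposed; there is no address hiding to fall back on.
RULEBASE = [
    ("internet", "dmz", WEB_SERVER, 80, "accept"),
    ("internet", "dmz", WEB_SERVER, 443, "accept"),
    ("lan", "dmz", None, None, "accept"),
    ("dmz", "lan", None, None, "drop"),   # a compromised DMZ host must not reach the LAN
    ("any", "any", None, None, "drop"),   # explicit cleanup rule
]


def evaluate(src, dst, dport):
    """Return the action of the first matching rule (first-match semantics)."""
    dst_addr = ipaddress.ip_address(dst)
    src_zone, dst_zone = zone_of(ipaddress.ip_address(src)), zone_of(dst_addr)
    for rule_src, rule_dst, rule_host, rule_port, action in RULEBASE:
        if rule_src not in ("any", src_zone) or rule_dst not in ("any", dst_zone):
            continue
        if rule_host is not None and dst_addr != rule_host:
            continue
        if rule_port is not None and rule_port != dport:
            continue
        return action
    return "drop"   # nothing matched: default deny
```

Running `evaluate` over a few flows shows the Internet reaching only the web server on 80/443, while every other DMZ host and port, and all DMZ-to-LAN traffic, is dropped.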
