
Re: [FW-1] What is recommended way to address a DMZ?




I would have to agree with Raymond.  A lot will depend on what services you are running in your DMZ.  If you are using something like SSL on your FTP server you will need a legal address if your clients are using NAT.  It won't work with double NAT, at least that is what WS-FTP is telling us. You will want to make this decision early so you won't have to go back and subnet later and change a bunch of addresses.  As far as security goes, you will still have the same access control with FW-1.

-----Original Message-----
From: Shelton, Raymond A. [mailto:[email protected]]
Sent: Monday, December 16, 2002 11:41 AM
To: [email protected]
Subject: Re: [FW-1] What is recommended way to address a DMZ?

If you can, avoid NAT, for it does break certain applications; minimally, it does deviate from the design principles and nature of an "end to end" network (and practically, well...merely search the internet for keywords "firewall-1", "nat" and "problem.")

My US$0.02 -- bring on your out of the office autoresponders!


-----Original Message-----
From: Hal Dorsman [mailto:[email protected]]
Sent: Monday, December 16, 2002 11:17 AM
To: [email protected]
Subject: Re: [FW-1] What is recommended way to address a DMZ?


I agree both work equally well, although NAT would have a slightly
higher overhead on your server, but if your server is scaled properly
it shouldn't matter.  I would think the only deciding factor would be
available IP subnets.  If you have an adequately large legal subnet to
allocate to your server farm, I would go that way to avoid the slightly
more complex issues of NATing.  If you have limited IP's, NAT is the
ideal solution since you can do a one to one mapping of legal to internal
private IP's without wasting any IPs.

Hal

Hal Dorsman
Network Administrator
Rocky Mountain Elk Foundation
Missoula, Montana USA
[email protected]


> -----Original Message-----
> From: Julian Burton [mailto:[email protected]]
> Sent: Monday, December 16, 2002 9:45 AM
> To: [email protected]
> Subject: Re: [FW-1] What is recommended way to address a DMZ?
>
>
> I've been involved with both in my time!
> Others may have opinions on the advisability of public vs. private
> addresses, but I can tell you that both work equally well.
> Currently we run private addressing with NAT - mainly due to the small
> number of public addresses we have.
>
> Julian
>
>
>
> From: Fábio Rocha <[email protected]>
> Sent by: Mailing list for discussion of Firewall-1
> Date: 16/12/2002 13:45
> Please respond to: Mailing list for discussion of Firewall-1
> To: [email protected]
> Subject: [FW-1] What is recommended way to address a DMZ?
>
> Hi all,
>
> I need to create a DMZ on my firewall and I have been
> thinking how I should
> address it, the possibilities are:
>
> 1. Use public Internet addresses.
> 2. Use private addresses and do the required translations on
> the firewall.
>
> What is the best to do? What are the pros and cons of each addressing
> method? I would like to hear your opinions on the subject.
>
> Thanks in advance,
> Fábio Rocha.
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
>
> ______________________________________________________________
> __________
> This e-mail has been scanned for all viruses by Star Internet.