
Re: [FW-1] RES: [FW-1] What is recommended way to address a DMZ?



We run our DMZ using internal ip addresses and NAT. We aren't running
netmeeting, which I know would break...
What I believe are minor advantages:

- I can place a server in the DMZ for testing and initial backups, fully
configured, but not accessible from the outside world since
there is no corresponding NAT entry.
- I can place an ip address on a device in the DMZ (such as a switch or
backup server) w/o worrying about it having a public ip address
- I can add virtual ip addresses to servers any time I want. For example, my
FTP server's main ip address is NATted on the firewall.  A second one is
used only for ssh access (using iptables to allow only ftp to one ip address
and ssh to the other).

Regards
David Glosser
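
The host-side filtering described in the reply above (FTP only on the NATted address, ssh only on the second address), as an added example that is not part of the original message. The addresses, the admin-subnet restriction on ssh and the function names are constructed assumptions.

```shell
#!/bin/sh
# Added example: iptables-restore ruleset for a DMZ FTP server with two
# private addresses. All values below are constructed placeholders.
FTP_IP="${FTP_IP:-192.168.10.21}"      # has a static NAT entry on the firewall
SSH_IP="${SSH_IP:-192.168.10.22}"      # no NAT entry, so not reachable from outside
ADMIN_NET="${ADMIN_NET:-10.1.0.0/24}"  # assumption: ssh limited to an internal subnet

# Print the ruleset in iptables-restore format.
emit_rules() {
  cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d $FTP_IP -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -d $FTP_IP -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s $ADMIN_NET -d $SSH_IP -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "dmz-ftp drop: "
COMMIT
EOF
}

# List the TCP ports the generated INPUT chain accepts for one destination
# address, so the ftp/ssh separation can be checked before loading the rules.
accepted_ports() {
  emit_rules | awk -v ip="$1" '
    $1 == "-A" && $2 == "INPUT" && $NF == "ACCEPT" {
      d = ""; p = ""
      for (i = 3; i < NF; i++) {
        if ($i == "-d") d = $(i + 1)
        if ($i == "--dport") p = $(i + 1)
      }
      if (d == ip && p != "") print p
    }'
}

# Print the ruleset only when asked, e.g. to pipe into iptables-restore --test.
if [ "${1:-}" = "--print" ]; then
  emit_rules
fi
```

FTP data connections are accepted as RELATED traffic through the ftp conntrack helper, which needs the nf_conntrack_ftp module loaded on the server.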


----- Original Message -----
From: "Fábio Rocha" <[email protected]>
To: <[email protected]>
Sent: Monday, December 16, 2002 2:16 PM
Subject: [FW-1] RES: [FW-1] What is recommended way to address a DMZ?


> Thanks for your thoughts on the subject.
> But I am really interested in the security implications (if there are any)
> of using each addressing method.
>
> Regards,
> Fábio.
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]] On behalf of Hal Dorsman
> Sent: Monday, December 16, 2002 14:17
> To: [email protected]
> Subject: Re: [FW-1] What is recommended way to address a DMZ?
>
>
> I agree both work equally well, although NAT would have a slightly
> higher overhead on your server, but if your server is scaled properly
> it shouldn't matter.  I would think the only deciding factor would be
> available IP subnets.  If you have an adequately large legal subnet to
> allocate to your server farm, I would go that way to avoid the slightly
> more complex issues of NATing.  If you have limited IP's, NAT is the
> ideal solution since you can do a one to one mapping of legal to internal
> private IP's without wasting any IPs.
>
> Hal
>
> Hal Dorsman
> Network Administrator
> Rocky Mountain Elk Foundation
> Missoula, Montana USA
> [email protected]
>
> > -----Original Message-----
> > From: Julian Burton [mailto:[email protected]]
> > Sent: Monday, December 16, 2002 9:45 AM
> > To: [email protected]
> > Subject: Re: [FW-1] What is recommended way to address a DMZ?
> >
> >
> > I've been involved with both in my time!
> > Others may have opinions on the advisability of public vs. private
> > addresses, but I can tell you that both work equally well.
> > Currently we run private addressing with NAT - mainly due to the small
> > number of public addresses we have.
> >
> > Julian
> >
> >
> >
> > From: Fábio Rocha <[email protected]>
> > Sent by: Mailing list for discussion of Firewall-1 <[email protected]>
> > Date: 16/12/2002 13:45
> > Please respond to: Mailing list for discussion of Firewall-1
> > To: [email protected]
> > cc:
> > Subject: [FW-1] What is recommended way to address a DMZ?
> >
> > Hi all,
> >
> > I need to create a DMZ on my firewall and I have been thinking how I
> > should address it, the possibilities are:
> >
> > 1. Use public Internet addresses.
> > 2. Use private addresses and do the required translations on the firewall.
> >
> > What is the best to do? What are the pros and cons of each addressing
> > method? I would like to hear your opinions on the subject.
> >
> > Thanks in advance,
> > Fábio Rocha.
> >
> > =================================================
> > To set vacation, Out Of Office, or away messages,
> > send an email to [email protected]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > [email protected]
> > =================================================