Firewall Wizards mailing list archives
RE: DMZ Archtecture - Using public address space vs. using Private Ad dress space and NAT
From: Bill_Royds () pch gc ca
Date: Thu, 2 Aug 2001 16:38:19 -0400
That is not neccessarily true. One can just as easily NAT to a public address space as to a private space. As a matter of fact, the best alternative is to use a public address space but NAT is to another space at the firewall. Since it is public, VPN's etc. have no problem. But since it is not routed, you have whatever small security advantage NAT gives you. This is what we do, although the public space is a class C within internal Class B. The Internet routers have no route for internal space, (and drop all packets to it). To: bernard_stapleton () exchange au ml com, firewall-wizards () nfr com, 'firewall-wizards () nfr com cc: Subject: RE: [fw-wiz] DMZ Archtecture - Using public address space vs. using Private Ad dress space and NAT Another reason for using private address space+NAT is a possible future migration for another ISP. It's just a matter of changing the NAT rules in the firewall. If using public addresses in the DMZ machines, you'll have to change config files, scripts using IP addresses, and only devil knows what problems can surface. ;->
"Stapleton, Bernard (Australia)" <bernard_stapleton () exchange au ml com>
"'firewall-wizards () nfr com'" <firewall-wizards () nfr com>Date: Thu, 2 Aug 2001 01:04:28 +0900
Everyone, We have started an interesting conversation at work at the moment,
regarding
whether to use public address space in our DMZs. The idea of using public address space has its pros and cons. Pro: No address conflict with connecting to external partners. They can route this space internally and so can you, without fear of conflict with
another
party. No need for address translation / simplification of management Ease of passing protocols that are difficult to firewall Cons Security risk if firewall host still routes if firewall software shutdown More complex management I was wondering if anyone on this list has anything to say about this
topic?
I would like to know what people might be doing internally themselves,
and
why they came to that decision. Thanks Berny
_______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- RE: DMZ Archtecture - Using public address space vs. using Private Ad dress space and NAT Bill_Royds (Aug 04)