Firewall Wizards mailing list archives

RE: DMZ Architecture - Using public address space vs. using Private Address space and NAT


From: Bill_Royds () pch gc ca
Date: Thu, 2 Aug 2001 16:38:19 -0400


That is not necessarily true.
One can just as easily NAT to a public address space as to a private space.
As a matter of fact, the best alternative is to use a public address space
but NAT it to another space at the firewall.
Since it is public, VPNs etc. have no problem.
But since it is not routed, you have whatever small security advantage NAT
gives you.
This is what we do, although the public space is a class C within an internal
class B.
The Internet routers have no route for the internal space (and drop all
packets to it).

To: bernard_stapleton () exchange au ml com, firewall-wizards () nfr com
cc:
Subject: RE: [fw-wiz] DMZ Architecture - Using public address space vs. using Private Address space and NAT

Another reason for using private address space+NAT is a possible future
migration to another ISP. It's just a matter of changing the NAT rules in
the firewall.

If you use public addresses on the DMZ machines, you'll have to change
config files and scripts that use IP addresses, and only the devil knows what
problems can surface. ;->

From: "Stapleton, Bernard (Australia)" <bernard_stapleton () exchange au ml com>
To: "'firewall-wizards () nfr com'" <firewall-wizards () nfr com>
Date: Thu, 2 Aug 2001 01:04:28 +0900

Everyone,

We have started an interesting conversation at work at the moment, regarding
whether to use public address space in our DMZs.

The idea of using public address space has its pros and cons.

Pro:

No address conflict when connecting to external partners. They can route
this space internally and so can you, without fear of conflict with another
party.
No need for address translation / simplification of management
Ease of passing protocols that are difficult to firewall

Cons:

Security risk if the firewall host still routes when the firewall software is shut down
More complex management

I was wondering if anyone on this list has anything to say about this topic?
I would like to know what people might be doing internally themselves, and
why they came to that decision.

Thanks

Berny
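
The three points raised in this thread (partner address clashes, NAT rules as the only thing that changes when moving ISP, and the risk of the firewall host routing untranslated DMZ traffic) can be checked with a small address-plan script. This is an added example written for this archive page, not code from any of the posters; the blocks, partner ranges and flow records are constructed from RFC 5737 documentation space.

```python
from ipaddress import ip_address, ip_network

# Constructed example blocks (RFC 5737 documentation space), not any
# poster's real ranges. INSIDE is the public block configured on the DMZ
# hosts; OUTSIDE is the block actually advertised to the Internet.
INSIDE = "192.0.2.0/28"
OUTSIDE = "198.51.100.0/28"
PARTNERS = ["10.0.0.0/8", "203.0.113.0/24"]  # constructed partner ranges
PRIVATE_DMZ = "10.1.0.0/24"                  # RFC 1918 alternative


def conflicts(dmz, partner_nets):
    """Partner networks overlapping the DMZ block: the address clash the
    original post avoids by using public space instead of RFC 1918."""
    d = ip_network(dmz)
    return [p for p in partner_nets if d.overlaps(ip_network(p))]


def nat_table(inside, outside):
    """Static 1:1 NAT from the DMZ block to the advertised block. Moving
    to another ISP is just a new 'outside' block; DMZ hosts are untouched."""
    i, o = ip_network(inside), ip_network(outside)
    if i.prefixlen != o.prefixlen:
        raise ValueError("inside and outside blocks must be the same size")
    return dict(zip(map(str, i.hosts()), map(str, o.hosts())))


def untranslated_egress(flows, inside):
    """Flag egress flows whose source is still an inside DMZ address.
    Seeing these at the border means traffic bypassed the NAT, e.g. the
    firewall host kept routing after the firewall software went down."""
    net = ip_network(inside)
    return [f for f in flows if ip_address(f["src"]) in net]


# Constructed egress flow records, as a border router might log them.
FLOWS = [
    {"src": "198.51.100.3", "dst": "203.0.113.9"},  # correctly NATed
    {"src": "192.0.2.3", "dst": "203.0.113.9"},     # leaked inside address
]

if __name__ == "__main__":
    print("private DMZ clashes with:", conflicts(PRIVATE_DMZ, PARTNERS))
    print("public DMZ clashes with:", conflicts(INSIDE, PARTNERS))
    print("NAT entries:", len(nat_table(INSIDE, OUTSIDE)))
    print("NAT bypass suspects:", untranslated_egress(FLOWS, INSIDE))
```

The same `untranslated_egress` check run against the Internet router's logs is the practical test of the "no route for the internal space" rule in the first reply.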
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards