Firewall Wizards mailing list archives
RE: Internet accessible screened subnet - use public or private IPs?
From: <lordchariot () earthlink net>
Date: Mon, 25 Jul 2005 20:12:58 -0400
What about when IPv6 becomes predominant on the net? Am I mistaken that there doesn't seem to be any concept of NAT in the IPv6 specs? I could be wrong, but thought I found that somewhere?

Erik
-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of David Lang
Sent: Friday, July 22, 2005 8:27 PM
To: Victor Williams
Cc: Dave Piscitello; firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Internet accessible screened subnet - use public or private IPs?

On Fri, 22 Jul 2005, Victor Williams wrote:

> Everyone has missed the point. The whole issue of using NAT or not has nothing to do with work associated with either. The whole reason NAT was implemented was because of a very finite (and quickly running out supply, depending on who you ask) number of publicly routable IP addresses. Instead of assigning every machine that wanted internet access a public IP address, it was just more cost-effective (IP addresses cost money) to use NAT or masquerading...whatever your lingo is...to address those hosts that only needed outgoing access--who weren't serving content.

however, for a DMZ (the question that was asked) you are typically providing service to the Internet, and for that you run into a bunch of very interesting issues if you try to use NAT to reduce the number of IP addresses you use.

David Lang

> Whether you address your publicly accessible hosts directly with public IP addresses or you use static NAT translations is up to the preference of the administrator. If you have enough public IP addresses and $ isn't an object, then your preference for assigning them all public IP addresses really doesn't make a difference. If you don't have enough public IP addresses and you have a limited budget and have to allow many services on the internet with fewer public IP addresses, then it sounds like you'll be using NAT or PAT. There is no clear-cut *better* way universally. Several different ways work if you have your head screwed on straight.
>
> My personal preference is to use private IP addresses everywhere inside my firewall...even in my DMZ. That way I control my public IP addresses at one point only, and that's my firewall. If for some reason I change ISPs or my ISP wants to change my IP address range (which hasn't happened in over 9 years), I make my IP address changes in two spots: my firewall(s), and my DNS servers. Nothing else changes. To me, it's simpler. Others like to be complicated...so YMMV.
>
> David Lang wrote:
>
>> On Fri, 22 Jul 2005, Dave Piscitello wrote:
>>
>>> Isn't this a question of whether you want to route or NAT?
>>>
>>> A server that is Internet-facing has to have (or be reachable via) a public IP. If your ISP changes your block of public IP addresses, you have to change:
>>>
>>> 1) the mapping between your private IP addresses and the new public IP addresses (the static or 1:1 NAT case) or
>>> 2) the IP addresses of all the servers, the IPs of the trusted and external interfaces on the firewall, and the routing table (or routing protocol configuration)
>>>
>>> (2) seems like a whole lot more work to me.
>>
>> first off, how frequently does your ISP reallocate your address range?
>>
>> secondly you are ignoring all the other work that you need to do when this change takes place. with all that in mind the difference in the amount of work seems a lot less.
>>
>> and as I said below, the trade off for simplifying this rare occurrence of changing your IP range comes with day-to-day costs in running NAT.
>>
>> David Lang
>>
>>> On 21 Jul 2005 at 18:28, David Lang wrote:
>>>
>>>> On Thu, 21 Jul 2005, Paul D. Robertson wrote:
>>>>
>>>>> On Fri, 15 Jul 2005, Matt Bazan wrote:
>>>>>
>>>>>> Is there a preferred method of setting up an Internet-facing screened subnet and the use of public or private IP addresses? Looking at redesigning our DMZ to only include public resources (www, smtp, imap, ftp). Presently we use a private IP address range for this that is NAT'ed at our firewall. Any reasons to change this policy to using public IPs in the DMZ? Thanks,
>>>>>
>>>>> If you're NATing to your internal network, then a rework is necessary - public stuff should be on its own (preferably) physical subnet. IP addressing doesn't matter much, since you'll be letting stuff through the most likely exploit vectors anyway.
>>>>
>>>> The thing I've been hearing for years about why NAT is better is that you may change ISPs and end up with a new set of IP addresses which are easier to change if you NAT. this may be true (I've actually never seen anyone actually DO this), but you are trading one-time headaches (which I personally believe are no more severe than all the other changes that you need to make when changing things, firewalls, DNS, NAT tables, etc) for ongoing overhead (performance on your NAT device, troubleshooting, bugs in the NAT implementation, overloading of the NAT tables, etc)
>>>>
>>>> I would definitely have things that serve the Internet use public addresses, once you get behind that layer and have devices that only talk to internal stuff, then make it all private addresses.
>>>>
>>>> David Lang
>>>>
>>>> --
>>>> There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies. -- C.A.R. Hoare
>>>>
>>>> _______________________________________________
>>>> firewall-wizards mailing list
>>>> firewall-wizards () honor icsalabs com
>>>> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
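A worked example added by the editor, not code from anyone in the thread: it models the two DMZ designs the posts compare (Piscitello's case 1, a private DMZ behind static 1:1 NAT, and case 2, a routed DMZ on public addresses), generates the configuration objects each needs, diffs them across an ISP renumbering, and emits an nftables ruleset for the 1:1 design. Every hostname, the example.net domain, the 192.168.100.0/24 DMZ and the 203.0.113.0/24 and 198.51.100.0/24 public blocks are constructed (the last two are documentation prefixes); the nftables syntax is the editor's, not a configuration anyone in the thread posted.

```python
"""Added example: routed DMZ vs. private DMZ behind static 1:1 NAT.
All names, prefixes and hostnames are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    dns_name: str   # public DNS label, e.g. "www"
    host: str       # DMZ machine that hosts it
    port: int       # TCP port exposed to the Internet


# Constructed sample: the four services the original question lists.
SERVICES = (
    Service("www", "web1", 443),
    Service("smtp", "mail1", 25),
    Service("imap", "mail1", 993),
    Service("ftp", "ftp1", 21),
)
DOMAIN = "example.net"                                   # constructed
DMZ_PRIVATE = ipaddress.ip_network("192.168.100.0/24")  # constructed RFC 1918 DMZ


def assign_hosts(network, services, first_host=10):
    """Give each distinct DMZ host one address from `network`, in sorted host order."""
    hosts = sorted({s.host for s in services})
    base = int(network.network_address) + first_host
    return {h: ipaddress.ip_address(base + i) for i, h in enumerate(hosts)}


def routed_design(public_block, services):
    """Piscitello's case 2: DMZ hosts carry public addresses; the firewall routes."""
    public = ipaddress.ip_network(public_block)
    servers = assign_hosts(public, services)
    cfg = {f"server/{h}/addr": str(a) for h, a in servers.items()}
    cfg["fw/dmz_if/addr"] = str(public.network_address + 1)
    cfg["fw/route/dmz"] = f"{public} via dmz interface"
    for s in services:
        cfg[f"dns/{s.dns_name}.{DOMAIN}/A"] = str(servers[s.host])
        cfg[f"fw/filter/{s.dns_name}"] = f"tcp dport {s.port} to {servers[s.host]}"
    return cfg


def static_nat_design(public_block, services):
    """Piscitello's case 1: DMZ hosts keep private addresses; the firewall holds the 1:1 map."""
    public = ipaddress.ip_network(public_block)
    priv = assign_hosts(DMZ_PRIVATE, services)
    pub = assign_hosts(public, services)    # same host order, so same offsets
    cfg = {f"server/{h}/addr": str(a) for h, a in priv.items()}
    cfg["fw/dmz_if/addr"] = str(DMZ_PRIVATE.network_address + 1)
    cfg["fw/route/dmz"] = f"{DMZ_PRIVATE} via dmz interface"
    for h in priv:
        cfg[f"fw/nat/{h}"] = f"{pub[h]} <-> {priv[h]}"
    for s in services:
        cfg[f"dns/{s.dns_name}.{DOMAIN}/A"] = str(pub[s.host])
        # filter rules see the post-DNAT (private) destination, so they never change
        cfg[f"fw/filter/{s.dns_name}"] = f"tcp dport {s.port} to {priv[s.host]}"
    return cfg


def renumber_changes(design, old_block, new_block, services=SERVICES):
    """Configuration objects that must be touched when the ISP changes the public block."""
    before, after = design(old_block, services), design(new_block, services)
    return sorted(k for k in before if before[k] != after[k])


def nft_static_nat(public_block, services=SERVICES, ext_if="eth0"):
    """nftables text for the 1:1 design: DNAT inbound, SNAT outbound, and a
    default-drop forward chain that admits inbound only on the listed service
    ports and lets DMZ hosts open outbound connections (e.g. mail delivery).
    The forward chain matches the private address because DNAT in prerouting
    has already rewritten the destination by the time the packet is forwarded."""
    public = ipaddress.ip_network(public_block)
    pub, priv = assign_hosts(public, services), assign_hosts(DMZ_PRIVATE, services)
    pre = [f'        iifname "{ext_if}" ip daddr {pub[h]} dnat to {priv[h]}' for h in priv]
    post = [f'        oifname "{ext_if}" ip saddr {priv[h]} snat to {pub[h]}' for h in priv]
    fwd = [f'        iifname "{ext_if}" ip daddr {priv[s.host]} tcp dport {s.port} ct state new accept'
           for s in services]
    return "\n".join([
        "table ip nat {",
        "    chain prerouting {",
        "        type nat hook prerouting priority -100; policy accept;", *pre, "    }",
        "    chain postrouting {",
        "        type nat hook postrouting priority 100; policy accept;", *post, "    }",
        "}",
        "table ip filter {",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept",
        f'        ip saddr {DMZ_PRIVATE} oifname "{ext_if}" ct state new accept',
        *fwd, "    }",
        "}",
    ])


if __name__ == "__main__":
    old, new = "203.0.113.0/24", "198.51.100.0/24"
    print("static NAT renumbering touches:", renumber_changes(static_nat_design, old, new))
    print("routed renumbering touches:    ", renumber_changes(routed_design, old, new))
    print(nft_static_nat(old))
```

Running it shows the trade the thread argues about in concrete terms: renumbering the 1:1 design rewrites only the NAT map and the DNS A records, while the routed design also touches every server, the firewall's DMZ interface, its route and every filter rule that names a server address. What the script does not show is the other side of Lang's argument, the day-to-day cost of the NAT state the ruleset creates, which is a runtime property rather than a configuration one.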
Current thread:
- Internet accessible screened subnet - use public or private IPs? Matt Bazan (Jul 21)
- Re: Internet accessible screened subnet - use public or private IPs? Paul D. Robertson (Jul 21)
- Re: Internet accessible screened subnet - use public or private IPs? David Lang (Jul 21)
- Re: Internet accessible screened subnet - use public or private IPs? Dave Piscitello (Jul 22)
- Re: Internet accessible screened subnet - use public or private IPs? David Lang (Jul 22)
- Re: Internet accessible screened subnet - use public or private IPs? Victor Williams (Jul 25)
- Re: Internet accessible screened subnet - use public or private IPs? David Lang (Jul 25)
- Re: Internet accessible screened subnet - use public or private IPs? Victor Williams (Jul 25)
- RE: Internet accessible screened subnet - use public or private IPs? lordchariot (Jul 25)
- RE: Internet accessible screened subnet - use public or private IPs? Marcus J. Ranum (Jul 26)
- RE: Internet accessible screened subnet - use public or private IPs? R. DuFresne (Jul 27)
- RE: Internet accessible screened subnet - use public or private IPs? Luis Bruno (Jul 30)
- RE: Internet accessible screened subnet - use public or private IPs? Paul D. Robertson (Jul 30)
- Re: Internet accessible screened subnet - use public or private IPs? David Lang (Jul 21)
- Re: Internet accessible screened subnet - use public or private IPs? Dale W. Carder (Jul 30)
- Re: Internet accessible screened subnet - use public or private IPs? Paul D. Robertson (Jul 21)
- Re: Internet accessible screened subnet - use public or private IPs? Marcus J. Ranum (Jul 26)
- RE: Internet accessible screened subnet - use public or private IPs? Sanford Reed (Jul 25)
- <Possible follow-ups>
- RE: Internet accessible screened subnet - use public or private IPs? Behm, Jeffrey L. (Jul 26)