Firewall Wizards mailing list archives

RE: DMZ Architecture - Using public address space vs. using Private Address space and NAT


From: "Stapleton, Bernard (Australia)" <bernard_stapleton () exchange au ml com>
Date: Tue, 7 Aug 2001 21:10:57 -0400

Jeffrey has brought up a good point here I think. (And sorry for this late reply)

I haven't been all that clear in what we run, or what we do.

We do have portable address space. 8 class C's to be precise. This is the result of an acquisition a little while ago. 
We are considering using one of these C's subnetted up for our DMZ space.

Previously, we had made the decision that we would use 192.168 space for anything that didn't have to leave our region 
for the global network; we have the first half of a B for our internal network.

We do have VPN users that come in, they are being routed on a subnet of our half B, this is one of our DMZs. 

We have other people that we connect to, usually by leased line or ISDN. One of these people has come up and said that 
we want to use private network x.x.x.x which is being used elsewhere within our
global network.

At the moment, I am rebuilding our firewalls to be GigE with VLAN tagging, as we have passed the point of 12 DMZs; we 
are basically running one DMZ for every person that we connect to.

From a security perspective, I would say NAT everything so that our routers don't see the route, and if the firewall 
doesn't NAT it, then nothing can get to it. If you are routing, and a security hole comes up that lets you bypass the 
rulebase for whatever reason, then, because it is routed, you can just jump straight past.

This is my concern really, or am I just being WAY too paranoid?

Berny

-----Original Message-----
From: Behm, Jeffrey L. [mailto:BehmJL () bvsg com] 
Sent: Monday, 6 August 2001 04:38 AM
To: firewall-wizards () nfr com
Subject: RE: [fw-wiz] DMZ Architecture - Using public address space vs. using Private Address space and NAT


IMHO, this is not a particularly strong reason to make a high-impact architectural decision like RFC1918 and NAT. 
Major upheavals like moving a site from one ISP's address space to another are a big challenge for many reasons; 
changing the addresses should be a microscopic issue in comparison.

If (<- Big if) properly configured, changing the addresses should be the ONLY issue when moving a site from one ISP's 
address space to another's. Perhaps I am missing some of the other challenges.

Of course, site has not yet been very clearly defined, so it could mean anything from an entire office to a single web 
site.

<snip>
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards
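The two planning problems in Berny's message above (a partner asking to use a private prefix that is already in use elsewhere in the global network, and carving one portable /24 into a dozen or more VLAN-tagged DMZs) are small enough to check with a script. The following is an added example, not code from the mailing-list post or from either poster; every prefix in it is a constructed sample value (RFC1918 and documentation ranges), the partner names are hypothetical, and the "NAT everything" switch is this example's own way of expressing the policy Berny argues for, not a tool either poster used.

```python
"""Address-planning helper for the overlap and DMZ-subnetting questions above.

Added example, not code from the mailing-list post. Every prefix below is a
constructed sample value (RFC1918 / documentation ranges), not the poster's
real allocations.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network

# Constructed: space already in use across the "global network" (hypothetical).
GLOBAL_IN_USE: List[Net] = [
    ipaddress.ip_network("172.16.0.0/17"),    # stands in for "the first half of a B"
    ipaddress.ip_network("192.168.0.0/20"),   # regional 192.168 space
    ipaddress.ip_network("192.168.50.0/24"),  # used by another region
]

# Constructed: one portable /24 ("one of the class C's") set aside for DMZs.
DMZ_BLOCK: Net = ipaddress.ip_network("198.51.100.0/24")

# Constructed: prefixes reserved for presenting NATed partners to the inside.
NAT_POOL: List[Net] = [
    ipaddress.ip_network("192.168.200.0/24"),
    ipaddress.ip_network("192.168.201.0/24"),
]

# Constructed partner requests; partner-c deliberately repeats partner-a's prefix.
PARTNER_REQUESTS: Dict[str, str] = {
    "partner-a": "10.20.0.0/24",
    "partner-b": "192.168.50.0/24",
    "partner-c": "10.20.0.0/24",
}


def conflicts(proposed: Net, in_use: List[Net]) -> List[Net]:
    """Every in-use prefix that overlaps the proposed one (empty list = safe to route)."""
    return [n for n in in_use if n.overlaps(proposed)]


def carve_dmzs(block: Net, count: int, new_prefix: int = 28) -> List[Net]:
    """Subnet `block` into `count` equal DMZ subnets, one per VLAN-tagged partner link."""
    subnets = list(block.subnets(new_prefix=new_prefix))
    if count > len(subnets):
        raise ValueError(f"{block} yields only {len(subnets)} /{new_prefix}s, {count} needed")
    return subnets[:count]


# ("route" | "nat" | "unplaceable", requested prefix, translated prefix or None)
Decision = Tuple[str, Net, Optional[Net]]


def plan_partners(requests: Dict[str, str], in_use: List[Net], nat_pool: List[Net],
                  nat_everything: bool = False) -> Dict[str, Decision]:
    """Decide, per partner, whether its prefix is routed as-is or hidden behind NAT.

    nat_everything=False routes any prefix that does not collide and NATs only the
    collisions; nat_everything=True (the policy argued for in the post) NATs every
    partner. Input lists are copied, so callers' tables are never mutated.
    """
    in_use = list(in_use)
    pool = list(nat_pool)
    plan: Dict[str, Decision] = {}
    for name, requested in requests.items():
        req = ipaddress.ip_network(requested)
        if not nat_everything and not conflicts(req, in_use):
            in_use.append(req)                 # now reserved; a later duplicate must NAT
            plan[name] = ("route", req, None)
            continue
        # Pick the first pool prefix that is large enough and is itself still unused.
        chosen = next((p for p in pool
                       if p.num_addresses >= req.num_addresses and not conflicts(p, in_use)),
                      None)
        if chosen is None:
            plan[name] = ("unplaceable", req, None)
            continue
        pool.remove(chosen)
        in_use.append(chosen)
        plan[name] = ("nat", req, chosen)
    return plan


if __name__ == "__main__":
    for i, dmz in enumerate(carve_dmzs(DMZ_BLOCK, 12), start=1):
        print(f"DMZ VLAN {i:2d}: {dmz}")
    for policy in (False, True):
        print(f"\nnat_everything={policy}")
        plan = plan_partners(PARTNER_REQUESTS, GLOBAL_IN_USE, NAT_POOL, nat_everything=policy)
        for name, (decision, req, xlated) in plan.items():
            print(f"  {name}: {req} -> {decision}" + (f" as {xlated}" if xlated else ""))
```

Running it shows the trade-off in the thread directly: with overlap-only NAT, partner-a is routed and only partner-b (which collides with another region's 192.168.50.0/24) and partner-c (which repeats partner-a's prefix) are translated; with nat_everything=True every partner consumes a pool prefix, and the third partner cannot be placed until the NAT pool is enlarged, which is the capacity cost of the "NAT everything" policy.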
