Firewall Wizards mailing list archives
RE: DMZ Architecture - Using public address space vs. using Private Address space and NAT
From: "Kalat, Andrew (ISS Atlanta)" <akalat () iss net>
Date: Fri, 3 Aug 2001 10:35:45 -0400
Thought I might add my 1/50th of a dollar... This is all well and good unless you actually own portable address space. Assuming you want to multi-home with multiple ISPs, pushing BGP out for failover and load balancing, then this is less of a concern.

Further, I would have to add my vote that using public IPs is a cleaner way to go. Here's why:

1) I really don't think NAT is much of a security benefit. Don't fool yourself. Run your firewall properly. (Please, no flames)

2) The less private IP, the less chance of conflicting with a partner if you're tunneling, which most IPSEC VLANs tend to do. Another consideration is home users with client VPNs tunneling in. Same address space at home and in the office WAN causes interesting routing issues with some VPN/Firewall boxes.

3) NAT adds load and complexity to your firewalls.

4) Remote access becomes less flexible without more NAT rules.

5) You have different IPs from your internal and external customers of that box possibly.

Overall, it's just not worth it if you have the public IP space, in my opinion.

Thanks.

Andrew Kalat

-----Original Message-----
From: ruka + [mailto:ruka () my-deja com]
Sent: Thursday, August 02, 2001 11:47 AM
To: bernard_stapleton () exchange au ml com; firewall-wizards () nfr com; firewall-wizards () nfr com
Subject: RE: [fw-wiz] DMZ Architecture - Using public address space vs. using Private Address space and NAT

Another reason for using private address space+NAT is a possible future migration to another ISP. It's just a matter of changing the NAT rules in the firewall. If using public addresses in the DMZ machines, you'll have to change config files, scripts using IP addresses, and only the devil knows what problems can surface. ;->
From: "Stapleton, Bernard (Australia)" <bernard_stapleton () exchange au ml com>
To: "'firewall-wizards () nfr com'" <firewall-wizards () nfr com>
Date: Thu, 2 Aug 2001 01:04:28 +0900
Everyone,

We have started an interesting conversation at work at the moment, regarding whether to use public address space in our DMZs. The idea of using public address space has its pros and cons.

Pro:
- No address conflict when connecting to external partners. They can route this space internally and so can you, without fear of conflict with another party.
- No need for address translation / simplification of management
- Ease of passing protocols that are difficult to firewall

Cons:
- Security risk if the firewall host still routes when the firewall software is shut down
- More complex management

I was wondering if anyone on this list has anything to say about this topic? I would like to know what people might be doing internally themselves, and why they came to that decision.

Thanks
Berny

All opinions / arguments and anything else otherwise stated in this email are my own, and not of my employer.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
--== Sent via Deja.com ==-- http://www.deja.com/
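Two of the points argued in this thread can be checked mechanically: Andrew's point 2 (RFC 1918 DMZ space collides with a partner's or a home user's LAN once you tunnel to them) and ruka's point (with private DMZ addresses behind static NAT, moving to another ISP is only a rewrite of the NAT table). The script below is an added example, written for this archive page and not code from any of the posters; every prefix and host address in it is constructed for illustration, using the RFC 5737 documentation ranges for the "public" blocks.

```python
import ipaddress

# Constructed sample address plan for the example; none of these prefixes
# come from the thread. 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737
# documentation ranges standing in for ISP-assigned public blocks.
RFC1918 = [ipaddress.ip_network(p) for p in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(prefix):
    """True if the prefix lies entirely inside RFC 1918 space."""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(block) for block in RFC1918)


def find_overlaps(ours, theirs):
    """Pairs (our prefix, their prefix) whose ranges intersect.

    'theirs' is whatever a partner site or a VPN client's home LAN would
    route over the tunnel. Any hit is a routing ambiguity: packets for the
    overlapping range can be delivered to either side. A DMZ on public
    space you own cannot collide with anyone's RFC 1918 LAN.
    """
    ours_n = [ipaddress.ip_network(p) for p in ours]
    theirs_n = [ipaddress.ip_network(p) for p in theirs]
    return [(str(a), str(b)) for a in ours_n for b in theirs_n
            if a.overlaps(b)]


def renumber_nat(nat_table, old_block, new_block):
    """Re-map a static NAT table {private_ip: public_ip} onto a new block.

    Each public address keeps its offset inside the block, so the DMZ
    hosts, which only ever see their private addresses, need no change.
    Raises ValueError if a mapping is outside old_block or the new block
    is too small to hold the same offsets.
    """
    old = ipaddress.ip_network(old_block)
    new = ipaddress.ip_network(new_block)
    if new.num_addresses < old.num_addresses:
        raise ValueError("new block is smaller than the old one")
    out = {}
    for private_ip, public_ip in nat_table.items():
        pub = ipaddress.ip_address(public_ip)
        if pub not in old:
            raise ValueError(f"{public_ip} is not inside {old_block}")
        offset = int(pub) - int(old.network_address)
        out[private_ip] = str(new.network_address + offset)
    return out


if __name__ == "__main__":
    # Constructed scenario: a private DMZ and an internal net on our side,
    # a partner that tunnels in with its own RFC 1918 plan.
    ours = ["192.168.1.0/24", "10.10.0.0/16"]
    partner = ["192.168.0.0/22", "172.20.0.0/16"]
    print("private DMZ overlaps:", find_overlaps(ours, partner))
    print("public DMZ overlaps:", find_overlaps(["203.0.113.0/28"], partner))

    # Constructed static NAT table: the ISP change is one table rewrite.
    nat = {"192.168.1.10": "203.0.113.10", "192.168.1.11": "203.0.113.11"}
    print(renumber_nat(nat, "203.0.113.0/28", "198.51.100.16/28"))
```

Run it as a script to see the two checks on the constructed data: the private DMZ collides with the partner's 192.168.0.0/22, the public one does not, and the NAT table moves to the new block without touching any DMZ host. Both checks are worth adding to a change-control script regardless of which side of the argument you land on.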
Current thread:
- RE: DMZ Architecture - Using public address space vs. using Private Address space and NAT Kalat, Andrew (ISS Atlanta) (Aug 04)
- <Possible follow-ups>
- RE: DMZ Architecture - Using public address space vs. using Private Address space and NAT Behm, Jeffrey L. (Aug 05)