RE: DMZ Archtecture - Using public address space vs. usi ng Private Ad dress space and NAT

["Kalat, Andrew (ISS Atlanta)" <akalat () iss net>]

Thought I might add my 1/50th of a dollar...

This is all well and good unless you actually own portable address space.
Assuming you want to multi-home with multiple ISP's, pushing BGP out for
fail over and load balancing, then this is less of a concern.

Further, I would have to add my vote that using public IP's is a cleaner way
to go. Here's why:

1) I really don't think NAT is much of a security benefit. Don't fool
yourself. Run your firewall properly. (Please, no flames) 

2) The less private IP, the less chance of conflicting with a partner if
your tunneling, which most IPSEC VLAN's tend to do. Another consideration is
home users with client VPN's tunneling in. Same address space at home and in
the office WAN causes interesting routing issues with some VPN/Firewall
boxes.

3) NAT adds load and complexity to your firewalls.

4) Remote access becomes less flexible without more NAT rules.

5) You have different IP's from your internal and external customers of that
box possibly.

Overall, it's just not worth it if you have the public IP space, in my
opinion.

Thanks.
Andrew Kalat

-----Original Message-----
From: ruka + [mailto:ruka () my-deja com]
Sent: Thursday, August 02, 2001 11:47 AM
To: bernard_stapleton () exchange au ml com; firewall-wizards () nfr com;
firewall-wizards () nfr com
Subject: RE: [fw-wiz] DMZ Archtecture - Using public address space vs.
using Private Ad dress space and NAT


Another reason for using private address space+NAT is a possible future
migration for another ISP. It's just a matter of changing the NAT rules in
the firewall.

If using public addresses in the DMZ machines, you'll have to change config
files, scripts using IP addresses, and only devil knows what  problems can
surface. ;->

> "Stapleton, Bernard (Australia)" <bernard_stapleton () exchange au ml com>
"'firewall-wizards () nfr com'" <firewall-wizards () nfr com>Date: Thu, 2 Aug 2001
01:04:28 +0900
> Everyone,
>
> We have started an interesting conversation at work at the moment,
regarding
> whether to use public address space in our DMZs.
>
> The idea of using public address space has its pros and cons.
>
> Pro:
>
> No address conflict with connecting to external partners. They can route
> this space internally and so can you, without fear of conflict with another
> party.
> No need for address translation / simplification of management
> Ease of passing protocols that are difficult to firewall
>
> Cons
>
> Security risk if firewall host still routes if firewall software shutdown
> More complex management
>
> I was wondering if anyone on this list has anything to say about this
topic?
> I would like to know what people might be doing internally themselves, and
> why they came to that decision.
>
> Thanks
>
> Berny
>
>
>
> All opinions / arguements and anything else otherwise stated in this email
> are my own, and not of my employer.
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://list.nfr.com/mailman/listinfo/firewall-wizards




------------------------------------------------------------
--== Sent via Deja.com ==--
http://www.deja.com/
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards