Firewall Wizards mailing list archives
RE: Internet accessible screened subnet - use public or private IPs?
From: "Sanford Reed" <sanford.reed () cox net>
Date: Sat, 23 Jul 2005 18:58:50 -0400
I've had to change Public address schemes on two occasions. Both were caused by the customer changing ISP Vendors. I 'only' had to ensure changes were made in two locations. Yes, by using 'Private' address schemes on both the Internal and the DMZ I had to 'build' and maintain two sets of access rules, but setting them up wasn't very difficult. They just took a little planning and thought before deployment.

1. The Firewall - Using NAT'ed addresses made it fairly simple, even with a 'Private Addressed DMZ' for 'Public' services, as you only had to change the NAT Table in one location. Rules between the Internal and the DMZ didn't change because nothing needed to change on those interfaces. Neither took more than two hours total to 'reset' the NAT tables.

2. DNS - This is where most of the problems lay. Due to the time (3 to 5 days) needed for DNS changes to propagate you could have some connectivity issues unless you can 'mirror' the Public services onto both address subnets for a short period.

Sanford Reed
(V) 757.406.7067

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of David Lang
Sent: Friday, July 22, 2005 1:54 PM
To: Dave Piscitello
Cc: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Internet accessible screened subnet - use public orprivate IPs?

On Fri, 22 Jul 2005, Dave Piscitello wrote:
Isn't this a question of whether you want to route or NAT? A server that is Internet-facing has to have (or be reachable via) a public IP. If your ISP changes your block of public IP addresses, you have to change:

1) the mapping between your private IP addresses and the new public IP addresses (the static or 1:1 NAT case), or
2) the IP addresses of all the servers, the IPs of the trusted and external interfaces on the firewall, and the routing table (or routing protocol configuration).

(2) seems like a whole lot more work to me.
First off, how frequently does your ISP reallocate your address range? Secondly, you are ignoring all the other work that you need to do when this change takes place. With all that in mind the difference in the amount of work seems a lot less. And as I said below, the trade-off for simplifying this rare occurrence of changing your IP range comes with day-to-day costs in running NAT.

David Lang
On 21 Jul 2005 at 18:28, David Lang wrote:
On Thu, 21 Jul 2005, Paul D. Robertson wrote:
On Fri, 15 Jul 2005, Matt Bazan wrote:

Is there a preferred method of setting up an Internet facing screened subnet and the use of public or private IP addresses? Looking at redesigning our DMZ to only include public resources (www, smtp, imap, ftp). Presently we use a private IP address range for this that is NAT'ed at our firewall. Any reasons to change this policy to using public IPs in the DMZ? Thanks,

If you're NATing to your internal network, then a rework is necessary - public stuff should be on its own (preferably) physical subnet. IP addressing doesn't matter much, since you'll be letting stuff through the most likely exploit vectors anyway.

The thing I've been hearing for years about why NAT is better is that you may change ISPs and end up with a new set of IP addresses which are easier to change if you NAT. This may be true (I've actually never seen anyone actually DO this), but you are trading one-time headaches (which I personally believe are no more severe than all the other changes that you need to make when changing things: firewalls, DNS, NAT tables, etc.) for ongoing overhead (performance on your NAT device, troubleshooting, bugs in the NAT implementation, overloading of the NAT tables, etc.). I would definitely have things that serve the Internet use public addresses; once you get behind that layer and have devices that only talk to internal stuff, then make it all private addresses.

David Lang

--
There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies. -- C.A.R. Hoare

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
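The renumbering Sanford and Dave Piscitello describe, as an added example that is not part of the thread: with a private-addressed DMZ behind 1:1 static NAT, a new ISP block means rewriting the NAT table in one place plus the public DNS, and keeping both the old and new public addresses forwarded during the propagation window. Hostnames, addresses and block sizes are constructed (RFC 5737 documentation ranges); the functions are hypothetical, not from any firewall product.

```python
import ipaddress
# Constructed sample (RFC 5737 documentation ranges): a private-addressed
# DMZ behind 1:1 static NAT to the old ISP block.
OLD_PUBLIC = ipaddress.ip_network("198.51.100.16/28")
NEW_PUBLIC = ipaddress.ip_network("203.0.113.32/28")
NAT_TABLE = {                       # private DMZ address -> public address
    "10.1.1.10": "198.51.100.18",   # www
    "10.1.1.11": "198.51.100.19",   # smtp
    "10.1.1.12": "198.51.100.20",   # imap
    "10.1.1.13": "198.51.100.21",   # ftp
}
DNS_A = {                           # public zone, name -> A record
    "www.example.com": "198.51.100.18",
    "ftp.example.com": "198.51.100.21",
    "vpn.example.com": "198.51.100.30",  # in the old block, but no NAT entry
}

def renumber_nat(nat, old_net, new_net):
    """New 1:1 table: each host keeps its offset within the public block.
    The private side, and so the internal<->DMZ rules, is untouched."""
    if old_net.prefixlen != new_net.prefixlen:
        raise ValueError("new block must be the same size as the old one")
    new = {}
    for priv, pub in nat.items():
        pub_ip = ipaddress.ip_address(pub)
        if pub_ip not in old_net:
            raise ValueError(f"{pub} is outside {old_net}")
        offset = int(pub_ip) - int(old_net.network_address)
        new[priv] = str(new_net.network_address + offset)
    return new

def dns_changes(dns, old_nat, new_nat):
    """A records to rewrite, name -> (old, new). Names whose address has
    no NAT entry are returned separately: they need manual handling."""
    pub_to_priv = {pub: priv for priv, pub in old_nat.items()}
    changes, unmatched = {}, []
    for name, addr in dns.items():
        if addr in pub_to_priv:
            changes[name] = (addr, new_nat[pub_to_priv[addr]])
        else:
            unmatched.append(name)
    return changes, unmatched

def transition_dnat(old_nat, new_nat):
    """Inbound map for the DNS propagation window: the old and the new
    public address of each service both forward to the same DMZ host."""
    both = {pub: priv for priv, pub in old_nat.items()}
    both.update({pub: priv for priv, pub in new_nat.items()})
    return both
```

Once the old records have aged out of caches (the 3 to 5 days Sanford mentions), the old-block entries in the transition map are dropped and only the renumbered table remains.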