Re: [fw-wiz] Internet accessible screened subnet - use public
On Thu, 21 Jul 2005, Paul D. Robertson wrote:
> On Fri, 15 Jul 2005, Matt Bazan wrote:
>> Is there a preferred method of setting up a Internet facing screened
>> subnet and the use of public or private IP addresses? Looking at
>> redesinging our DMZ to only include public resources (www, smtp, imap,
>> ftp). Presently we use a private IP address range for this that is
>> NAT'ed at our firewall. Any reasons to change this policy to using
>> public IPs in the DMZ? Thanks,[/color]
> If you're NATing to your internal network, then a rework is necessary-
> public stuff should be on its own (preferably) physical subnet.
> IP addressing doesn't matter much, since you'll be letting stuff through
> the most likely exploit vectors anyway.[/color]
The thing I've been eharing for years about why NAT is better is that you
may change ISP's and end up with a new set of IP addresses which are
easier to change if you NAT.
this may be true (I've actually never seen anyone acutally DO this), but
you are trading one-time headaches (which I personally believe are no more
severe then all the other changes that you need to make when changing
things, firewalls, DNS, NAT tables, etc) for ongoing overhead (performance
on your NAT device, troubleshooting, bugs in the NAT implementation,
overloading of the NAT tables, etc)
I would definantly have things that server the Internet use public
addresses, once you get behind that layer and have devices that only talk
to internal stuff, then make it all private addresses.
There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies.
-- C.A.R. Hoare
firewall-wizards mailing list