Firewall Wizards mailing list archives

RE: DMZ Architecture - Using public address space vs. using private address space and NAT


From: "Benjamin P. Grubin" <bgrubin () pobox com>
Date: Fri, 3 Aug 2001 16:27:03 -0400

IMHO, this is not a particularly strong reason to make a high-impact
architectural decision like RFC1918 and NAT.  Major upheavals like
moving a site from one ISP's address space to another are a big challenge
for many reasons; changing the addresses should be a microscopic issue
in comparison.

The design issue is to ensure that all scripts, configuration files, and
things like web referrals and URLs all use symbolic addresses.
Hardcoding IP's is a real problem, and it'll bite you at some point no
matter what address space you use.  The IP's that must be hard-coded
should be very carefully tracked, change controlled, and kept to an
absolute minimum.  Hardware expansion, disaster recovery, load
balancing, site moves and minor architectural changes can all be made
hell by hardcoding IP's everywhere.

Just my $.02

Cheers,
Ben
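
Ben's advice above is to track hardcoded IPs and keep them to a minimum. The script below is an added example, not something posted in this thread: it scans a configuration file for IPv4 literals, separates RFC1918 space from public space (the two cases the thread compares), and skips loopback and 0.0.0.0 by default because those never change when a site renumbers. The sample configuration it runs on is constructed for the example; the addresses in it come from documentation ranges, not from any real site.

```python
import ipaddress
import re

# Dotted-quad candidates with no adjacent word character or dot, so
# "app1.dmz.example.com" and version strings like "2.4.1" are not picked up.
# Each candidate is validated by ipaddress before it counts as a finding.
IPV4_CANDIDATE = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.])")

# RFC1918 private ranges, listed explicitly rather than relying on
# IPv4Address.is_private, which also covers ranges outside RFC1918.
RFC1918 = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed sample: the kind of proxy config the thread warns about.
SAMPLE_CONFIG = """\
# web tier reverse proxy (constructed example)
upstream app { server app1.dmz.example.com:8080; }
upstream legacy { server 203.0.113.25:8080; }   # hardcoded public address
db_host = 10.20.30.40                            # hardcoded RFC1918 address
listen 0.0.0.0:443
allow 127.0.0.1
version = 2.4.1
"""


def classify(addr):
    """Label an address by the way a renumbering would affect it."""
    if addr.is_loopback or addr.is_unspecified:
        return "local"          # never changes with the site's address space
    if any(addr in net for net in RFC1918):
        return "rfc1918"        # survives an ISP change only if NAT hides it
    return "public"             # must change if the site moves ISP


def find_hardcoded_ips(text, include_local=False):
    """Return (line_no, literal, kind) for each IPv4 literal in text.

    kind is 'public', 'rfc1918' or 'local'. Local addresses are dropped
    unless include_local is set, since they are not address-space dependent.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for candidate in IPV4_CANDIDATE.findall(line):
            try:
                addr = ipaddress.IPv4Address(candidate)
            except ipaddress.AddressValueError:
                continue        # e.g. an octet above 255; not an address
            kind = classify(addr)
            if kind == "local" and not include_local:
                continue
            findings.append((line_no, candidate, kind))
    return findings


def summarize(findings):
    """Count findings per kind, so a review can see what a move would touch."""
    counts = {"public": 0, "rfc1918": 0, "local": 0}
    for _, _, kind in findings:
        counts[kind] += 1
    return counts


if __name__ == "__main__":
    hits = find_hardcoded_ips(SAMPLE_CONFIG)
    for line_no, literal, kind in hits:
        print(f"line {line_no}: {literal} ({kind})")
    print(summarize(hits))
```

Run over a real tree with `find_hardcoded_ips(open(path).read())` per file; every "public" hit is a line that has to change on an ISP move, and every "rfc1918" hit is one that only survives the move because NAT is in front of it, which is the trade-off the thread is about.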

-----Original Message-----
From: firewall-wizards-admin () nfr com 
[mailto:firewall-wizards-admin () nfr com] On Behalf Of ruka +
Sent: Thursday, August 02, 2001 11:47 AM
To: bernard_stapleton () exchange au ml com; firewall-wizards () nfr com
Subject: RE: [fw-wiz] DMZ Architecture - Using public address space vs. using private address space and NAT


Another reason for using private address space + NAT is a possible future
migration to another ISP. It's just a matter of changing the NAT rules in
the firewall.

If using public addresses on the DMZ machines, you'll have to change config
files and scripts using IP addresses, and only the devil knows what problems
can surface. ;->

From: "Stapleton, Bernard (Australia)" <bernard_stapleton () exchange au ml com>
To: "'firewall-wizards () nfr com'" <firewall-wizards () nfr com>
Date: Thu, 2 Aug 2001 01:04:28 +0900

Everyone,

We have started an interesting conversation at work at the moment, 
regarding whether to use public address space in our DMZs.

The idea of using public address space has its pros and cons.

Pros:

- No address conflict when connecting to external partners. They can
  route this space internally and so can you, without fear of conflict
  with another party.
- No need for address translation / simplification of management.
- Ease of passing protocols that are difficult to firewall.

Cons:

- Security risk if the firewall host still routes when the firewall
  software is shut down.
- More complex management.

I was wondering if anyone on this list has anything to say about this
topic? I would like to know what people might be doing internally
themselves, and why they came to that decision.

Thanks

Berny



All opinions / arguments and anything else otherwise stated in this
email are my own, and not of my employer.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com 
http://list.nfr.com/mailman/listinfo/firewall-wizards








