
Firewall Wizards mailing list archives
Re: DMZ Architecture - Using public address space vs. using Private Address space and NAT
From: "Patrick M. Hausen" <hausen () punkt de>
Date: Thu, 2 Aug 2001 18:15:57 +0200 (CEST)
Bernard Stapleton wrote:
Pro:
No address conflict with connecting to external partners. They can route this space internally and so can you, without fear of conflict with another party.
No need for address translation / simplification of management
Ease of passing protocols that are difficult to firewall

Cons:
Security risk if firewall host still routes if firewall software shutdown
More complex management

I was wondering if anyone on this list has anything to say about this topic? I would like to know what people might be doing internally themselves, and why they came to that decision.
I'm using RFC 1918 addresses wherever possible for the reason already given by you for "Cons". If I'm using private address space then direct attacks at my servers through some routing hole are impossible. I explicitly proxy incoming connections port by port from alias interfaces on the firewall outside to the service on a host in the DMZ.

Don't want to do too much Gauntlet advertising here, but with "force source address of originating host" enabled Gauntlet relies strictly on proxies for incoming connections, yet for all DMZ hosts the connections look like they're coming from the Internet - think of web server statistics the marketing types love so much. ;-)

If there are no outgoing connections allowed/no proxies active for the DMZ hosts, then attacks like code red might infect an improperly maintained IIS, but the worm will never make it past that system.

So for me there is no reason to ever use official addresses unless ...

... you need protocols that don't work this way. IPSec comes to mind, but then that is considered a feature rather than a shortcoming. AH guarantees that nobody, no NAT gateway and no proxy, changed anything in the header. So either make your firewall your IPsec gateway or use multiple DMZs.

Another protocol that I really consider braindamaged by design at times when firewalls are all over the place is H.323. So for H.323 gateways a DMZ with official addresses is necessary.

My .02 Euro ;-)

Patrick
--
--- WEB ISS GmbH - Scheffelstr. 17a - 76135 Karlsruhe - 0721/9109-0 ---
------ Patrick M. Hausen - Technical Director - hausen () punkt de -------
"Two men say, they're Jesus - one of 'em must be wrong." (Dire Straits)

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
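Patrick's point that AH covers the IP header, so a NAT gateway rewriting a private source address breaks the integrity check while an ordinary router hop does not, shown as an added illustration that is not from the post or from any IPsec implementation: a simplified HMAC-SHA1-96 AH ICV following the RFC 4302 mutable-field rules (TOS, flags/fragment offset, TTL and checksum zeroed). The key, addresses, SPI and payload are constructed for the demo, and the IPv4 checksum is left at zero for brevity.

```python
import hashlib
import hmac
import ipaddress
import struct

def ipv4_header(src, dst, proto=51, ttl=64, length=60, ident=0x1234):
    """Minimal 20-byte IPv4 header; proto 51 = AH. Checksum left at 0 (demo only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, ident, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def ah_immutable_view(ip_hdr):
    """Zero the fields RFC 4302 treats as mutable before computing the ICV."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS / DSCP
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)           # source and destination addresses stay covered

def ah_icv(key, ip_hdr, spi, seq, payload):
    """HMAC-SHA1-96 over immutable IP fields + AH header (ICV zeroed) + payload."""
    # next header 6 (TCP), payload len 4 (= AH length in 32-bit words minus 2), reserved 0
    ah_hdr = struct.pack("!BBHII", 6, 4, 0, spi, seq) + b"\x00" * 12
    mac = hmac.new(key, ah_immutable_view(ip_hdr) + ah_hdr + payload, hashlib.sha1).digest()
    return mac[:12]           # truncated to 96 bits

def verify(key, ip_hdr, spi, seq, payload, icv):
    return hmac.compare_digest(ah_icv(key, ip_hdr, spi, seq, payload), icv)

def nat_rewrite_source(ip_hdr, new_src):
    """What a NAT gateway does on the way out: replace the private source address."""
    h = bytearray(ip_hdr)
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(h)

def router_decrement_ttl(ip_hdr):
    """What every plain router hop does: TTL is mutable, so AH ignores it."""
    h = bytearray(ip_hdr)
    h[8] -= 1
    return bytes(h)

def demo():
    key = b"constructed-demo-key"                   # constructed, not a real SA key
    payload = b"GET / HTTP/1.0\r\n\r\n"
    hdr = ipv4_header("10.1.2.3", "198.51.100.10")  # RFC 1918 source, documentation-range destination
    icv = ah_icv(key, hdr, spi=0x100, seq=1, payload=payload)
    return {
        "unchanged": verify(key, hdr, 0x100, 1, payload, icv),
        "after_ttl_decrement": verify(key, router_decrement_ttl(hdr), 0x100, 1, payload, icv),
        "after_nat": verify(key, nat_rewrite_source(hdr, "203.0.113.5"), 0x100, 1, payload, icv),
    }
```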
Current thread:
- DMZ Architecture - Using public address space vs. using Private Address space and NAT Stapleton, Bernard (Australia) (Aug 02)
- Re: DMZ Architecture - Using public address space vs. using Private Address space and NAT Patrick M. Hausen (Aug 02)
- Re: DMZ Architecture - Using public address space vs. using Private Address space and NAT m p (Aug 04)
- <Possible follow-ups>
- Re: DMZ Architecture - Using public address space vs. using Private Address space and NAT Chris St. Clair (Aug 04)