Firewall Wizards mailing list archives

Re: Internet accessible screened subnet - use public or private IPs?


From: "Dave Piscitello" <dave () corecom com>
Date: Fri, 22 Jul 2005 09:33:23 -0400

Isn't this a question of whether you want to route or NAT?

A server that is Internet-facing has to have (or be reachable via) a 
public IP. If your ISP changes your block of public IP addresses, you 
have to change:

1) the mapping between your private IP addresses and the new public 
IP addresses (the static or 1:1 NAT case) or
2) the IP addresses of all the servers, the IPs of the trusted and 
external interfaces on the firewall, and the routing table (or 
routing protocol configuration)

(2) seems like a whole lot more work to me.


On 21 Jul 2005 at 18:28, David Lang wrote:

On Thu, 21 Jul 2005, Paul D. Robertson wrote:

On Fri, 15 Jul 2005, Matt Bazan wrote:

Is there a preferred method of setting up an Internet-facing
screened subnet and the use of public or private IP addresses?
Looking at redesigning our DMZ to only include public resources
(www, smtp, imap, ftp).  Presently we use a private IP address
range for this that is NAT'ed at our firewall.  Any reasons to
change this policy to using public IPs in the DMZ?  Thanks,

If you're NATing to your internal network, then a rework is
necessary- public stuff should be on its own (preferably) physical
subnet.

IP addressing doesn't matter much, since you'll be letting stuff
through the most likely exploit vectors anyway.

The thing I've been hearing for years about why NAT is better is that
you may change ISPs and end up with a new set of IP addresses which
are easier to change if you NAT.

This may be true (I've actually never seen anyone actually DO this),
but you are trading one-time headaches (which I personally believe are
no more severe than all the other changes that you need to make when
changing things, firewalls, DNS, NAT tables, etc.) for ongoing overhead
(performance on your NAT device, troubleshooting, bugs in the NAT
implementation, overloading of the NAT tables, etc.).

I would definitely have things that serve the Internet use public
addresses; once you get behind that layer and have devices that only
talk to internal stuff, then make it all private addresses.

David Lang





-- 
There are two ways of constructing a software design. One way is to
make it so simple that there are obviously no deficiencies. And the
other way is to make it so complicated that there are no obvious
deficiencies.
  -- C.A.R. Hoare
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
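Added example (not from the thread or any poster): a small model of the two renumbering cases Dave lists, static 1:1 NAT versus a routed public DMZ, showing which devices have to be reconfigured when the ISP hands out a new block. The DMZ hosts, private range, public blocks and transit addresses are constructed sample values; the NAT rules are rendered in iptables syntax only to make the case 1 change concrete.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed sample data: the four DMZ services named in the thread, a private
# DMZ range (RFC 1918) and an old and a new ISP block (RFC 5737 documentation
# space).  Offsets are each host's position inside whichever block is current.
DMZ_NET = IPv4Network("192.168.100.0/24")
DMZ_HOSTS = {"www": 2, "smtp": 3, "imap": 4, "ftp": 5}
OLD_BLOCK, NEW_BLOCK = IPv4Network("198.51.100.0/29"), IPv4Network("203.0.113.0/29")
OLD_TRANSIT, NEW_TRANSIT = IPv4Address("198.51.100.9"), IPv4Address("203.0.113.9")


def static_nat_map(public_block):
    """Case 1: private DMZ address -> public address, 1:1 by offset."""
    if max(DMZ_HOSTS.values()) >= public_block.num_addresses - 1:  # keep broadcast free
        raise ValueError(f"{public_block} cannot hold {len(DMZ_HOSTS)} DMZ hosts")
    return {DMZ_NET[off]: public_block[off] for off in DMZ_HOSTS.values()}


def nat_rules(mapping):
    """Render a 1:1 mapping as iptables-style DNAT (inbound) / SNAT (outbound) rules."""
    rules = []
    for priv, pub in sorted(mapping.items()):
        rules.append(f"iptables -t nat -A PREROUTING -d {pub} -j DNAT --to-destination {priv}")
        rules.append(f"iptables -t nat -A POSTROUTING -s {priv} -j SNAT --to-source {pub}")
    return rules


def renumber_nat(old_block, new_block):
    """Case 1 renumbering: servers keep their private addresses, so the only
    edits are the firewall's mapping entries.  Returns {"device: item": (old, new)}."""
    old, new = static_nat_map(old_block), static_nat_map(new_block)
    return {f"firewall: nat {priv}": (old[priv], new[priv]) for priv in old}


def renumber_routed(old_block, new_block, old_transit=OLD_TRANSIT, new_transit=NEW_TRANSIT):
    """Case 2 renumbering: servers carry public addresses, so every server, both
    firewall interfaces (DMZ side at offset 1, external on the ISP transit
    address) and the route to the DMZ all change."""
    changes = {f"{n}: address": (old_block[o], new_block[o]) for n, o in DMZ_HOSTS.items()}
    changes["firewall: trusted (DMZ) interface"] = (old_block[1], new_block[1])
    changes["firewall: external interface"] = (old_transit, new_transit)
    changes["firewall: route to DMZ"] = (old_block, new_block)
    return changes


def devices_touched(changes):
    """Which boxes someone has to log in to for a given set of changes."""
    return {key.split(":")[0] for key in changes}


if __name__ == "__main__":
    for label, fn in (("static NAT", renumber_nat), ("routed public", renumber_routed)):
        changes = fn(OLD_BLOCK, NEW_BLOCK)
        print(f"{label}: {len(changes)} edits on {sorted(devices_touched(changes))}")
    print("\n".join(nat_rules(static_nat_map(NEW_BLOCK))))
```

With the sample data, case 1 is four edits on one device (the firewall), while case 2 touches every server plus the firewall.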