Monday, July 25, 2005

firewall-wizards digest, Vol 1 #1641 - 10 msgs

Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com

You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."

Today's Topics:

1. Re: Internet accessible screened subnet - use public or private IPs? (Victor Williams)
2. Re: Internet accessible screened subnet - use public or private IPs? (David Lang)
3. Re: Internet accessible screened subnet - use public or private IPs? (Victor Williams)
4. RE: Internet accessible screened subnet - use public or private IPs? (Sanford Reed)
5. RE: Intel vs. special purpose FW-1 servers (Ionut Boldizsar)
6. RE: Intel vs. special purpose FW-1 servers (Marcus J. Ranum)
7. Best CheckPoint on BladeFusion, Alteon, Crossbeam, etc? (Emily Conrad)
8. RE: Internet accessible screened subnet - use public or private IPs? (lordchariot@earthlink.net)

--__--__--

Message: 1
Date: Fri, 22 Jul 2005 19:21:06 -0500
From: Victor Williams <vbwilliams@neb.rr.com>
To: David Lang <david.lang@digitalinsight.com>
Cc: Dave Piscitello <dave@corecom.com>,
firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Internet accessible screened subnet - use public or private IPs?

Everyone has missed the point.

The whole issue of using NAT or not has nothing to do with work
associated with either. The whole reason NAT was implemented was
because of a very finite (and quickly running out supply, depending
on who you ask) number of publicly routable IP addresses. Instead of
assigning every machine that wanted internet access a public IP address,
it was just more cost-effective (IP addresses cost money) to use NAT or
masquerading...whatever your lingo is...to address those hosts that only
needed outgoing access--who weren't serving content.

Whether you address your publicly accessible hosts directly with public
ip addresses or you use static NAT translations is up to the preference
of the administrator. If you have enough public IP addresses and $
isn't an object, then your preference for assigning them all public IP
addresses really doesn't make a difference. If you don't have enough
public IP addresses and you have a limited budget and have to allow many
services on the internet with less public IP addresses, then it sounds
like you'll be using NAT or PAT.

There is no clear-cut *better* way universally. Several different ways
work if you have your head screwed on straight.

My personal preference is to use private ip addresses everywhere inside
my firewall...even in my DMZ. That way I control my public IP addresses
at one point only, and that's my firewall. If for some reason I change
ISP's or my ISP wants to change my IP address range (which hasn't
happened in over 9 years), I make my IP address changes in two spots:
my firewall(s), and my DNS servers. Nothing else changes. To me, it's
simpler. Others like to be complicated...so YMMV.

David Lang wrote:
> On Fri, 22 Jul 2005, Dave Piscitello wrote:
>
>> Isn't this a question of whether you want to route or NAT?
>>
>> A server that is Internet-facing has to have (or be reachable via) a
>> public IP. If your ISP changes your block of public IP addresses, you
>> have to change:
>>
>> 1) the mapping between your private IP addresses and the new public
>> IP addresses (the static or 1:1 NAT case) or
>> 2) the IP addresses of all the servers, the IPs of the trusted and
>> external interfaces on the firewall, and the routing table (or
>> routing protocol configuration)
>>
>> (2) seems like a whole lot more work to me.
>
>
> first off, how frequently does your ISP reallocate your address range?
>
> secondly you are ignoring all the other work that you need to do when
> this change takes place. with all that in mind the difference in the
> amount of work seems a lot less.
>
> and as I said below, the trade off for simplifying this rare occurrence
> of changing your IP range comes with day-to-day costs in running NAT.
>
> David Lang
>
>>
>> On 21 Jul 2005 at 18:28, David Lang wrote:
>>
>>> On Thu, 21 Jul 2005, Paul D. Robertson wrote:
>>>
>>>> On Fri, 15 Jul 2005, Matt Bazan wrote:
>>>>
>>>>> Is there a preferred method of setting up a Internet facing
>>>>> screened subnet and the use of public or private IP addresses?
>>>>> Looking at redesigning our DMZ to only include public resources
>>>>> (www, smtp, imap, ftp). Presently we use a private IP address
>>>>> range for this that is NAT'ed at our firewall. Any reasons to
>>>>> change this policy to using public IPs in the DMZ? Thanks,
>>>>
>>>>
>>>> If you're NATing to your internal network, then a rework is
>>>> necessary- public stuff should be on its own (preferably) physical
>>>> subnet.
>>>>
>>>> IP addressing doesn't matter much, since you'll be letting stuff
>>>> through the most likely exploit vectors anyway.
>>>
>>>
>>> The thing I've been hearing for years about why NAT is better is that
>>> you may change ISP's and end up with a new set of IP addresses which
>>> are easier to change if you NAT.
>>>
>>> this may be true (I've actually never seen anyone actually DO this),
>>> but you are trading one-time headaches (which I personally believe are
>>> no more severe than all the other changes that you need to make when
>>> changing things, firewalls, DNS, NAT tables, etc) for ongoing overhead
>>> (performance on your NAT device, troubleshooting, bugs in the NAT
>>> implementation, overloading of the NAT tables, etc)
>>>
>>> I would definitely have things that serve the Internet use public
>>> addresses, once you get behind that layer and have devices that only
>>> talk to internal stuff, then make it all private addresses.
>>>
>>> David Lang
>>>
>>> --
>>> There are two ways of constructing a software design. One way is to
>>> make it so simple that there are obviously no deficiencies. And the
>>> other way is to make it so complicated that there are no obvious
>>> deficiencies.
>>> -- C.A.R. Hoare
>>> _______________________________________________
>>> firewall-wizards mailing list
>>> firewall-wizards@honor.icsalabs.com
>>> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

--__--__--

Message: 2
From: David Lang <david.lang@digitalinsight.com>
To: Victor Williams <vbwilliams@neb.rr.com>
Cc: Dave Piscitello <dave@corecom.com>,
firewall-wizards@honor.icsalabs.com
Date: Fri, 22 Jul 2005 17:26:53 -0700 (PDT)
Subject: Re: [fw-wiz] Internet accessible screened subnet - use public or private IPs?

On Fri, 22 Jul 2005, Victor Williams wrote:

> Everyone has missed the point.
>
> The whole issue of using NAT or not has nothing to do with work associated
> with either. The whole reason NAT was implemented was because of a very
> finite (and quickly running out supply, depending on who you ask) number
> of publicly routable IP addresses. Instead of assigning every machine that
> wanted internet access a public IP address, it was just more cost-effective
> (IP addresses cost money) to use NAT or masquerading...whatever your lingo
> is...to address those hosts that only needed outgoing access--who weren't
> serving content.

however, for a DMZ (the question that was asked) you are typically
providing service to the Internet, and for that you run into a bunch of
very interesting issues if you try to use NAT to reduce the number of IP
addresses you use.

David Lang


--
There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies.
-- C.A.R. Hoare

--__--__--

Message: 3
Date: Fri, 22 Jul 2005 22:33:50 -0500
From: Victor Williams <vbwilliams@neb.rr.com>
To: David Lang <david.lang@digitalinsight.com>
Cc: Dave Piscitello <dave@corecom.com>,
firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Internet accessible screened subnet - use public or private IPs?

I've seen the interesting issues as well. But in 90+% of the networks I
deal with, I don't find those issues. It's only when the admin I'm
working with and I have 20 services in the DMZ that need to be provided
publicly, but their ISP has only given them a /29 subnet to use, that my
head starts to hurt.

My overall point was, if you have the $ for IP addresses or already have
them, it's discretionary...it's up to you to use NAT or not. If you
don't have the IP addresses to spare, then sometimes you have to get
creative. I guess I didn't see the issue as more/less work, or
routing/not routing if you knew what you were doing...it just becomes
preference of implementation at that point.

> however, for a DMZ (the question that was asked) you are typically
> providing service to the Internet, and for that you run into a bunch of
> very interesting issues if you try to use NAT to reduce the number of IP
> addresses you use.
>
> David Lang

--__--__--

Message: 4
Reply-To: <sanford.reed@reed-assoc-llc.com>
From: "Sanford Reed" <sanford.reed@cox.net>
To: <firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] Internet accessible screened subnet - use public or private IPs?
Date: Sat, 23 Jul 2005 18:58:50 -0400
Organization: Reed & Associates, LLC

I've had to change Public address schemes on two occasions. Both were caused
by the customer changing ISP Vendors. I 'only' had to ensure changes were
made in two locations.
Yes, by using 'Private' address schemes on both the Internal and the DMZ I
had to 'build' and maintain two sets of access rules but setting them up
wasn't very difficult. They just took a little planning and thought before
deployment.

1. The Firewall - Using NAT'ed addresses made it fairly simple even with a
'Private Addressed DMZ' for 'Public' services, as you only had to change the
NAT table in one location. Rules between the Internal and the DMZ didn't
change because nothing needed to change on those interfaces. Neither took
more than two hours total to 'reset' the NAT tables.

2. DNS - This is where most of the problems lie. Due to the time (3 to 5
days) needed for DNS changes to propagate you could have some connectivity
issues unless you can 'mirror' the Public services onto both address subnets
for a short period.

Sanford Reed
(V) 757.406.7067
-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of David Lang
Sent: Friday, July 22, 2005 1:54 PM
To: Dave Piscitello
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Internet accessible screened subnet - use public or private IPs?

On Fri, 22 Jul 2005, Dave Piscitello wrote:

> Isn't this a question of whether you want to route or NAT?
>
> A server that is Internet-facing has to have (or be reachable via) a
> public IP. If your ISP changes your block of public IP addresses, you
> have to change:
>
> 1) the mapping between your private IP addresses and the new public
> IP addresses (the static or 1:1 NAT case) or
> 2) the IP addresses of all the servers, the IPs of the trusted and
> external interfaces on the firewall, and the routing table (or
> routing protocol configuration)
>
> (2) seems like a whole lot more work to me.

first off, how frequently does your ISP reallocate your address range?

secondly you are ignoring all the other work that you need to do when this
change takes place. with all that in mind the difference in the amount of
work seems a lot less.

and as I said below, the trade off for simplifying this rare occurrence of
changing your IP range comes with day-to-day costs in running NAT.

David Lang

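An added illustration of the "change in two spots" renumbering that Sanford and Victor describe, and of the /29 case where 1:1 NAT runs out of public addresses; this is not code from any list member. All names, addresses (RFC 5737 documentation blocks and RFC 1918 space) and function names are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class NatEntry:
    name: str             # public DNS name of the service
    private: IPv4Address  # RFC 1918 address of the DMZ host; never changes
    public: IPv4Address   # routed address the firewall translates to


# Constructed DMZ: the four services from the original question, on a
# private subnet behind the firewall (hypothetical names and addresses).
DMZ_SERVICES = [
    ("www.example.com", ip_address("10.10.20.10")),
    ("smtp.example.com", ip_address("10.10.20.11")),
    ("imap.example.com", ip_address("10.10.20.12")),
    ("ftp.example.com", ip_address("10.10.20.13")),
]
OLD_BLOCK = ip_network("198.51.100.0/29")  # constructed: block from ISP A
NEW_BLOCK = ip_network("203.0.113.0/28")   # constructed: block from ISP B


def mappable_hosts(block: IPv4Network) -> list[IPv4Address]:
    """Public addresses that can carry a 1:1 mapping. .hosts() already
    drops network and broadcast; the first remaining address is reserved
    for the firewall's own outside interface."""
    return list(block.hosts())[1:]


def build_nat_table(services, block: IPv4Network) -> list[NatEntry]:
    """One static NAT row per service, in order. Fails loudly when the ISP
    block is too small for 1:1 NAT (the 20-services-on-a-/29 case), which
    is where PAT or port sharing becomes unavoidable."""
    pool = mappable_hosts(block)
    if len(services) > len(pool):
        raise ValueError(f"{len(services)} services but only {len(pool)} "
                         f"mappable addresses in {block}: 1:1 NAT needs PAT")
    return [NatEntry(n, priv, pub)
            for (n, priv), pub in zip(services, pool)]


def renumber(table: list[NatEntry], new_block: IPv4Network) -> list[NatEntry]:
    """Re-issue the table against a new block, keeping each service at the
    same offset. The private column is carried over untouched, which is why
    rules between the DMZ and internal interfaces need no editing."""
    return build_nat_table([(e.name, e.private) for e in table], new_block)


def dns_records(table: list[NatEntry]) -> dict[str, str]:
    """Public zone A records: the second of the 'two spots' to update."""
    return {e.name: str(e.public) for e in table}


def change_set(old: list[NatEntry], new: list[NatEntry]) -> dict:
    """Everything an admin must touch: NAT rows (keyed by the unchanged
    private address) and DNS records whose target moved. Nothing else."""
    old_pub = {e.private: e.public for e in old}
    nat = {str(e.private): (str(old_pub[e.private]), str(e.public))
           for e in new if old_pub[e.private] != e.public}
    old_dns, new_dns = dns_records(old), dns_records(new)
    dns = {n: (old_dns[n], new_dns[n])
           for n in new_dns if old_dns[n] != new_dns[n]}
    return {"nat": nat, "dns": dns}


def overlap_rules(old: list[NatEntry], new: list[NatEntry]) -> list[tuple[str, str]]:
    """Inbound (public -> private) rows to keep active while DNS propagates:
    old and new public address both reach the same DMZ host, so clients
    still holding cached records keep working. Only possible while the old
    block is still routed to you, so agree that window with the old ISP."""
    rows = []
    for o, n in zip(old, new):
        rows.append((str(o.public), str(o.private)))
        rows.append((str(n.public), str(n.private)))
    return rows


def plan_move():
    """Full worked move from OLD_BLOCK to NEW_BLOCK."""
    old = build_nat_table(DMZ_SERVICES, OLD_BLOCK)
    new = renumber(old, NEW_BLOCK)
    return old, new, change_set(old, new), overlap_rules(old, new)


if __name__ == "__main__":
    old, new, changes, overlap = plan_move()
    for priv, (was, now) in changes["nat"].items():
        print(f"NAT  {priv:<14} {was} -> {now}")
    for name, (was, now) in changes["dns"].items():
        print(f"DNS  {name:<18} {was} -> {now}")
    print(f"{len(overlap)} inbound rows active during propagation")
```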

--__--__--

Message: 5
Subject: RE: [fw-wiz] Intel vs. special purpose FW-1 servers
Date: Sun, 24 Jul 2005 23:28:22 +0300
From: "Ionut Boldizsar" <ionut@provision.ro>
To: "Marcus J. Ranum" <mjr@ranum.com>
Cc: <firewall-wizards@honor.icsalabs.com>

> -----Original Message-----
> From: firewall-wizards-admin@honor.icsalabs.com
> [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf
> Of Marcus J. Ranum
> Sent: Friday, July 22, 2005 6:06 AM
> To: David Lang; Emily Conrad
> Cc: firewall-wizards@honor.icsalabs.com
> Subject: Re: [fw-wiz] Intel vs. special purpose FW-1 servers
>
> With technology today I recommend (in general) never buying
> maintenance and expecting to turn a product over every year or
> 2 - or keep it indefinitely as long as it works. I tend to do
> scorched-earth hard disk upgrades every
> 2 years (yay, digital photography) but I am still using
> Office '95 and it runs just great on my 2Ghz machine.
>
> So, yes, think about the future - but think about it from the
> standpoint of "most of this stuff DOESN'T HAVE A FUTURE."
>
> mjr.

This is all great, but I hope you are mainly referring to hardware
equipment and office suites, otherwise you just put 80 % of us out of
business (both vendors and practitioners) :)
I somehow believe that security related software should be
updated/maintained as much as possible. Mainly because anyhow this is all
reactive, thus two steps behind the real threat.
You might be using Office 95, and do a great job with it, but I doubt
you're still using a '95 antivirus on that PC, right? :)

And still, your last phrase is pure truth: most of this stuff really has
no future.

//ionut

--__--__--

Message: 6
Date: Sun, 24 Jul 2005 19:53:23 -0400
To: "Ionut Boldizsar" <ionut@provision.ro>
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: RE: [fw-wiz] Intel vs. special purpose FW-1 servers
Cc: <firewall-wizards@honor.icsalabs.com>

Ionut Boldizsar wrote:
>I somehow believe that security related software should be
>update/maintained as much as possible.

I think the industry places entirely the wrong emphasis on updating
and patching software. I believe that security related software
should never need patching or updating. If you're exposing software
to the Internet and you know it's such a buggy wad of tripe that it
needs a patch once a month - you're using the wrong software and
you need to re-assess your overall system design.

mjr.

--__--__--

Message: 7
From: "Emily Conrad" <emilydconrad@hotmail.com>
To: firewall-wizards@honor.icsalabs.com
Date: Sun, 24 Jul 2005 19:38:08 +0000
Subject: [fw-wiz] Best CheckPoint on BladeFusion,Alteon,Crossbeam, etc?

Hi,

Does anyone know of a review that analyses where CheckPoint runs best, on
platforms such as BladeFusion, Alteon, Crossbeam Systems, etc.?

thanks,

Emily


--__--__--

Message: 8
From: <lordchariot@earthlink.net>
To: <firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] Internet accessible screened subnet - use public or private IPs?
Date: Mon, 25 Jul 2005 20:12:58 -0400

What about when IPv6 becomes predominant on the net?
Am I mistaken that there doesn't seem to be any concept of NAT in the IPv6
specs?
I could be wrong, but I thought I found that somewhere.

Erik

> -----Original Message-----
> From: firewall-wizards-admin@honor.icsalabs.com
> [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf
> Of David Lang
> Sent: Friday, July 22, 2005 8:27 PM
> To: Victor Williams
> Cc: Dave Piscitello; firewall-wizards@honor.icsalabs.com
> Subject: Re: [fw-wiz] Internet accessible screened subnet - use public or private IPs?

--__--__--

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

End of firewall-wizards Digest
