----- Original Message -----
Sent: Saturday, November 11, 2000 4:35 PM
Subject: RE: [FW1] Opinion Requested - to NAT or not to NAT DMZ Addresses
Why would you want to use NAT on DMZ devices?

If you are running NT and you stop the firewall services (or they crash, for instance), then it will route all packets to those DMZ servers regardless of rulebase etc. (Obviously, the FW-1 service is not controlling packets and the OS is acting as a dumb router.)

If you NAT the DMZ legs, then in the case of your firewall services failing they will not be vulnerable.

I haven't really seen any performance problems at all. FW-1 seems amazingly efficient for what it does.
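As an added example (not code from the thread, and not anything the posters configured), here is a small Python model of the fail-open argument above: when the firewall service stops and the OS keeps forwarding between its interfaces, an Internet client can still address any DMZ host whose configured address is globally routable, while a host that only exists behind a static NAT entry on a private address is no longer reachable because the translation is gone and upstream routers do not carry RFC 1918 destinations. The host names, subnets (TEST-NET-3 and 10.1.1.0/24) and NAT table are constructed for the illustration; the routing model is deliberately simplified and ignores the rulebase, since the scenario is precisely that the rulebase is no longer enforced.

```python
"""Model of the DMZ fail-open argument: which hosts stay reachable from the
Internet when the firewall module dies but the OS still forwards packets.

Added example, not code from the original thread. All addresses, host names
and NAT entries below are constructed (assumed) for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# RFC 1918 space: Internet routers do not carry these destinations, so a DMZ
# host configured with one of them can only be reached while something on the
# firewall is translating a public address to it.
PRIVATE_NETS = (
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
)


def internet_routable(addr: str | IPv4Address) -> bool:
    """True if an Internet client can put this address in an IP header and
    expect the packet to be delivered towards us."""
    a = ip_address(addr)
    return not any(a in net for net in PRIVATE_NETS)


@dataclass
class DmzPlan:
    dmz_net: IPv4Network                 # subnet on the firewall's DMZ leg
    hosts: dict[str, IPv4Address]        # host name -> address configured on the host itself
    static_nat: dict[IPv4Address, IPv4Address] = field(default_factory=dict)  # public -> DMZ address


def exposed_when_module_down(plan: DmzPlan) -> set[str]:
    """Hosts an Internet client can still address with the firewall service
    stopped: the OS forwards to any connected subnet with no rulebase, so the
    only thing that protects a host now is whether its address is routable."""
    return {name for name, addr in plan.hosts.items() if internet_routable(addr)}


def check_plan(plan: DmzPlan) -> list[str]:
    """Sanity checks a practitioner would run on the address plan."""
    findings: list[str] = []
    for name, addr in plan.hosts.items():
        if addr not in plan.dmz_net:
            findings.append(f"{name}: {addr} is not on the DMZ subnet {plan.dmz_net}")
        if internet_routable(addr):
            findings.append(f"{name}: {addr} is globally routable; exposed if the firewall fails open")
    for pub, priv in plan.static_nat.items():
        if not internet_routable(pub):
            findings.append(f"NAT {pub}->{priv}: public side is RFC 1918, Internet clients cannot reach it")
        if priv not in plan.dmz_net:
            findings.append(f"NAT {pub}->{priv}: private side is not on the DMZ subnet {plan.dmz_net}")
        if priv not in plan.hosts.values():
            findings.append(f"NAT {pub}->{priv}: no DMZ host is configured with {priv}")
    return findings


# Constructed plan 1: "valid" (public) addresses directly on the DMZ servers.
PUBLIC_PLAN = DmzPlan(
    dmz_net=ip_network("203.0.113.0/28"),
    hosts={"www": ip_address("203.0.113.10"), "mail": ip_address("203.0.113.11")},
)

# Constructed plan 2: private addresses on the servers, static NAT on the firewall.
NAT_PLAN = DmzPlan(
    dmz_net=ip_network("10.1.1.0/24"),
    hosts={"www": ip_address("10.1.1.10"), "mail": ip_address("10.1.1.11")},
    static_nat={
        ip_address("203.0.113.10"): ip_address("10.1.1.10"),
        ip_address("203.0.113.11"): ip_address("10.1.1.11"),
    },
)

if __name__ == "__main__":
    for label, plan in (("public DMZ", PUBLIC_PLAN), ("NATed DMZ", NAT_PLAN)):
        print(f"{label}: exposed with firewall module down -> {sorted(exposed_when_module_down(plan))}")
        for f in check_plan(plan):
            print(f"  finding: {f}")
```

Running it shows the public plan leaving both servers addressable from the Internet once the module stops, and the NAT plan leaving none; `check_plan` flags the public addresses as the fail-open exposure and validates that every NAT entry points at a real host on the DMZ subnet.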
Speed. Firewall load. Latency. NAT modifies every packet involved in the rule, and thus adds latency. If you are running 100 Mb or higher, you probably don't want to use NAT.

HTH,
CryptoTech
Brian Burns wrote:

I am doing a redesign of our existing network and have been asked to use private addressing with NAT. I am not pro/against it - but I have always used valid addresses on my DMZ servers. So... why would one want to use NAT on your DMZ devices? Comments?

Brian