Re: [FW1] Opinion Requested - to NAT or not to NAT DMZ Addresses
Brian/Carl,

Yes, it is true that you can configure your firewall to continue routing if the firewall daemon dies (or is stopped). Best practices state that you should never do that, however.

As for the "To NAT, or NOT to NAT" question, IMHO, it really depends.... Personally, I like to leave my DMZs publicly addressed, since the DMZ is, by definition, for publishing applications to the Internet or other non-trusted third parties. I've heard arguments the other way, but most of them were based on a very minute additional layer of "security by obscurity" (which has been proven to be an unsuccessful technique). But my counter argument was "If someone breaks in to a machine in the DMZ, who cares if the actual IP of that machine is public or private? They'd see that in either case, and be able to use that box to hop on to others..."

So, the long and short of it is that privately addressing your DMZ really doesn't buy you very much, and can also add a lot of processing overhead onto the firewall.

Just my $.02... HIH...

Jason

At 08:12 PM 11/11/00 -0600, Brian Burns wrote:
> Doesn't FW1 have the option to let it control NT's IP forwarding, so
> that if the FW is stopped or the services fail packets are not routed?
>
> ----- Original Message -----
> From: Carl E. Mankinen
> To: CryptoTech ; Brian Burns
> Cc: [email protected]
> Sent: Saturday, November 11, 2000 4:35 PM
> Subject: RE: [FW1] Opinion Requested - to NAT or not to NAT DMZ Addresses
>
> Why would you want to use NAT on DMZ devices? If you are running NT and
> you stop the firewall services (or they crash for instance), then it will
> route all packets to those DMZ servers regardless of rulebase etc.
> (obviously, the fw-1 service is not controlling packets and the OS is
> acting as a dumb router.) If you NAT the DMZ legs, then in the case of
> your firewall services failing they will not be vulnerable. I haven't
> really seen any performance problems at all. FW-1 seems amazingly
> efficient for what it does.
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of CryptoTech
> Sent: Saturday, November 11, 2000 9:20 AM
> To: Brian Burns
> Cc: [email protected]
> Subject: Re: [FW1] Opinion Requested - to NAT or not to NAT DMZ Addresses
>
> If you are running 100mb or higher, you probably don't want to use nat
>
> HTH,
> CryptoTech
>
> Brian Burns wrote:
>
> I am doing a redesign of our existing network and have been asked to use
> private addressing with NAT. I am not pro/against it - but I have always
> used valid addresses on my DMZ servers. So... why would one want to use
> NAT on your DMZ devices? Comments?
>
> Brian

================================================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
================================================================================
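The fail-closed behaviour the thread turns on (the firewall controlling the OS's IP forwarding, so that packets are not routed when the firewall service is stopped or crashes) can be expressed as a small host-side check. The following is an added example and is not code from any of the posters or from Check Point: a POSIX shell watchdog for a Linux packet-filter host that turns kernel forwarding off when the firewall daemon is not running. The daemon name `fw-daemon`, the use of `pgrep`, and the Linux `net.ipv4.ip_forward` sysctl are assumptions made for the example; the NT mechanism discussed in the thread is a different implementation of the same idea.

```shell
#!/bin/sh
# Added example, not from the thread. Fail-closed forwarding check:
# if the firewall daemon is dead but the kernel is still forwarding,
# the host has become the "dumb router" described in the thread, so
# forwarding is switched off until the firewall is back.
# Assumptions: Linux (/proc/sys/net/ipv4/ip_forward), pgrep available,
# and a daemon name supplied by the caller (placeholder: fw-daemon).

# decide_forwarding FW_RUNNING IP_FORWARD
# Pure policy decision, kept separate so it can be tested without root.
# Prints one of:
#   ok       firewall up and forwarding on (normal operating state)
#   disable  firewall down but kernel still forwarding (the unsafe state)
#   idle     forwarding already off, nothing to do
decide_forwarding() {
  fw_running="$1"   # 1 if the firewall daemon is alive, else 0
  ip_forward="$2"   # current net.ipv4.ip_forward value (0 or 1)
  if [ "$ip_forward" = "0" ]; then
    echo idle
  elif [ "$fw_running" = "1" ]; then
    echo ok
  else
    echo disable
  fi
}

# firewall_alive DAEMON: prints 1 if a process with that exact name exists
firewall_alive() {
  if pgrep -x "$1" >/dev/null 2>&1; then echo 1; else echo 0; fi
}

# current_ip_forward: read the kernel forwarding flag; treat unreadable as 0
current_ip_forward() {
  cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo 0
}

# enforce [DAEMON]: run the check once and act on it (needs root to disable)
enforce() {
  daemon="${1:-fw-daemon}"   # placeholder name; set to your real daemon
  action=$(decide_forwarding "$(firewall_alive "$daemon")" "$(current_ip_forward)")
  case "$action" in
    disable)
      echo "firewall '$daemon' not running; disabling IP forwarding" >&2
      sysctl -w net.ipv4.ip_forward=0
      ;;
    ok)
      echo "firewall '$daemon' up, forwarding on"
      ;;
    idle)
      echo "forwarding already off"
      ;;
  esac
  echo "$action"
}
```

Run `enforce fw-daemon` from cron or a systemd timer on the filtering host; `decide_forwarding` is the part worth unit-testing, since the two wrappers only gather state. The check deliberately does nothing when forwarding is already off, so a host that has already failed closed is left alone rather than toggled.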