
Re: [FW-1] DMZ setup



> Answer:
> Again, it is slightly less secure, only because the public
> addresses are accessible from the internet, whereas private
> IPs are not (that's why you have to NAT them....).
> A good rulebase will still provide the protection you need.

I contest that. The notion that NAT is more secure is a myth.

> only because the public addresses are accessible from the internet

Through the firewall. Just as a NAT address is accessible through the
firewall.

If you have an Any DMZ-Servers-Grp Any Allow rule, that will expose you
every time, with or without NAT. If you have an Any DMZ-Servers-Grp http
Allow rule, that will protect you a little, with or without NAT.

Say the firewall unloads its rulebase, as part of maintenance for example.

With NAT: no connection to the DMZ, because the rulebase, which does the NAT, is down.
Without NAT: no connection to the DMZ, because IP forwarding is switched off
when the rulebase is unloaded.


Show me a specific case where public addresses are less secure than NAT,
assuming the same security rulebase in both cases of course, and I'll be
willing to reconsider.

Cheers
Shawn
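
The argument above (exposure is a function of the rulebase, not of whether the DMZ host sits behind static NAT) can be checked with a small model of the two deployments. This is an added example, not code from the post or from FireWall-1; the addresses, the service list, the group names and the order "translate destination, then match rulebase top-down" are all assumptions of the model.

```python
"""Toy packet filter: a packet arrives from the Internet for a DMZ address,
the firewall optionally translates the destination (static NAT), then
matches the security rulebase top-down; first match wins, no match drops."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

SERVICES = ("http", "https", "ssh", "smtp", "telnet")   # constructed service set


@dataclass(frozen=True)
class Rule:
    src: str       # "Any" or a group name
    dst: str       # "Any" or a group name
    service: str   # "Any" or a service name
    action: str    # "Allow" or "Drop"


# Group membership as each deployment would define DMZ-Servers-Grp.
# Addresses are constructed (TEST-NET-3 / RFC 1918), not taken from the post.
PUBLIC_DEPLOYMENT: Dict[str, Set[str]] = {"DMZ-Servers-Grp": {"203.0.113.10"}}
NAT_DEPLOYMENT: Dict[str, Set[str]] = {"DMZ-Servers-Grp": {"10.10.10.10"}}
STATIC_NAT = {"203.0.113.10": "10.10.10.10"}     # public -> private, NAT case only
INTERNET_HOST = "198.51.100.7"                   # constructed external source

WIDE_OPEN = [Rule("Any", "DMZ-Servers-Grp", "Any", "Allow")]   # the "exposes you" rule
HTTP_ONLY = [Rule("Any", "DMZ-Servers-Grp", "http", "Allow")]  # the "protects a little" rule


def _matches(rule: Rule, groups: Dict[str, Set[str]], src: str, dst: str, svc: str) -> bool:
    src_ok = rule.src == "Any" or src in groups.get(rule.src, set())
    dst_ok = rule.dst == "Any" or dst in groups.get(rule.dst, set())
    svc_ok = rule.service == "Any" or rule.service == svc
    return src_ok and dst_ok and svc_ok


def reaches_dmz(rulebase: List[Rule], groups: Dict[str, Set[str]], dst: str, svc: str,
                nat: Optional[Dict[str, str]] = None, loaded: bool = True) -> bool:
    """True if a packet from the Internet to dst:svc is delivered to the DMZ host."""
    if not loaded:
        # NAT case: no rulebase, no translation.  Public case: forwarding is off.
        return False
    if nat is not None:
        if dst not in nat:
            return False          # no static mapping, nothing behind this address
        dst = nat[dst]            # rulebase sees the translated (private) address
    for rule in rulebase:
        if _matches(rule, groups, INTERNET_HOST, dst, svc):
            return rule.action == "Allow"
    return False                  # implicit cleanup rule: drop


def exposed_services(rulebase: List[Rule], groups: Dict[str, Set[str]],
                     nat: Optional[Dict[str, str]] = None, loaded: bool = True,
                     public_dst: str = "203.0.113.10") -> frozenset:
    """Set of services an Internet host can reach on the DMZ server."""
    return frozenset(s for s in SERVICES if reaches_dmz(rulebase, groups, public_dst, s, nat, loaded))
```

For each rulebase the exposed set comes out identical with and without NAT, and empty in both cases once the rulebase is unloaded.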


