Right now there is only NAT running on the router.  Is there any security
drop from not enabling NAT on the firewall and leaving the router as is?


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fretz
Sent: Thursday, May 20, 2004 1:56 PM
To: Exchange Discussions
Subject: RE: Off-Topic Firewall Question

For starters, if you plan on using the firewall as a primary protection
device (hiding behind NAT), you should at least change the subnetwork
between the firewall and DSL modem so it is not possible for users to
have two points of egress from your network.  You can use a subnet in the
172.16.x.x or 10.x.x.x networks.

Leaving NAT enabled on the DSL modem doesn't provide any loss of
security, but it does make things a heckuva lot harder to debug if
something goes wrong.  Not to mention, some interactive services like
PPTP, H.323, SIP, etc. are sketchy enough going through one NAT
device...  Who knows what will happen with two screeners in the mix.

Your best bet is to disable NAT and DHCP on the DSL Modem and rely on
the firewall for your security.  The only caveat is if your firewall is
listening on any ports on public-facing interfaces.  Sonicwall is a
pretty solid product and you can lock it down as tight as you want to
(e.g. No open ports on public interfaces...).

If you have your heart set on running double NAT, at least disable DHCP
on the modem so your internal hosts are only getting IP addresses from
one source, and then see if you can lock down the modem so it only
accepts internal traffic from the outside IP address of the firewall.

Example:  [192.168.0.2/255.255.255.254] <--> [192.168.0.1/255.255.255.254],
where 192.168.0.2 is the outside of your firewall and ...0.1 is the inside
of your DSL modem.

Eric Fretz

L-3 Communications
ComCept Division
2800 Discovery Blvd.
Rockwall, TX 75032
tel:   972.772.7501
fax:  972.772.7510



-----Original Message-----
From: Phillip Stafford [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 20, 2004 12:44 PM
To: Exchange Discussions
Subject: Off-Topic Firewall Question


I apologize for this being off-topic...

At one of our clients, we have a DSL modem that is currently providing
NAT to the computers. This device has an internal IP of 192.168.0.xx. We
have this modem running to a Sonicwall SOHO firewall device that is not
assigned an external address. It also has an internal IP at 192.168.0.xx.
This then plugs into the switches.

Is there any loss of security by permitting the DSL modem to be
providing NAT, and thus having both an internal and external IP, versus
having the firewall providing this? I know the clients communicate
through the wiring that goes from the switch to the firewall and then to
the router... but does this still filter the packets and protect them in
the same way?

It's strange because I can have the clients point to either the firewall
or the router's internal IP as the gateway and they can get out either way.

Thanks for any help.


_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&;
lang
=english
To unsubscribe send a blank email to
%%email.unsub%%
Exchange List admin:    [EMAIL PROTECTED]
To unsubscribe via postal mail, please contact us at: Jupitermedia Corp.
Attn: Discussion List Management
475 Park Avenue South
New York, NY 10016

Please include the email address which you have been contacted with.
