Option one is the one I use most.  Both my DMZ and my secure nets are using
private addresses and I NAT to the DMZ and to the Internal if need be (not
always the case).

Jean.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Art Coble
> Sent: Friday, November 19, 1999 11:58 PM
> To: Magowan, Richard M. (ITS); '[EMAIL PROTECTED]'
> Subject: Re: Some DMZ construction Questions
>
>
> Maybe I am tired, but I don't see any reason to go for option 2.
> In my experience option 1 is a best practice.  Your Internet
> accessible servers are clearly segregated from your internal
> network.  You have a secured DMZ subnet.
> You can do a many-to-one NAT for your internal networks
> using an address from the external subnet, add
> the corresponding static routes from IF3 to
> the internal network and you are good to go.
> Don't forget a rule to allow the internal nets to the DMZ.
>
>                        -Art
>
>
> At 02:12 PM 11/19/99 -0500, Magowan, Richard M. (ITS) wrote:
> >I am installing a new ISP service via UUNET and their managed
> >Checkpoint FW.
> >I am trained in the use of FW1 (Unix) so I sort of understand how the thing
> >works. My question has to do with the options available to construct my DMZ.
> >
> >
> >Option 1. I want a three-legged FW, IF1 to the ISP Router, IF2 to the DMZ,
> >IF3 to my inside network. My plan was to build the new web farm (which is
> >supposed to be Internet accessible) on the DMZ off IF2, use real legal
> >addresses as provided by UUNET and just have DNS entries made as the
> >machines are installed with the appropriate rule base entries to allow
> >access.
> >
> >Option 2. The other option suggested to me is to build a "private DMZ" off
> >IF3, use FW rules and NAT to provide access to the web farm and use just one
> >"Real" interface to the Internet via IF1.
> >
> >For the sake of what I think is simplicity, I want to go with option 1 but I
> >admit to not being any kind of expert as far as building Internet accessible
> >networks. I lean to Option 1 because there won't be so many rules and NAT
> >things needed in the FW and since this is a managed service (not my choice
> >but...) I feel not having to request FW changes every time I want to add a
> >host will allow me to more rapidly respond to user requests to get machines
> >up and running on the Internet.
> >
> >Are there any "best practices" type things for DMZ construction? Are there
> >any strong opinions one way or the other on the option 1, option 2 business
> >suggested here? Any opinions greatly appreciated. Thanks.
> >-
> >[To unsubscribe, send mail to [EMAIL PROTECTED] with
> >"unsubscribe firewalls" in the body of the message.]
> >
>
> ===========================================
> Art Coble
> Lucent - Netcare Professional Services
> Senior Network Consultant
> Email: [EMAIL PROTECTED]
> Page:  800 INS 1 INS
> =============================================
>

