Per Olof Ljungmark writes:
Should the DMZ side be allocated a prime
Internet address or a private? There may
be multiple answers to this question but
are there preferences?
I lean towards numbering DMZ networks with internal addresses and
translating them to external addresses. This preference isn't based upon a
security basis, but upon the flexibility that this scheme provides.
Once you have address translation in the picture there are all sorts of
tricks that you can play with the address mappings. You can do things like
temporarily changing the address mapping for a public server to a backup
server while you perform maintenance on the primary. (You could use virtual
interfaces on the public hosts to perform this, but there is more
gymnastics involved.)
If you have a limited pool of external addresses then using internal
addresses for DMZ hosts allows you to make better use of those addresses.
This is particularly important if you have multiple DMZs and a large number
of publicly available hosts. Each DMZ will consume a minimum of 2
addresses: one for the firewall and one for the broadcast address (unless
you're using a bridging firewall). If you've only got 16 external addresses
and 10 DMZ hosts you might be in real trouble, particularly if some of the
hosts must be isolated from others e.g. one for Customer demo machines, one
for joint development hosts, one for the corp. web site, and one for the
mail relay. Using address translation for the public hosts would allow you
to parcel these out in a manner which is not limited by the actual subnet
boundaries.
Using internal addresses for DMZs also insulates your DMZ servers from
address changes that may be involved when you switch providers. When this
happens you only have to change the firewall external interface, external
routing, and the address translations. Once prepared the actual act can be
done about as quickly as you can change a cable. It can also be reversed
quickly. If the DMZs are actually numbered with external addresses you'll
have to change the address of all the external hosts. This is a fairly time
consuming and error prone operation in comparison with changing the address
translation maps.
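To make the two operations described above concrete (swapping a public address to a backup host during maintenance, and renumbering the external side when changing providers), here is an added illustration that is not part of the original post. It models the firewall's translation map in Python and renders it as nftables DNAT/SNAT rules. The addresses are constructed sample values from documentation ranges, and the helper names (`swap_to_backup`, `renumber_external`, `nft_rules`, `diff_rules`) are my own; the nft syntax is standard.

```python
"""Model of a DMZ address-translation map rendered as nftables rules.

Added illustration: DMZ hosts keep fixed private (RFC 1918) addresses and
the firewall's NAT map is the only place public addresses appear. All
addresses are constructed sample values; helper names are assumptions.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Mapping:
    service: str
    external: IPv4Address   # public address on the firewall's outside interface
    internal: IPv4Address   # fixed private address of the DMZ host
    port: int


# Constructed sample map: four public services spread over separate DMZ
# segments (one host each), all served from one /28 of external space.
DMZ_MAP = (
    Mapping("www",   IPv4Address("203.0.113.10"), IPv4Address("10.1.1.10"), 443),
    Mapping("smtp",  IPv4Address("203.0.113.11"), IPv4Address("10.1.2.10"), 25),
    Mapping("demo",  IPv4Address("203.0.113.12"), IPv4Address("10.1.3.10"), 443),
    Mapping("devel", IPv4Address("203.0.113.13"), IPv4Address("10.1.4.10"), 22),
)


def swap_to_backup(dmz_map, service, backup_internal):
    """Point a public address at a standby host while the primary is down.

    Only the translation entry changes; no DMZ host is renumbered and no
    other service's mapping is touched."""
    backup = IPv4Address(backup_internal)
    return tuple(replace(m, internal=backup) if m.service == service else m
                 for m in dmz_map)


def renumber_external(dmz_map, old_net, new_net):
    """Move every public mapping from one provider's block to another,
    preserving each host's offset within the block. Internal addresses
    (and therefore the DMZ hosts themselves) are left untouched."""
    old, new = IPv4Network(old_net), IPv4Network(new_net)
    out = []
    for m in dmz_map:
        if m.external not in old:
            raise ValueError(f"{m.external} is not inside {old}")
        offset = int(m.external) - int(old.network_address)
        out.append(replace(m, external=new.network_address + offset))
    return tuple(out)


def nft_rules(dmz_map, wan_if="eth0"):
    """Render the map as inbound DNAT and outbound SNAT rules for nft -f."""
    lines = ["table ip dmz_nat {",
             "  chain prerouting {",
             "    type nat hook prerouting priority dstnat;"]
    for m in dmz_map:
        lines.append(f"    iifname {wan_if} ip daddr {m.external} "
                     f"tcp dport {m.port} dnat to {m.internal}")
    lines += ["  }",
              "  chain postrouting {",
              "    type nat hook postrouting priority srcnat;"]
    for m in dmz_map:
        lines.append(f"    oifname {wan_if} ip saddr {m.internal} snat to {m.external}")
    lines += ["  }", "}"]
    return "\n".join(lines)


def diff_rules(before, after):
    """Rule lines that change between two renderings: the whole of what has
    to be touched on the firewall for either operation."""
    b, a = set(before.splitlines()), set(after.splitlines())
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    base = nft_rules(DMZ_MAP)
    print(base)
    # Maintenance: www moves to a standby host; two rule lines change.
    removed, added = diff_rules(base, nft_rules(swap_to_backup(DMZ_MAP, "www", "10.1.1.11")))
    print("maintenance swap:", removed, added)
    # Provider change: every external address changes, no DMZ host does.
    moved = renumber_external(DMZ_MAP, "203.0.113.0/28", "198.51.100.16/28")
    print("provider change:", [(m.service, str(m.external), str(m.internal)) for m in moved])
```

Loading the rendered text with `nft -f` on the firewall and reverting to the previous rendering is the "as quickly as you can change a cable" step; `diff_rules` shows that for either operation the only lines that change are NAT entries on that one device.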
Putting the DMZ hosts on an internally addressed segment also provides a
clean break point for internal and external routing. It just makes the
whole mess a little cleaner.
- Jeff Younker - [EMAIL PROTECTED] - These are my opinions, not MDL's -
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]