I've got a PIX firewall with three NICs, one for the Internet, DMZ, and
internal network. In my DMZ I'm trying to figure out whether or not I
should use valid public IPs or use private IPs and then NAT. The pros and
cons that I've been able to come up with in my head don't seem very
significant (i.e., going either way seem almost equally as good as I'm not
short on valid public IPs).
So I turn to the collective knowledge of the mailing list for arguments
supporting and against using public addresses or private addresses in my
DMZ. After searching the archives of this mailing list, it seems people
reasons for one approach or the other may be more religious than technical,
so I hope I don't spark off a holy war here. :)
Below are my two lists of pros and cons. The 2nd list addresses whether or
not I internally advertise my DMZ hosts as having public or private
addresses. This is separate issue from what kind of IPs they actually have,
since with the PIX I can NAT between the DMZ and the Internet, internal net,
or even both.
Note: My internal network uses private addresses.
Disclaimer: I speak in PIX terms, since that's what I'm using. The
concepts here should be applicable to any firewall though.
[Should I use private IPs in my DMZ and then NAT?]
-NAT Pros
-Can have more hosts in the DMZ
-If, for some reason, we put a host in the DMZ that we didn't want
publicly accessible, it'd be a little harder to get at it.
-NAT Cons
-NAT could take a slight performance hit re-writing the packets
-Not all protocols are NATable
-Not an issue in the foreseeable future, as currently SMTP and HTTP is
the only traffic I see going to the DMZ.
-A little simpler to admin if you're not NATed.
-If you assign the web server ip 113.13.13.13, then by jove that's
what's its address is to everyone (i.e. you don't hafta set up a NAT).
-It just seems "cleaner" to use a public IP.
[Advertise DMZ hosts as private or public addresses internally?]
-Private pros
-Routing tables would be simpler (i.e., wouldn't need to add a public
113.13.13.0 route to all of our remote routers and/or PIXes).
-Actually we'd probably set up routes for all of our company's public
IP's anyway, so this is really a non-issue.
-No risk of a VPN client's private traffic trying to go un-encrypted over
the Internet.
-If you use a public IP, and the VPN client's route to the public IP
isn't over the VPN, then the traffic could potentially go over the Internet
in cleartext. If you used private IPs, then even if you don't have a VPN
session up the traffic isn't going anywhere, as private addresses aren't
routable. Note that this cleartext traffic would be blocked at the firewall
anyway.
-Private cons
-Must maintain two separate DNS's (split DNS) for the outside (public)
and inside (private) worlds.
-Not actually an issue for us, as we're doing this already.
-If the DMZ hosts actually have real IPs, then advertising private IPs
would force us to do NAT.
-NAT could take a slight performance hit re-writing the packets
-Not all protocols are NATable
-Is SSH NATable?
-NAT would add another couple lines to the PIX config (not a big
deal).
_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
