I have a couple of questions for general comment regarding DMZ configurations. The following are some parameters which form the basis for the queries:

a) The machines on the DMZ(s) are a mixture, but predominantly are WinNT/Win2000
b) The administrators for the machines require the ability to connect via RPC (NetBIOS over TCP/IP)
c) Checkpoint NAT fails occasionally.

My current configuration employs a firewall with 3 NICs. The first is external, the second internal and the third connects to the DMZ network. At present, the DMZ network is using a 192.168 address and uses NAT and proxy ARP on the firewall. In effect this is a hidden network.

The problem with this configuration is that in order for the RPC connection to work the WinNT machines must register with their WINS servers (inside). Due to a Microsoft oversight, they must use their real IP address rather than the NAT'ed address. So we have had to set up internal routing tables to provide access to the "real" IP address outbound through the firewall. Further, we have had to set up access from the DMZ to the WINS server so that the address can be registered. This is probably the biggest security hole. In effect, each machine, therefore, has two IP addresses: an internal one and an external one.

One plan which has been proposed is to use Internet-routable addresses on the DMZ and to use a single entry in the DNS (and WINS) for each of these machines. This would obviate the need for NAT, allow registration with the real IP address and cause fewer headaches for our hostmaster and the firewall admin. I realize NAT provides a modicum of security. But I also think it adds back a modicum of complexity. I know it clearly doesn't remove the DMZ-to-Internal address problem, but it does resolve the additional static routes to what should be a hidden network.

What are the pros and cons of implementing this plan?
Dan
-------------------
Dan McGinn-Combs
[EMAIL PROTECTED]
Atlanta, Georgia
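To make the question concrete, here is an added zone-policy model of the three-interface firewall described above. It is example code written for this page, not the poster's Checkpoint configuration: the zone address ranges, the single inside WINS server address and the choice of NetBIOS name service (UDP 137) and NetBIOS session (TCP 139) as the ports behind "RPC (NetBIOS over TCP/IP)" are constructed assumptions. The `dmz_to_internal_permits` audit shows why the DMZ-to-inside WINS registration flow is the hole that renumbering the DMZ to routable addresses does not close: that rule is defined by zone, not by whether NAT is in front of it.

```python
"""Zone-policy model of a firewall with internal, DMZ and external NICs.

Constructed example for illustration: the address ranges, the WINS server
address and the port numbers are assumptions, not the poster's real setup.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Zones as seen from the firewall's NICs (constructed addresses). Anything
# that falls in neither range is treated as "external".
ZONES = {
    "internal": ip_network("10.0.0.0/8"),
    "dmz": ip_network("192.168.1.0/24"),   # the hidden network behind NAT
}
WINS_SERVER = "10.0.0.53"                   # assumed inside WINS server


@dataclass(frozen=True)
class Rule:
    src_zone: str           # zone the connection originates from
    dst: str                # zone name, or a single host address
    proto: str              # "tcp", "udp" or "any"
    port: Optional[int]     # None means any destination port
    action: str             # "allow" or "deny"


def zone_of(addr: str) -> str:
    """Map an address to the zone of the NIC it sits behind."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "external"


def matches(rule: Rule, src: str, dst: str, proto: str, port: int) -> bool:
    if zone_of(src) != rule.src_zone:
        return False
    if rule.dst in ZONES:
        if zone_of(dst) != rule.dst:
            return False
    elif ip_address(dst) != ip_address(rule.dst):
        return False
    if rule.proto not in ("any", proto):
        return False
    return rule.port is None or rule.port == port


def evaluate(policy, src: str, dst: str, proto: str, port: int) -> str:
    """First-match evaluation with an implicit final deny."""
    for rule in policy:
        if matches(rule, src, dst, proto, port):
            return rule.action
    return "deny"


# The flows the post describes: admins open NetBIOS sessions to DMZ hosts
# (TCP 139), and DMZ hosts register their names with the inside WINS server
# (UDP 137). Everything else from the DMZ toward the inside is dropped.
POLICY = [
    Rule("internal", "dmz", "tcp", 139, "allow"),
    Rule("dmz", WINS_SERVER, "udp", 137, "allow"),
    Rule("dmz", "internal", "any", None, "deny"),
]


def dmz_to_internal_permits(policy):
    """Audit: rules that let DMZ hosts initiate traffic toward the inside.

    These are the exposure the post calls its biggest hole. They are keyed
    on zones and hosts, so renumbering the DMZ to routable addresses (and
    dropping NAT) leaves exactly the same set in place.
    """
    return [r for r in policy
            if r.src_zone == "dmz" and r.action == "allow"
            and (r.dst == "internal" or zone_of(r.dst) == "internal")]


if __name__ == "__main__":
    print(evaluate(POLICY, "10.0.0.5", "192.168.1.10", "tcp", 139))
    print(evaluate(POLICY, "192.168.1.10", WINS_SERVER, "udp", 137))
    for r in dmz_to_internal_permits(POLICY):
        print("DMZ -> inside permitted:", r)
```

Running the audit against the two candidate designs (private DMZ addresses with NAT, or routable DMZ addresses without it) gives the same single DMZ-to-inside permit, which is the point the post makes about the address plan: it removes the static routes and the second address per host, but the registration path to WINS has to be controlled by the rule itself.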