Hi Fábio
Okay, I'll try...
One of the things that matters is whether your hosts can be reached from the internet or not. As I see it you have to allow certain protocols (smtp, http) and these protocols only. So in the ability to be reached from the internet both methods are equally secure/insecure - it is more important to patch and secure your servers...
Then, if a server is compromised the hacker will normally try to reach the internet, either to pick up tools or to attack other hosts (Code Red etc.). Here again you decide what protocols to allow outbound and from what servers. NAT/public makes little difference.
Only in the case where your firewall stops and a hacker makes the IP forwarding work without the firewall, will private IPs protect you... This scenario is a bit unlikely...
My setup is with public addresses in my DMZ and private in the corporate network. I changed to this setup some 3 months ago, for a number of reasons. Among others the trouble with the DNS setup, which is anything but trivial.
I like playing around with DNS and the main reason that I changed over was that we needed VPN between two networks, and in that case DNS became a bit hairy (two networks doing NAT and still interconnecting, sharing corporate web-based applications, available from outside via SecureClient, using proxy servers and managers using their laptops on the road and in the office.... hmmmm)
Hope this addressed your initial question a bit better :-)
Best regards
Morten Jensen
-----Original Message-----
From: Fábio Rocha [mailto:[EMAIL PROTECTED]]
Sent: 16. december 2002 20:23
To: [EMAIL PROTECTED]
Subject: [FW-1] RES: [FW-1] What is recommended way to address a DMZ?
I am sure both methods work fine but I am really interested in the security
issues (if any) involved.
Regards and thanks for your time.
Fábio.
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED]] On behalf of Julian Burton
Sent: Monday, 16 December 2002 13:45
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] What is recommended way to address a DMZ?
I've been involved with both in my time!
Others may have opinions on the advisability of public vs. private
addresses, but I can tell you that both work equally well.
Currently we run private addressing with NAT - mainly due to the small
number of public addresses we have.
Julian
From: Fábio Rocha <[EMAIL PROTECTED]>
Sent by: Mailing list for discussion of Firewall-1 <[EMAIL PROTECTED]>
Date: 16/12/2002 13:45
Please respond to: Mailing list for discussion of Firewall-1
To: [EMAIL PROTECTED]
cc:
Subject: [FW-1] What is recommended way to address a DMZ?
Hi all,
I need to create a DMZ on my firewall and I have been thinking how I should
address it, the possibilities are:
1. Use public Internet addresses.
2. Use private addresses and do the required translations on the firewall.
What is the best to do? What are the pros and cons of each addressing
method? I would like to hear your opinions on the subject.
Thanks in advance,
Fábio Rocha.
=================================================
To set vacation, Out Of Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
________________________________________________________________________
This e-mail has been scanned for all viruses by Star Internet.
**********************************************************************
Zenith Insurance Management Limited Registered No. 3805632
Registered @ Zenith House, Market Place, Haywards Heath,
West Sussex, RH16 1DB.
NOTICE:
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the [EMAIL PROTECTED] and delete the message
and any attachments accompanying it immediately.
**********************************************************************
