On Tue, 25 Jul 2000 14:51:25 -0400, you wrote:

>> You can always use IP passthrough on the DMZ (with public IPs).  We
>> have moved to that sort of setup in which case the firewall ever
>> chokes you just remove it and put a secondary IP on your border router
>> until you get the firewall back in place.
>
>There's nothing wrong with that, but the issue that Mr. Davies brought
>up was running services on non-standard ports, which is the same whether
>you are running NAT or Passthrough.
Non-standard ports on the inside should be fine if you are
tunneling... I must have missed that.


>
>Since the NAT for servers has to be static, the security features of
>using NAT vs IP Passthrough on the DMZ are probably about even, but
>using NAT still allows you a lot more flexibility in configuration,
>and can save IP addresses if you can use one IP address for two or
>more services running on different machines.
I don't agree here, but I'm coming from an ISP perspective... which is
a quite different approach when it comes to a DMZ.

>
>Because of the minimal hardware requirements of the GNAT Box, I
>would keep a full spare in any situation where uptime is critical.
>Swapping in the spare GNAT Box would probably be quicker than
>removing the GNAT Box to connect your servers directly to the
>router (no cables to re-route!), and has the added advantage of
>not taking the PRO network off the Internet.
Actually it is much more simple when you have things VLANed in a switch.
If the gnatbox goes down you don't even have to hit the NOC: get into
the switch, remove the VLAN, go into the border router, add a secondary
IP... back up and running until you get someone to the NOC.

The other big reason for using public addresses on a DMZ is an already
VERY large configured base of servers with public IPs and not having
to reconfigure them all with private addresses.  Keep in mind I'm
talking strictly DMZ here.
>
>Mike Burden
>Lynk Systems
>(616)532-4985
>[EMAIL PROTECTED]