Re: [fw-wiz] Internet accessible screened subnet - use public or private IPs?

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 07/21/05

    To: Matt Bazan <Mbazan@onelegal.com>
    Date: Thu, 21 Jul 2005 13:56:17 -0400 (EDT)
    
    

    On Fri, 15 Jul 2005, Matt Bazan wrote:

    > Is there a preferred method of setting up an Internet facing screened
    > subnet and the use of public or private IP addresses? Looking at
    > redesigning our DMZ to only include public resources (www, smtp, imap,
    > ftp). Presently we use a private IP address range for this that is
    > NAT'ed at our firewall. Any reasons to change this policy to using
    > public IPs in the DMZ? Thanks,

    If you're NATing to your internal network, then a rework is necessary -
    public stuff should be on its own (preferably) physical subnet.

    IP addressing doesn't matter much, since you'll be letting stuff through
    the most likely exploit vectors anyway.

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."


