Re: [fw-wiz] Internet accessible screened subnet - use public or private IPs?

• Previous message: Paul D. Robertson: "Re: [fw-wiz] Discretionary WiFi Access"
• In reply to: Matt Bazan: "[fw-wiz] Internet accessible screened subnet - use public or private IPs?"
• Next in thread: David Lang: "Re: [fw-wiz] Internet accessible screened subnet - use public orprivate IPs?"
• Reply: David Lang: "Re: [fw-wiz] Internet accessible screened subnet - use public orprivate IPs?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: Matt Bazan <Mbazan@onelegal.com>
Date: Thu, 21 Jul 2005 13:56:17 -0400 (EDT)

On Fri, 15 Jul 2005, Matt Bazan wrote:

> Is there a preferred method of setting up a Internet facing screened
> subnet and the use of public or private IP addresses? Looking at
> redesinging our DMZ to only include public resources (www, smtp, imap,
> ftp). Presently we use a private IP address range for this that is
> NAT'ed at our firewall. Any reasons to change this policy to using
> public IPs in the DMZ? Thanks,

If you're NATing to your internal network, then a rework is necessary-
public stuff should be on its own (preferably) physical subnet.

IP addressing doesn't matter much, since you'll be letting stuff through
the most likely exploit vectors anyway.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

• Previous message: Paul D. Robertson: "Re: [fw-wiz] Discretionary WiFi Access"
• In reply to: Matt Bazan: "[fw-wiz] Internet accessible screened subnet - use public or private IPs?"
• Next in thread: David Lang: "Re: [fw-wiz] Internet accessible screened subnet - use public orprivate IPs?"
• Reply: David Lang: "Re: [fw-wiz] Internet accessible screened subnet - use public orprivate IPs?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: W2K3 domain in DMZ ... > Yes a single domain DMZ ... > Private subnet on 2nd NIC ... > server, ... (microsoft.public.windows.server.security) [fw-wiz] Internet accessible screened subnet - use public or private IPs? ... subnet and the use of public or private IP addresses? ... redesinging our DMZ to only include public resources (www, smtp, imap, ... Presently we use a private IP address range for this that is ... public IPs in the DMZ? ... (Firewall-Wizards) Re: Add DMZ ... It's a way to import all my rules after switch to 3-legged firewall? ... If you have a class of valid IP's you want to use on the DMZ, ... If you want to use private addresses on the DMZ then you pick one private ... subnet that's outside your LAN range, assign an IP from that subnet to the ... (microsoft.public.isa) RE: ipfw, natd and routing question ... The first case diverts incoming packets for the DMZ, ... The second case fails to divert response packets for the inside, ... connected to our DMZ subnet, ... The information contained in this communication is confidential and is ... (FreeBSD-Security) Re: Routing over two interfaces ... > want the default outgoing route to be on a public subnet, ... > incoming traffic on the private subnet succeed. ... (microsoft.public.windows.server.sbs)