Re: [fw-wiz] Internet accessible screened subnet - use public or private IPs?

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 07/21/05

    To: Matt Bazan <Mbazan@onelegal.com>
    Date: Thu, 21 Jul 2005 13:56:17 -0400 (EDT)
    
    

    On Fri, 15 Jul 2005, Matt Bazan wrote:

    > Is there a preferred method of setting up an Internet facing screened
    > subnet and the use of public or private IP addresses? Looking at
    > redesigning our DMZ to only include public resources (www, smtp, imap,
    > ftp). Presently we use a private IP address range for this that is
    > NAT'ed at our firewall. Any reasons to change this policy to using
    > public IPs in the DMZ? Thanks,

    If you're NATing to your internal network, then a rework is necessary -
    public stuff should be on its own (preferably) physical subnet.

    IP addressing doesn't matter much, since you'll be letting stuff through
    the most likely exploit vectors anyway.

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

