Re: [fw-wiz] Internet accessible screened subnet - use public or private IPs?

From: Victor Williams (vbwilliams_at_neb.rr.com)
Date: 07/23/05

    To: David Lang <david.lang@digitalinsight.com>
    Date: Fri, 22 Jul 2005 19:21:06 -0500
    
    

    Everyone has missed the point.

    The whole issue of using NAT or not has nothing to do with work
    associated with either. The whole reason NAT was implemented was
    because of a very finite (and quickly running out, depending
    on who you ask) number of publicly routable IP addresses. Instead of
    assigning every machine that wanted internet access a public IP address,
    it was just more cost-effective (IP addresses cost money) to use NAT or
    masquerading...whatever your lingo is...to address those hosts that only
    needed outgoing access--who weren't serving content.

    Whether you address your publicly accessible hosts directly with public
    IP addresses or you use static NAT translations is up to the preference
    of the administrator. If you have enough public IP addresses and $
    isn't an object, then your preference for assigning them all public IP
    addresses really doesn't make a difference. If you don't have enough
    public IP addresses and you have a limited budget and have to allow many
    services on the internet with less public IP addresses, then it sounds
    like you'll be using NAT or PAT.

    There is no clear-cut *better* way universally. Several different ways
    work if you have your head screwed on straight.

    My personal preference is to use private IP addresses everywhere inside
    my firewall...even in my DMZ. That way I control my public IP addresses
    at one point only, and that's my firewall. If for some reason I change
    ISPs or my ISP wants to change my IP address range (which hasn't
    happened in over 9 years), I make my IP address changes in two spots:
    my firewall(s), and my DNS servers. Nothing else changes. To me, it's
    simpler. Others like to be complicated...so YMMV.

    David Lang wrote:
    > On Fri, 22 Jul 2005, Dave Piscitello wrote:
    >
    >> Isn't this a question of whether you want to route or NAT?
    >>
    >> A server that is Internet-facing has to have (or be reachable via) a
    >> public IP. If your ISP changes your block of public IP addresses, you
    >> have to change:
    >>
    >> 1) the mapping between your private IP addresses and the new public
    >> IP addresses (the static or 1:1 NAT case) or
    >> 2) the IP addresses of all the servers, the IPs of the trusted and
    >> external interfaces on the firewall, and the routing table (or
    >> routing protocol configuration)
    >>
    >> (2) seems like a whole lot more work to me.
    >
    >
    > first off, how frequently does your ISP reallocate your address range?
    >
    > secondly you are ignoring all the other work that you need to do when
    > this change takes place. with all that in mind the difference in the
    > amount of work seems a lot less.
    >
    > and as I said below, the trade-off for simplifying this rare occurrence
    > of changing your IP range comes with day-to-day costs in running NAT.
    >
    > David Lang
    >
    >>
    >> On 21 Jul 2005 at 18:28, David Lang wrote:
    >>
    >>> On Thu, 21 Jul 2005, Paul D. Robertson wrote:
    >>>
    >>>> On Fri, 15 Jul 2005, Matt Bazan wrote:
    >>>>
    >>>>> Is there a preferred method of setting up an Internet-facing
    >>>>> screened subnet and the use of public or private IP addresses?
    >>>>> Looking at redesigning our DMZ to only include public resources
    >>>>> (www, smtp, imap, ftp). Presently we use a private IP address
    >>>>> range for this that is NAT'ed at our firewall. Any reasons to
    >>>>> change this policy to using public IPs in the DMZ? Thanks,
    >>>>
    >>>>
    >>>> If you're NATing to your internal network, then a rework is
    >>>> necessary - public stuff should be on its own (preferably) physical
    >>>> subnet.
    >>>>
    >>>> IP addressing doesn't matter much, since you'll be letting stuff
    >>>> through the most likely exploit vectors anyway.
    >>>
    >>>
    >>> The thing I've been hearing for years about why NAT is better is that
    >>> you may change ISPs and end up with a new set of IP addresses which
    >>> are easier to change if you NAT.
    >>>
    >>> this may be true (I've actually never seen anyone actually DO this),
    >>> but you are trading one-time headaches (which I personally believe are
    >>> no more severe than all the other changes that you need to make when
    >>> changing things, firewalls, DNS, NAT tables, etc) for ongoing overhead
    >>> (performance on your NAT device, troubleshooting, bugs in the NAT
    >>> implementation, overloading of the NAT tables, etc)
    >>>
    >>> I would definitely have things that serve the Internet use public
    >>> addresses, once you get behind that layer and have devices that only
    >>> talk to internal stuff, then make it all private addresses.
    >>>
    >>> David Lang
    >>>
    >>>
    >>>
    >>>
    >>>
    >>> --
    >>> There are two ways of constructing a software design. One way is to
    >>> make it so simple that there are obviously no deficiencies. And the
    >>> other way is to make it so complicated that there are no obvious
    >>> deficiencies.
    >>> -- C.A.R. Hoare
    >>> _______________________________________________
    >>> firewall-wizards mailing list
    >>> firewall-wizards@honor.icsalabs.com
    >>> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
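The static 1:1 NAT arrangement described in the post above (private addresses in the DMZ, public addresses touched only at the firewall and in DNS) can be made concrete with a small generator. The following is an added example written for this page, not code from any poster or from the firewall-wizards list; the host names, the 192.168.10.0/24 DMZ range, the 203.0.113.0/28 and 198.51.100.0/28 "ISP" blocks and the `eth0` interface name are all constructed. It builds the 1:1 mapping, renders the matching nftables `dnat`/`snat` rules and DNS A records, and then renumbers onto a new public block to show that only the firewall rules and the zone change while the DMZ hosts keep their private addresses. It also refuses a mapping whose "public" side is actually RFC 1918 space or whose block is too small, two mistakes that silently break reachability.

```python
"""Static (1:1) NAT for a DMZ, as an added illustration of the thread's point.

Constructed example: names, addresses and the interface name are made up.
"""
import ipaddress

# RFC 1918 ranges, used to check which side of the NAT each address sits on.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: the services named in the thread, on private DMZ addresses.
DMZ_HOSTS = {
    "www":  "192.168.10.10",
    "smtp": "192.168.10.11",
    "imap": "192.168.10.12",
    "ftp":  "192.168.10.13",
}


def is_rfc1918(addr):
    """True if addr falls inside one of the RFC 1918 private ranges."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in RFC1918)


def build_static_nat(dmz_hosts, public_block):
    """Map each DMZ host 1:1 onto consecutive usable addresses of public_block.

    Returns {name: (private_ip, public_ip)} in the order of dmz_hosts.
    Raises ValueError if the block is too small or an address is on the wrong side.
    """
    usable = list(ipaddress.ip_network(public_block).hosts())
    if len(usable) < len(dmz_hosts):
        raise ValueError(f"{public_block} has {len(usable)} usable addresses for {len(dmz_hosts)} hosts")
    mapping = {}
    for (name, priv), pub in zip(dmz_hosts.items(), usable):
        if not is_rfc1918(priv):
            raise ValueError(f"{name}: {priv} is not an RFC 1918 address")
        if is_rfc1918(pub):
            raise ValueError(f"{pub} is RFC 1918 space and will not be reachable from the Internet")
        mapping[name] = (priv, str(pub))
    return mapping


def render_nftables(mapping, wan_if="eth0"):
    """Render an nftables 'ip nat' table: one DNAT (inbound) and one SNAT (outbound) rule per host."""
    pre = [f'        iifname "{wan_if}" ip daddr {pub} dnat to {priv}' for priv, pub in mapping.values()]
    post = [f'        oifname "{wan_if}" ip saddr {priv} snat to {pub}' for priv, pub in mapping.values()]
    return "\n".join([
        "table ip nat {",
        "    chain prerouting {",
        "        type nat hook prerouting priority -100; policy accept;",
        *pre,
        "    }",
        "    chain postrouting {",
        "        type nat hook postrouting priority 100; policy accept;",
        *post,
        "    }",
        "}",
    ])


def render_dns(mapping, zone="example.com."):
    """A records for the public side: the only place besides the firewall that holds public addresses."""
    return "\n".join(f"{name}.{zone} IN A {pub}" for name, (_, pub) in mapping.items())


def renumber(mapping, new_public_block):
    """Recompute the mapping for a new ISP block.

    Returns (new_mapping, {name: (old_public, new_public)}). The private side is untouched,
    so nothing on the DMZ hosts themselves needs to change.
    """
    hosts = {name: priv for name, (priv, _) in mapping.items()}
    new = build_static_nat(hosts, new_public_block)
    changed = {name: (old_pub, new[name][1]) for name, (_, old_pub) in mapping.items()}
    return new, changed


if __name__ == "__main__":
    current = build_static_nat(DMZ_HOSTS, "203.0.113.0/28")
    print(render_nftables(current))
    print(render_dns(current))
    # The ISP hands out a new block: regenerate firewall rules and zone, nothing else.
    after, changes = renumber(current, "198.51.100.0/28")
    for name, (old, new) in changes.items():
        print(f"{name}: {old} -> {new} (private {after[name][0]} unchanged)")
```

The two rendered artefacts are exactly the "two spots" the post names: the firewall's NAT table and the DNS zone. Running the renumber step on a real change is where the day-to-day cost the other posters mention shows up, so the checks on block size and on accidentally mapping to private space are worth keeping even in a throwaway script.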

