RE: [fw-wiz] Internet accessible screened subnet - use public or private IPs?

lordchariot_at_earthlink.net
Date: 07/26/05

  • Next message: Marcus J. Ranum: "Re: [fw-wiz] Internet accessible screened subnet - use public orprivate IPs?"
    To: <firewall-wizards@honor.icsalabs.com>
    Date: Mon, 25 Jul 2005 20:12:58 -0400
    
    

    What about when IPv6 becomes predominant on the net?
    Am I mistaken that there doesn't seem to be any concept of NAT in the IPv6
    specs?
    I could be wrong, but thought I found that somewhere?

    Erik

    > -----Original Message-----
    > From: firewall-wizards-admin@honor.icsalabs.com
    > [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf
    > Of David Lang
    > Sent: Friday, July 22, 2005 8:27 PM
    > To: Victor Williams
    > Cc: Dave Piscitello; firewall-wizards@honor.icsalabs.com
    > Subject: Re: [fw-wiz] Internet accessible screened subnet -
    > use public orprivateIPs?
    >
    > On Fri, 22 Jul 2005, Victor Williams wrote:
    >
    > > Everyone has missed the point.
    > >
    > > The whole issue of using NAT or not has nothing to do with work
    > > associated with either. The whole reason NAT was implemented was
    > > because of a very finite (and quickly running out supply, depending on
    > > who you ask) number of publicly routable IP addresses. Instead of
    > > assigning every machine that wanted internet access a public IP
    > > address, it was just more cost-effective (IP addresses cost money) to
    > > use NAT or masquerading...whatever your lingo is...to address those
    > > hosts that only needed outgoing access--who weren't serving content.
    >
    > however, for a DMZ (the question that was asked) you are typically
    > providing service to the Internet, and for that you run into a bunch of
    > very interesting issues if you try to use NAT to reduce the number of IP
    > addresses you use.
    >
    > David Lang
    >
    > > Whether you address your publicly accessible hosts directly with public
    > > ip addresses or you use static NAT translations is up to the preference
    > > of the administrator. If you have enough public IP addresses and $ isn't
    > > an object, then your preference for assigning them all public IP
    > > addresses really doesn't make a difference. If you don't have enough
    > > public IP addresses and you have a limited budget and have to allow many
    > > services on the internet with fewer public IP addresses, then it sounds
    > > like you'll be using NAT or PAT.
    > >
    > > There is no clear-cut *better* way universally. Several different ways
    > > work if you have your head screwed on straight.
    > >
    > > My personal preference is to use private ip addresses everywhere inside
    > > my firewall...even in my DMZ. That way I control my public IP addresses
    > > at one point only, and that's my firewall. If for some reason I change
    > > ISPs or my ISP wants to change my IP address range (which hasn't
    > > happened in over 9 years), I make my IP address changes in two spots: my
    > > firewall(s), and my DNS servers. Nothing else changes. To me, it's
    > > simpler. Others like to be complicated...so YMMV.
    > >
    > >
    > > David Lang wrote:
    > >> On Fri, 22 Jul 2005, Dave Piscitello wrote:
    > >>
    > >>> Isn't this a question of whether you want to route or NAT?
    > >>>
    > >>> A server that is Internet-facing has to have (or be reachable via) a
    > >>> public IP. If your ISP changes your block of public IP addresses, you
    > >>> have to change:
    > >>>
    > >>> 1) the mapping between your private IP addresses and the new public
    > >>> IP addresses (the static or 1:1 NAT case) or
    > >>> 2) the IP addresses of all the servers, the IPs of the trusted and
    > >>> external interfaces on the firewall, and the routing table (or
    > >>> routing protocol configuration)
    > >>>
    > >>> (2) seems like a whole lot more work to me.
    > >>
    > >>
    > >> first off, how frequently does your ISP reallocate your address range?
    > >>
    > >> secondly you are ignoring all the other work that you need to do when
    > >> this change takes place. with all that in mind the difference in the
    > >> amount of work seems a lot less.
    > >>
    > >> and as I said below, the trade off for simplifying this rare occurrence
    > >> of changing your IP range comes with day-to-day costs in running NAT.
    > >>
    > >> David Lang
    > >>
    > >>>
    > >>> On 21 Jul 2005 at 18:28, David Lang wrote:
    > >>>
    > >>>> On Thu, 21 Jul 2005, Paul D. Robertson wrote:
    > >>>>
    > >>>>> On Fri, 15 Jul 2005, Matt Bazan wrote:
    > >>>>>
    > >>>>>> Is there a preferred method of setting up an Internet-facing
    > >>>>>> screened subnet and the use of public or private IP addresses?
    > >>>>>> Looking at redesigning our DMZ to only include public resources
    > >>>>>> (www, smtp, imap, ftp). Presently we use a private IP address
    > >>>>>> range for this that is NAT'ed at our firewall. Any reasons to
    > >>>>>> change this policy to using public IPs in the DMZ? Thanks,
    > >>>>>
    > >>>>>
    > >>>>> If you're NATing to your internal network, then a rework is
    > >>>>> necessary- public stuff should be on its own (preferably) physical
    > >>>>> subnet.
    > >>>>>
    > >>>>> IP addressing doesn't matter much, since you'll be letting stuff
    > >>>>> through the most likely exploit vectors anyway.
    > >>>>
    > >>>>
    > >>>> The thing I've been hearing for years about why NAT is better is that
    > >>>> you may change ISPs and end up with a new set of IP addresses which
    > >>>> are easier to change if you NAT.
    > >>>>
    > >>>> this may be true (I've actually never seen anyone actually DO this),
    > >>>> but you are trading one-time headaches (which I personally believe are
    > >>>> no more severe than all the other changes that you need to make when
    > >>>> changing things, firewalls, DNS, NAT tables, etc) for ongoing overhead
    > >>>> (performance on your NAT device, troubleshooting, bugs in the NAT
    > >>>> implementation, overloading of the NAT tables, etc)
    > >>>>
    > >>>> I would definitely have things that serve the Internet use public
    > >>>> addresses, once you get behind that layer and have devices that only
    > >>>> talk to internal stuff, then make it all private addresses.
    > >>>>
    > >>>> David Lang
    > >>>>
    > >>>> --
    > >>>> There are two ways of constructing a software design.
    > One way is to
    > >>>> make it so simple that there are obviously no
    > deficiencies. And the
    > >>>> other way is to make it so complicated that there are no obvious
    > >>>> deficiencies.
    > >>>> -- C.A.R. Hoare
    > >>>> _______________________________________________
    > >>>> firewall-wizards mailing list
    > >>>> firewall-wizards@honor.icsalabs.com
    > >>>> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    > >>>>

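The trade-off the thread argues about (Dave Piscitello's two renumbering cases, David Lang's point that 1:1 NAT only moves the work, and Victor's remark that too few public addresses pushes you to PAT) is worth seeing as a concrete renumbering exercise. The following is an added example written for this archive page; it is not code from any poster or from any firewall product. The DMZ inventory, the sample address blocks, and every function name are constructed assumptions. It uses only the standard library `ipaddress` module.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed DMZ inventory (assumption, not from the thread): hostname -> (private address,
# services it exposes as (proto, port)). "www2" deliberately duplicates www's ports so the
# PAT case below has a real port collision to resolve.
DMZ_HOSTS: Dict[str, Tuple[str, List[Tuple[str, int]]]] = {
    "www":  ("10.1.1.10", [("tcp", 80), ("tcp", 443)]),
    "smtp": ("10.1.1.20", [("tcp", 25)]),
    "imap": ("10.1.1.30", [("tcp", 143), ("tcp", 993)]),
    "ftp":  ("10.1.1.40", [("tcp", 21)]),
    "www2": ("10.1.1.50", [("tcp", 80), ("tcp", 443)]),
}

# RFC 1918 space, checked explicitly: ipaddress.is_private/is_global also classify the
# documentation ranges (198.51.100.0/24, 203.0.113.0/24) used as sample public blocks here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_dmz_addressing(hosts, public_block):
    """Pre-flight checks before any NAT rule is written: the DMZ side must be RFC 1918,
    the public block must not be, and both sides must be the same address family."""
    block = ipaddress.ip_network(public_block, strict=True)
    if any(block.overlaps(n) for n in RFC1918):
        raise ValueError(f"{public_block} is RFC 1918 space, not a public block")
    for name, (addr, _) in hosts.items():
        ip = ipaddress.ip_address(addr)
        if not any(ip in n for n in RFC1918):
            raise ValueError(f"{name}: {addr} is not an RFC 1918 address")
        if ip.version != block.version:
            raise ValueError(f"{name}: address family differs from {public_block}")
    return block


def static_nat_plan(hosts, public_block):
    """1:1 static NAT: one public address per DMZ host, taken in inventory order from the
    block's usable hosts (network and broadcast skipped). Returns {host: (private, public)}."""
    block = check_dmz_addressing(hosts, public_block)
    usable = list(block.hosts())
    if len(usable) < len(hosts):
        raise ValueError(f"{public_block}: {len(usable)} usable addresses for {len(hosts)} hosts")
    return {name: (addr, str(pub)) for (name, (addr, _)), pub in zip(hosts.items(), usable)}


def renumber_static_nat(old_plan, hosts, new_block):
    """Renumbering under 1:1 NAT (Dave's case 1): only the firewall mapping changes, and DNS
    follows it. Returns (host, old_public, new_public) for every mapping that moved."""
    new_plan = static_nat_plan(hosts, new_block)
    return [(n, old_plan[n][1], new_plan[n][1]) for n in hosts if old_plan[n][1] != new_plan[n][1]]


def renumber_public_addressing(hosts, old_block, new_block):
    """Renumbering with public addresses on the hosts themselves (Dave's case 2): every host
    interface, the firewall's DMZ interface and the route for the block are touched."""
    old, new = ipaddress.ip_network(old_block), ipaddress.ip_network(new_block)
    touched = [f"host:{name}" for name in hosts]
    touched += ["firewall:dmz-interface", f"route:{old}->{new}"]
    return touched


def pat_plan(hosts, public_ips):
    """PAT / port forwarding onto a short list of public addresses (Victor's 'not enough
    public IPs' case). A (proto, port) pair can be bound once per public IP; a second host
    wanting the same port spills to the next IP, and the plan fails loudly when none is left
    rather than silently shadowing one service with another."""
    bound: Dict[str, set] = {ip: set() for ip in public_ips}
    plan = []
    for name, (addr, services) in hosts.items():
        for proto, port in services:
            for ip in public_ips:
                if (proto, port) not in bound[ip]:
                    bound[ip].add((proto, port))
                    plan.append((f"{ip}:{port}/{proto}", f"{addr}:{port}/{proto}", name))
                    break
            else:  # inner loop exhausted without a break: every public IP already has this port
                raise ValueError(f"no public IP left for {name} {proto}/{port}")
    return plan


if __name__ == "__main__":
    plan = static_nat_plan(DMZ_HOSTS, "198.51.100.0/29")
    for host, (priv, pub) in plan.items():
        print(f"static nat {priv} <-> {pub}  ({host})")
    print("ISP renumbers to 203.0.113.8/29 ...")
    for host, old, new in renumber_static_nat(plan, DMZ_HOSTS, "203.0.113.8/29"):
        print(f"  1:1 NAT: update mapping + DNS for {host}: {old} -> {new}")
    for item in renumber_public_addressing(DMZ_HOSTS, "198.51.100.0/29", "203.0.113.8/29"):
        print(f"  public addressing: reconfigure {item}")
    for pub, priv, host in pat_plan(DMZ_HOSTS, ["198.51.100.1", "198.51.100.2"]):
        print(f"pat {pub} -> {priv}  ({host})")
```

Running it shows the point both camps are making: under 1:1 NAT the renumbering is exactly one mapping change per host (plus DNS), while with public addressing every host, the DMZ interface and the route are touched; and the PAT function demonstrates the day-to-day cost David Lang refers to, since two hosts that both want tcp/80 cannot share a public address and the second one silently disappears unless the plan refuses the collision.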

