RE: [fw-wiz] Internet accessible screened subnet - use public or private IPs?

lordchariot_at_earthlink.net
Date: 07/26/05

  • Next message: Marcus J. Ranum: "Re: [fw-wiz] Internet accessible screened subnet - use public or private IPs?"
    To: <firewall-wizards@honor.icsalabs.com>
    Date: Mon, 25 Jul 2005 20:12:58 -0400
    
    

    What about when IPv6 becomes predominant on the net?
    Am I mistaken that there doesn't seem to be any concept of NAT in the IPv6
    specs?
    I could be wrong, but thought I found that somewhere?

    Erik

    > -----Original Message-----
    > From: firewall-wizards-admin@honor.icsalabs.com
    > [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf
    > Of David Lang
    > Sent: Friday, July 22, 2005 8:27 PM
    > To: Victor Williams
    > Cc: Dave Piscitello; firewall-wizards@honor.icsalabs.com
    > Subject: Re: [fw-wiz] Internet accessible screened subnet -
    > use public orprivateIPs?
    >
    > On Fri, 22 Jul 2005, Victor Williams wrote:
    >
    > > Everyone has missed the point.
    > >
    > > The whole issue of using NAT or not has nothing to do with
    > work associated
    > > with either. The whole reason NAT was implemented was
    > because of a very
    > > finite (and quickly running out supply, depending on who
    > you ask) number
    > > of publicly routable IP addresses. Instead of assigning
    > every machine that
    > > wanted internet access a public IP address, it was just
    > more cost-effective
    > > (IP addresses cost money) to use NAT or
    > masquerading...whatever your lingo
    > > is...to address those hosts that only needed outgoing
    > access--who weren't
    > > serving content.
    >
    > however, for a DMZ (the question that was asked) you are typically
    > providing service to the Internet, and for that you run into
    > a bunch of
    > very interesting issues if you try to use NAT to reduce the
    > number of IP
    > addresses you use.
    >
    > David Lang
    >
    > > Whether you address your publicly accessible hosts directly
    > with public ip
    > > addresses or you use static NAT translations is up to the
    > preference of the
    > > administrator. If you have enough public IP addresses and
    > $ isn't an object,
    > > then your preference for assigning them all public IP
    > addresses really
    > > doesn't make a difference. If you don't have enough public
    > IP addresses and
    > > you have a limited budget and have to allow many services
    > on the internet
    > > with less public IP addresses, then it sounds like you'll
    > be using NAT or
    > > PAT.
    > >
    > > There is no clear-cut *better* way universally. Several
    > different ways work
    > > if you have your head screwed on straight.
    > >
    > > My personal preference is to use private ip addresses
    > everywhere inside my
    > > firewall...even in my DMZ. That way I control my public IP
    > addresses at one
    > > point only, and that's my firewall. If for some reason I
    > change ISP's or my
    > > ISP wants to change my IP address range (which hasn't
    > happened in over 9
    > > years), I make my IP address changes in two spots: my
    > firewall(s), and my DNS
    > > servers. Nothing else changes. To me, it's simpler.
    > Others like to be
    > > complicated...so YMMV.
    > >
    > >
    > > David Lang wrote:
    > >> On Fri, 22 Jul 2005, Dave Piscitello wrote:
    > >>
    > >>> Isn't this a question of whether you want to route or NAT?
    > >>>
    > >>> A server that is Internet-facing has to have (or be
    > reachable via) a
    > >>> public IP. If your ISP changes your block of public IP
    > addresses, you
    > >>> have to change:
    > >>>
    > >>> 1) the mapping between your private IP addresses and the
    > new public
    > >>> IP addresses (the static or 1:1 NAT case) or
    > >>> 2) the IP addresses of all the servers, the IPs of the trusted and
    > >>> external interfaces on the firewall, and the routing table (or
    > >>> routing protocol configuration)
    > >>>
    > >>> (2) seems like a whole lot more work to me.
    > >>
    > >>
    > >> first off, how frequently does your ISP reallocate your
    > address range?
    > >>
    > >> secondly you are ignoring all the other work that you need
    > to do when this
    > >> change takes place. with all that in mind the difference
    > in the amount of
    > >> work seems a lot less.
    > >>
    > >> and as I said below, the trade off for simplifying this
    > rare occurrence of
    > >> changing your IP range comes with day-to-day costs in running NAT.
    > >>
    > >> David Lang
    > >>
    > >>>
    > >>> On 21 Jul 2005 at 18:28, David Lang wrote:
    > >>>
    > >>>> On Thu, 21 Jul 2005, Paul D. Robertson wrote:
    > >>>>
    > >>>>> On Fri, 15 Jul 2005, Matt Bazan wrote:
    > >>>>>
    > >>>>>> Is there a preferred method of setting up a Internet facing
    > >>>>>> screened subnet and the use of public or private IP addresses?
    > >>>>>> Looking at redesigning our DMZ to only include public resources
    > >>>>>> (www, smtp, imap, ftp). Presently we use a private IP address
    > >>>>>> range for this that is NAT'ed at our firewall. Any reasons to
    > >>>>>> change this policy to using public IPs in the DMZ? Thanks,
    > >>>>>
    > >>>>>
    > >>>>> If you're NATing to your internal network, then a rework is
    > >>>>> necessary- public stuff should be on its own
    > (preferably) physical
    > >>>>> subnet.
    > >>>>>
    > >>>>> IP addressing doesn't matter much, since you'll be letting stuff
    > >>>>> through the most likely exploit vectors anyway.
    > >>>>
    > >>>>
    > >>>> The thing I've been hearing for years about why NAT is
    > better is that
    > >>>> you may change ISP's and end up with a new set of IP
    > addresses which
    > >>>> are easier to change if you NAT.
    > >>>>
    > >>>> this may be true (I've actually never seen anyone
    > actually DO this),
    > >>>> but you are trading one-time headaches (which I
    > personally believe are
    > >>>> no more severe than all the other changes that you need
    > to make when
    > >>>> changing things, firewalls, DNS, NAT tables, etc) for
    > ongoing overhead
    > >>>> (performance on your NAT device, troubleshooting, bugs in the NAT
    > >>>> implementation, overloading of the NAT tables, etc)
    > >>>>
    > >>>> I would definitely have things that serve the Internet
    > use public
    > >>>> addresses, once you get behind that layer and have
    > devices that only
    > >>>> talk to internal stuff, then make it all private addresses.
    > >>>>
    > >>>> David Lang
    > >>>>
    > >>>>
    > >>>>
    > >>>>
    > >>>>
    > >>>> --
    > >>>> There are two ways of constructing a software design.
    > One way is to
    > >>>> make it so simple that there are obviously no
    > deficiencies. And the
    > >>>> other way is to make it so complicated that there are no obvious
    > >>>> deficiencies.
    > >>>> -- C.A.R. Hoare
    > >>>> _______________________________________________
    > >>>> firewall-wizards mailing list
    > >>>> firewall-wizards@honor.icsalabs.com
    > >>>> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    > >>>>
    > >>>
    > >>>
    > >>>
    > >>>
    > >>
    > >
    >

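The arrangement Dave Piscitello and Victor Williams are describing (private addresses inside the DMZ, public addresses held only as static 1:1 mappings at the firewall, so an ISP renumbering is a change at the firewall and in DNS) as an added example that is not part of this thread: a POSIX shell script that generates an nftables ruleset from a host table and a public prefix, plus a helper that counts how many ruleset lines a renumbering actually changes. Everything concrete here is assumed rather than taken from the discussion: the RFC 5737 documentation blocks 203.0.113.0/24 and 198.51.100.0/24 as the old and new public ranges, 10.10.0.0/24 as the DMZ, eth0 as the outside interface, the four-host table, and nftables itself as the firewall.

```shell
#!/bin/sh
# Added example, not code from the firewall-wizards thread.
# Generates an nftables ruleset implementing static 1:1 NAT for a
# private-addressed DMZ behind one firewall. The public block is a
# parameter, so an ISP renumbering touches this input (and DNS), not
# the DMZ hosts themselves.
#
# Assumed values (not from the thread): public block 203.0.113.0/24,
# DMZ 10.10.0.0/24, outside interface eth0. The host list is constructed.

# "<last octet> <role>": the same last octet is used in both blocks so
# that 203.0.113.20 <-> 10.10.0.20 can be read off without a lookup.
DMZ_HOSTS='10 www
20 smtp
30 imap
40 ftp'

# gen_dmz_nat PUBLIC_PREFIX [DMZ_PREFIX] [WAN_IFACE]
# Prints a complete "table ip nat": two address maps plus the
# prerouting (inbound DNAT) and postrouting (outbound SNAT) chains.
gen_dmz_nat() {
    pub="$1"
    priv="${2:-10.10.0}"
    wan="${3:-eth0}"
    in_map=""
    out_map=""
    while read -r oct _role; do
        [ -n "$oct" ] || continue
        in_map="$in_map ${pub}.${oct} : ${priv}.${oct},"
        out_map="$out_map ${priv}.${oct} : ${pub}.${oct},"
    done <<EOF
$DMZ_HOSTS
EOF
    cat <<EOF
table ip nat {
    # public -> private, applied to packets arriving on the outside
    map dmz_in  { type ipv4_addr : ipv4_addr; elements = {${in_map%,} } }
    # private -> public, applied to DMZ packets leaving via the outside
    map dmz_out { type ipv4_addr : ipv4_addr; elements = {${out_map%,} } }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "$wan" dnat to ip daddr map @dmz_in
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "$wan" snat to ip saddr map @dmz_out
    }
}
EOF
}

# count_changed_lines OLD_PREFIX NEW_PREFIX
# Number of ruleset lines that differ after renumbering the public block
# (the '<' and '>' lines of a plain diff). This is the renumbering cost
# of the design: only the two map lines move.
count_changed_lines() {
    tmp=$(mktemp -d) || return 1
    gen_dmz_nat "$1" > "$tmp/old"
    gen_dmz_nat "$2" > "$tmp/new"
    n=$(diff "$tmp/old" "$tmp/new" | grep -c '^[<>]' || true)
    rm -rf "$tmp"
    echo "$n"
}

# Usage: PUBLIC_PREFIX=203.0.113 sh dmz-nat.sh | nft -c -f -
if [ -n "${PUBLIC_PREFIX:-}" ]; then
    gen_dmz_nat "$PUBLIC_PREFIX"
fi
```

`nft -c -f -` parses the generated ruleset from stdin without loading it, which is the check to run before the real load. The NAT table on its own permits nothing; the per-port filter rules that decide which DMZ services are reachable live in a separate filter table and are unaffected by a renumbering, which is the point of keeping the public range in one place. The ongoing costs David Lang raises still apply: the ftp entry in the host table, for example, needs a connection-tracking helper because active-mode FTP carries the client's address inside the protocol, and the translated address has to be rewritten there too.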

