What is the reasoning of your security manager?  I am not suggesting there
is necessarily a "right" or a "wrong" reason or answer here. I am merely
curious about the thought process.

My own preference would be to have a single firewall at the point in
internet connection, and do all NAT/PAT at that point. The DMZ can use
private addresses with NAT or use public addresses. Further protection is
offered to the servers on the DMZ through detailed and specific access lists
or conduits.

I don't see any advantage to using public address space for WAN links, even
if you were using public addressing for your inside hosts. On the other
hand, I have often found myself admiring the logic of those who sign my
paychecks. :->

Some folks attempt to secure their inside environments further by creating
multiple security domains, protected by multiple firewalls. Sure, why not?
Some folks further refine the concept by using different firewall vendors at
different points, thus offering further stumbling blocks to intruders.
Again, why not? It depends upon how much you value your resources versus how
much time you want to spend managing the confusion.

One begins to see the advantage of a clear, well thought out written
security policy, built around the identification of resources of value, the
quantification of risk associated with the compromise of those resources,
and the determination of who should have access to which resources under
what circumstances. From there, the specifics of design become a bit easier
to deal with, and questions such as those of your security manager become
easier to answer.

HTH / FWIW

Chuck

-----Original Message-----
From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Steve Smith
Sent:   Tuesday, August 22, 2000 1:17 PM
To:     '[EMAIL PROTECTED]'
Subject:        security

Hey gang, a little OT but here it goes. I need a few "expert" opinions on a
sore subject.

Suppose you have a big WAN, an ATM DS3 connecting 6 cities, with a single
internet access point. Our "security" manager feels that we should have public
IPs running in our DMZ and our WAN from city to city, then NAT/PAT into each
location. The other way would be to have a DMZ at the internet access point,
leave them public for web servers and such, then NAT/PAT through the
firewall for the rest of the WAN.

Any feelings?

Thanks in advance.
Steve

___________________________________
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]