> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, March 27, 2001 8:44 AM
> To: [EMAIL PROTECTED]
> Subject: Thoughts on the Optimium DMZ Configurations
>
>
> I have a couple of questions for general comment regarding DMZ configurations. [...]
> My current configuration employs a firewall with 3 NICs. [...]
> At present, the DMZ network is using a 192.168 address and uses NAT and proxy ARP on the firewall. In effect this is a hidden network.
>
> The problem with this configuration is that in order for the RPC connection to work the WinNT machines must register with their WINS servers (inside). Due to a Microsoft oversight, they must use their real IP address rather than the NAT'ed address. [...]
Yuck. By the way, I don't think that RPC actually requires NetBIOS to work.
If you have a look at some of the Exchange setup docs, they just pass RPC
portmapper (TCP 135) traffic and allow a couple of service ports - no
NetBIOS at all.
If you really only need RPC, you're saved. If you _do_ need NetBT, oh well.
> One plan which has been proposed is to use Internet routable addresses on the DMZ and to use a single entry in the DNS (and WINS) for each of these machines. This would obviate the need for NAT, allow registration with the real IP address and cause fewer headaches for our host master and the firewall admin. I realize NAT provides a modicum of security. But I also think it adds back a modicum of complexity. I know it clearly doesn't remove the DMZ-to-Internal address problem, but it does resolve the additional static routes to what should be a hidden network.
>
> What are the pros and cons of implementing this plan?
If NAT is causing you grief, I agree that you should probably get rid of it.
You've already busted most of your security by having the DMZ servers
talking NetBT through the firewall anyway, and NAT mostly secures the
addresses that are being translated (192.168 in this case).
Also, what's wrong with using 192.168 addresses and just not NAT'ing when
the traffic is going DMZ <--> Internal?
Just a few thoughts...
> Dan
>
> -------------------
> Dan McGinn-Combs
> [EMAIL PROTECTED]
> Atlanta, Georgia
--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
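The two suggestions in the reply above (pass DMZ <--> Internal traffic with the real 192.168 addresses and no NAT, translate only Internet-bound traffic, and let through just the RPC portmapper on TCP 135 plus a couple of fixed service ports rather than NetBIOS) modelled as a small policy evaluator. This is an added illustration, not code from the thread; the subnets, the public address and the two service port numbers are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for illustration only (not taken from the thread).
DMZ_NET = ipaddress.ip_network("192.168.10.0/24")      # hidden DMZ network
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")      # inside, where WINS lives
PUBLIC_ADDR = "203.0.113.1"                            # firewall's Internet-facing address (placeholder)
# TCP 135 (RPC portmapper) plus the fixed service ports the reply mentions;
# 5000 and 5001 are assumed values standing in for the real service ports.
DMZ_TO_INTERNAL_TCP = {135, 5000, 5001}
NETBIOS_PORTS = {137, 138, 139}   # deliberately NOT in the allow set above


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    if ip in DMZ_NET:
        return "dmz"
    if ip in INTERNAL_NET:
        return "internal"
    return "internet"


def decide(pkt: Packet) -> tuple[str, str]:
    """Return (verdict, source address as seen by the destination)."""
    s, d = zone(pkt.src), zone(pkt.dst)
    if s == "dmz" and d == "internal":
        # No NAT here: the inside WINS/RPC servers see the real 192.168 address.
        if pkt.proto == "tcp" and pkt.dport in DMZ_TO_INTERNAL_TCP:
            return ("accept", pkt.src)
        return ("drop", pkt.src)          # NetBT and everything else stays out
    if s == "internal" and d == "dmz":
        return ("accept", pkt.src)        # inside hosts reach the DMZ untranslated
    if s == "dmz" and d == "internet":
        return ("accept", PUBLIC_ADDR)    # hide the private address only towards the Internet
    return ("drop", pkt.src)              # default deny, including unsolicited Internet -> DMZ


if __name__ == "__main__":
    for p in (Packet("192.168.10.5", "10.1.1.10", 135),
              Packet("192.168.10.5", "10.1.1.10", 139),
              Packet("192.168.10.5", "198.51.100.7", 80)):
        print(p, "->", decide(p))
```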