Can anyone tell me if the load imposed by NAT would cause noticeable
delays in accessing the web server. Assuming the machine is not really
being taxed and there is a low volume of traffic to the web server. I
have a server that seems to just be sluggish. Could this be the reason?
Thanks
Bill
-----Original Message-----
From: paulk [SMTP:[EMAIL PROTECTED]]
Sent: Wednesday, May 24, 2000 2:59 PM
To: y.erin; fw-1-mailinglist
Cc: paulk
Subject: FW: Re: [FW1] Building a DMZ
It depends on what you are trying to do. If you want the servers in
your DMZ to be publicly accessible you will need to either use
routeable addresses in your DMZ or configure a static NAT entry for
each server. If these NAT'd addresses are in the same IP subnet as the
external IF of the firewall you will also need to configure the
firewall to proxy ARP for the Static NAT IP's. Finally, you would also
need to configure static host routes for the routeable IP's pointing to
the corresponding RFC 1918 (192.x.x.x) addresses. NAT will also add to
the processing load on the firewall since it will add the translation
to whatever packet processing is going on.
If you use routeable IP's in your DMZ the administration will be
simpler and it might improve firewall performance. I don't know about
the security aspects though.
-PaulK
At 10:26 AM 5/24/2000, Erin Young wrote:
>I am building a DMZ comprised of 2 FW-1 firewalls. Should I use
>private or public addresses in the DMZ? In other words, I was going to
>set up my DMZ with public address on the external nic of the firewall
>facing the internet and have private addresses on the internal nic.
>
>The private addresses in the DMZ would be different from the private
>addresses in my internal network. Therefore, the external nic of my
>Internal firewall, the one connected to my private network and the
>DMZ, will have addresses of the DMZ.
>
> (Public IP)
> x.x.x.x
> External Firewall
> 192.x.x.x
> *
> *
> DMZ*****Server(192.x.x.x)
> *
> *
> 192.x.x.x
> Internal Firewall
> x.x.x.x (Private IP)
>
>
>The management server will be in my private network. Will this cause a
>problem with pushing out policies and putkeys?
>
>What might be the pros and cons of this config?
>
>Also, can anyone let me know of any good sources of how to build a
>secure DMZ?
>
>================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
>================================================================================
*********************************************
Paul Keser
Network Security Engineer
[EMAIL PROTECTED]
tel: 415.351.4037
fax: 415.474.6017
ShopExpert.com
1375 Sutter Street, Suite 400
San Francisco, CA 94109
*********************************************
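
Added example, not part of the original thread: a small planning helper for the static NAT setup described in the reply above, reporting per DMZ server whether the firewall must proxy ARP for the public address and which host route is needed. The function name, the sample addresses (documentation ranges) and the assumption that off-subnet public blocks are already routed to the firewall are all constructed for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def plan_static_nat(external_if, mappings):
    """external_if: firewall external interface in CIDR form.
    mappings: {public_ip: dmz_private_ip}, one entry per DMZ server.
    Returns one plan entry per server (hypothetical helper)."""
    iface = ipaddress.ip_interface(external_if)
    plan, seen_private = [], set()
    for pub_s, priv_s in mappings.items():
        pub = ipaddress.ip_address(pub_s)
        priv = ipaddress.ip_address(priv_s)
        if pub == iface.ip:
            raise ValueError(f"{pub} is the firewall's own external address")
        if not any(priv in net for net in RFC1918):
            raise ValueError(f"{priv} is not an RFC 1918 address")
        if priv in seen_private:
            raise ValueError(f"{priv} is the target of two static NAT entries")
        seen_private.add(priv)
        plan.append({
            "public": str(pub),
            "private": str(priv),
            # The upstream router ARPs directly for any address on the
            # external subnet, so the firewall has to answer for it.
            # Assumption: public addresses outside that subnet are routed
            # to the firewall upstream and need no proxy ARP.
            "proxy_arp": pub in iface.network,
            # Host route sending the public address to the real server.
            "host_route": f"{pub}/32 -> {priv}",
        })
    return plan

if __name__ == "__main__":
    # Constructed sample: one NAT address on the external subnet,
    # one from a separately routed block.
    sample = {"198.51.100.5": "192.168.10.5",
              "203.0.113.10": "192.168.10.6"}
    for entry in plan_static_nat("198.51.100.1/28", sample):
        print(entry)
```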