> I'm currently in a Watchguard training. I'm going to make the WCP
> Certificate.
>
> The trainer told me that the "Drop-In configuration" (ProxyARP DMZ) is less
> secure than the routed DMZ. I didn't say anything and thought "Uh, really?
> Why?".

Good for you!

> Is a ProxyARP DMZ less secure than a routed or staticNAT DMZ?
> Are there even any security-related differences?
>
> She told me that staticNAT with a private DMZ is the better solution if you
> want to save public IPs. I don't think so.
> I think I run into problems with special applications/protocols if using
> staticNAT (passiveFTP, PPTP?)
>
> Discussion is opened....

All three of the architectures you mention (static-NAT, routed, and proxy-arp) have the same basic packet flow:

    <internet>
        |
    Firewall - DMZ net

Or possibly:

    <internet>
        |
    Firewall - DMZ net
        |
    Internal net

The only difference between the "flavors" of DMZ you mention is what IP addresses and subnet labels get attached to each interface...the security (or lack thereof) depends entirely on what the firewall is doing with the packet data. If you've got a flexible mechanism for building firewall rules, it shouldn't matter which architecture you pick...you should be able to implement your desired firewall functionality with any of the DMZ flavors.

NOTE: There are specific things you need to watch for depending on the DMZ architecture. For instance, the Dachstein firewall rules implement routed, static-nat, and proxy-arp DMZ rules in the forward chain, so the packets are blindly accepted in the input chain (to be sorted later). If you're running static-NAT or proxy-arp, the firewall probably has an IP that overlaps with the DMZ network, so you've just potentially opened your firewall's external IP to the world with no filtering!

For the curious, that's why the dmz-in and dmz-spoof ipchains are created in this situation...IPs destined for the local box are routed back through the input rule chain, while packets truly destined for the DMZ are accepted in the input chain, then filtered in the forward chain.

Charles Steinkuehler
[EMAIL PROTECTED]

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
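The overlap problem Charles describes above, modelled as an added example (not code from the post or from Dachstein): a tiny first-match evaluator for ipchains-style chains, an audit that reports which of the firewall's own addresses a "blind accept of the DMZ net" input rule would pass unfiltered, and the dmz-in style fix that sends local addresses back through input filtering. All addresses, chain layouts and names are constructed for illustration.

```python
import ipaddress

IPNet = ipaddress.IPv4Network
ip = ipaddress.ip_address

# Constructed addresses (not from the original post): the firewall's own
# external and internal IPs, i.e. the "local box" targets that must stay filtered.
FW_LOCAL_IPS = {ip("203.0.113.1"), ip("10.0.0.1")}

def evaluate(chain, dst):
    """First-match evaluation of one chain. Each rule is (dst_net, target); a target
    is ACCEPT (no further filtering), DENY, or the name of a chain to jump to."""
    for net, target in chain["rules"]:
        if dst in net:
            return target
    return chain["policy"]

def run_input(chains, dst):
    """Walk from the input chain through user-defined chain jumps to a terminal verdict."""
    verdict = evaluate(chains["input"], dst)
    while verdict in chains:          # a jump to another chain, keep evaluating
        verdict = evaluate(chains[verdict], dst)
    return verdict

def unfiltered_local_targets(chains):
    """Audit: which of the firewall's own IPs get ACCEPTed in input with no filtering at all?"""
    return {a for a in FW_LOCAL_IPS if run_input(chains, a) == "ACCEPT"}

# Routed DMZ: the DMZ net is disjoint from the firewall's addresses, so accepting
# the whole DMZ net in input (to sort it out in forward) never matches the box itself.
ROUTED = {"input": {"rules": [(IPNet("10.0.1.0/24"), "ACCEPT")], "policy": "local-filter"},
          "local-filter": {"rules": [], "policy": "DENY"}}

# Proxy-ARP / static-NAT DMZ: DMZ hosts share the /24 of the firewall's external IP,
# so the same blind accept now also covers 203.0.113.1.
PROXYARP_NAIVE = {"input": {"rules": [(IPNet("203.0.113.0/24"), "ACCEPT")], "policy": "local-filter"},
                  "local-filter": {"rules": [], "policy": "DENY"}}

# Same layout with a dmz-in style chain: addresses belonging to the local box are
# routed back to normal input filtering before the DMZ-wide accept is reached.
PROXYARP_DMZ_IN = {
    "input": {"rules": [(IPNet("203.0.113.0/24"), "dmz-in")], "policy": "local-filter"},
    "dmz-in": {"rules": [(IPNet("203.0.113.1/32"), "local-filter"),
                         (IPNet("203.0.113.0/24"), "ACCEPT")], "policy": "DENY"},
    "local-filter": {"rules": [], "policy": "DENY"},
}

if __name__ == "__main__":
    for name, chains in [("routed", ROUTED), ("proxy-arp naive", PROXYARP_NAIVE),
                         ("proxy-arp + dmz-in", PROXYARP_DMZ_IN)]:
        print(f"{name:20s} unfiltered local IPs: {sorted(map(str, unfiltered_local_targets(chains)))}")
```

The audit flags only the naive proxy-ARP layout; a genuine DMZ host such as 203.0.113.10 is still accepted by the dmz-in variant and left for the forward chain, which is the behaviour the post describes.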