> I'm currently in a Watchguard training. I'm going to make the WCP
> Certificate.
>
> The trainer told me that the "Drop-In configuration" (ProxyARP DMZ) is
> less secure than the routed DMZ. I didn't say anything and thought "Uh,
> really? Why?".

Good for you!

> Is a ProxyARP DMZ less secure than a routed or staticNAT DMZ?
> Are there even any security-related differences?
>
> She told me that staticNAT with a private DMZ is the better solution if
> you want to save public IPs. I don't think so.
> I think I run into problems with special applications/protocols if using
> staticNAT (passive FTP, PPTP?)
>
> Discussion is open....

All three of the architectures you mention (static-NAT, routed, and
proxy-arp) have the same basic packet flow:

<internet>
    |
Firewall - DMZ net

Or possibly:

<internet>
    |
Firewall - DMZ net
    |
Internal net

The only difference between the "flavors" of DMZ you mention is what IP
addresses and subnet labels get attached to each interface...the security
(or lack thereof) depends entirely on what the firewall is doing with the
packet data.

If you've got a flexible mechanism for building firewall rules, it shouldn't
matter which architecture you pick...you should be able to implement your
desired firewall functionality with any of the DMZ flavors.

NOTE:  There are specific things you need to watch for depending on the DMZ
architecture.  For instance, the Dachstein firewall rules implement routed,
static-nat, and proxy-arp DMZ rules in the forward chain, so the packets are
blindly accepted in the input chain (to be sorted later).  If you're running
static-NAT or proxy-arp, the firewall probably has an IP that overlaps with
the DMZ network, so you've just potentially opened your firewall's external
IP to the world with no filtering!  For the curious, that's why the dmz-in
and dmz-spoof ipchains are created in this situation...IPs destined for the
local box are routed back through the input rule chain, while packets truly
destined for the DMZ are accepted in the input chain, then filtered in the
forward chain.

Charles Steinkuehler
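The overlap problem from the NOTE above, modelled as an added example (this is illustrative code written for this page, not the Dachstein rule set): an input chain that blindly accepts anything for the DMZ network, a forward chain that does the real filtering, and a dmz-in chain that catches packets addressed to the firewall's own IP when that IP sits inside the DMZ subnet. The addresses (203.0.113.0/24 and friends), the allowed-service tables and the chain names are constructed for the example.

```python
"""
Toy model of the ipchains-style packet flow described in the reply:
input chain first, then either local delivery to the firewall box or
the forward chain.  Shows why a "blindly accept for the DMZ net" input
rule exposes the firewall's own external IP when that IP overlaps the
DMZ network (static-NAT / proxy-ARP layouts), and how a dmz-in chain
closes the hole.  All addresses, ports and rule tables are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology: proxy-ARP DMZ where the firewall's external address
# lives inside the same /24 that the DMZ hosts use.
FIREWALL_EXTERNAL_IP = ip_address("203.0.113.1")
DMZ_NET = ip_network("203.0.113.0/24")
LOCAL_IPS = {FIREWALL_EXTERNAL_IP, ip_address("192.168.1.1")}  # addresses owned by the firewall box

# Services the operator intends to expose; anything else must be denied.
DMZ_ALLOWED = {("203.0.113.10", 80), ("203.0.113.10", 443)}   # DMZ host behind the firewall
FIREWALL_ALLOWED = set()                                        # nothing on the firewall itself from outside


@dataclass(frozen=True)
class Packet:
    dst: str
    dport: int


def forward_chain(pkt: Packet) -> str:
    """Filtering for traffic that transits the firewall toward the DMZ."""
    return "ACCEPT" if (pkt.dst, pkt.dport) in DMZ_ALLOWED else "DENY"


def dmz_in_chain(pkt: Packet) -> str:
    """Filtering for traffic addressed to the firewall's own DMZ-side IP."""
    return "ACCEPT" if (pkt.dst, pkt.dport) in FIREWALL_ALLOWED else "DENY"


def naive_input_chain(pkt: Packet) -> str:
    """The mistake described in the note: accept anything for the DMZ net,
    assuming the forward chain will sort it out later."""
    return "ACCEPT" if ip_address(pkt.dst) in DMZ_NET else "DENY"


def fixed_input_chain(pkt: Packet) -> str:
    """Packets for the local box are diverted to dmz-in; only true transit
    traffic is waved through to be filtered in the forward chain."""
    dst = ip_address(pkt.dst)
    if dst in LOCAL_IPS:
        return dmz_in_chain(pkt)
    return "ACCEPT" if dst in DMZ_NET else "DENY"


def deliver(pkt: Packet, input_chain) -> str:
    """Kernel-style flow: input chain first; locally addressed packets are
    delivered to the box, everything else goes through the forward chain."""
    if input_chain(pkt) != "ACCEPT":
        return "DROPPED_IN_INPUT"
    if ip_address(pkt.dst) in LOCAL_IPS:
        return "DELIVERED_TO_FIREWALL"     # never sees the forward chain
    return "FORWARDED" if forward_chain(pkt) == "ACCEPT" else "DROPPED_IN_FORWARD"


def audit(input_chain) -> dict:
    """Run a few constructed probes against a given input chain and report
    where each packet ends up."""
    probes = {
        "web_to_dmz_host": Packet("203.0.113.10", 80),
        "ssh_to_dmz_host": Packet("203.0.113.10", 22),
        "ssh_to_firewall": Packet("203.0.113.1", 22),   # the overlap case
    }
    return {name: deliver(p, input_chain) for name, p in probes.items()}


if __name__ == "__main__":
    for label, chain in (("naive", naive_input_chain), ("fixed", fixed_input_chain)):
        print(label, audit(chain))
```

With the naive input chain the probe aimed at port 22 on the firewall's external IP is accepted in the input chain purely because 203.0.113.1 falls inside the DMZ network, and since the kernel delivers it locally it never reaches the forward chain at all. The fixed chain sends locally addressed packets through dmz-in first, so the same probe is denied while genuine transit traffic to the DMZ host is still filtered in the forward chain exactly as before.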