Jason Costomiris writes:
> On Sunday, February 2, 2003, at 11:11 PM, Dick St.Peters wrote:
> > Giving a remote site access to the DMZ over the VPN is exactly the
> > example intended.
>
> Ok, if that's the case, what's wrong with RFC 1918 space in the DMZ???
> If this DMZ is only ever accessed over a VPN, using globally routable
> IP space is just plain wasteful.
A DMZ accessed _only_ over a VPN isn't much of a DMZ. The usual purpose for a DMZ is a place to locate bastion hosts that provide public services and run proxies allowing the internal network to access the internet without actually exchanging packets between the internal network and the internet. You want your bastions to be at globally routable IP addresses so the public can reach your public services, and you don't want NAT in the way so you don't restrict your proxying to NAT-tolerant applications. You generally want your internal network to have considerably more open access to your bastions than the internet does so your people can update their areas on the bastions. The point of a VPN is usually to extend the meaning of "internal" to other locations, so you want more open access from the VPN than from the internet.

> You also seem hung up on this notion of a "virtual wire" and how you
> seem to think that IPsec doesn't act like one. As another poster has
> pointed out, an IPsec tunnel meets your definition of a "virtual wire".

From the FreeSWAN FAQ: "IPsec tunnels are not just virtual wires; they are virtual wires with built-in access controls." Quoted from http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/faq.html

(If I had realized I was virtually quoting the FreeSWAN FAQ, I'd have cited it previously. The same sentence is in the older versions that I read long ago.)

Other VPN technologies make tunnels that are virtual wires.

I am an advocate of FreeSWAN for cases where I think IPsec is appropriate. The core difference between us seems to be that you think IPsec is always appropriate, whereas I feel that most of the time its baggage outweighs its advantages. You want people to plan their networks around IPsec's rigidity, whereas I feel there's no reason to put up with that rigidity when you don't have to.
-- 
Dick St.Peters, [EMAIL PROTECTED]

-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
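As an added illustration of the DMZ model described in the reply above (example code, not from the thread or from any poster): a small Python policy check that treats VPN peers as internal, refuses direct internal-to-internet packets, and flags bastions that offer public services from RFC 1918 addresses with no NAT in front. The zones, port sets and host list are constructed assumptions.

```python
import ipaddress

# Constructed access policy modelling the DMZ design described in the reply
# (not from the thread): (source zone, destination zone) -> permitted TCP
# ports, where "*" means any port.
POLICY = {
    ("internet", "dmz"): {25, 80, 443},           # public services on bastions
    ("internal", "dmz"): {22, 25, 80, 443, 873},  # staff maintain the bastions
    ("dmz", "internet"): {"*"},                   # bastion proxies reach out
    ("dmz", "internal"): set(),                   # bastions never initiate inward
}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def effective_zone(zone):
    # The VPN extends "internal" to remote sites, so VPN traffic is internal.
    return "internal" if zone == "vpn" else zone

def allowed(src, dst, port):
    """True if src zone may reach dst zone on port. Internal and internet
    never exchange packets directly; they talk only via a bastion proxy."""
    src, dst = effective_zone(src), effective_zone(dst)
    if {src, dst} == {"internal", "internet"}:
        return False
    ports = POLICY.get((src, dst), set())
    return "*" in ports or port in ports

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def addressing_problems(bastions, nat_in_front=False):
    """Names of bastions that offer public services from RFC 1918 addresses
    with no NAT in front: the public cannot reach them, which is the
    objection to private space in a DMZ that serves more than VPN peers."""
    return [name for name, addr, public_ports in bastions
            if public_ports and is_rfc1918(addr) and not nat_in_front]

if __name__ == "__main__":
    # Constructed sample hosts; 203.0.113.0/24 is documentation address space.
    hosts = [("www", "203.0.113.10", {80, 443}),
             ("mail", "192.168.5.10", {25}),
             ("vpn-files", "192.168.5.20", set())]
    print(addressing_problems(hosts))                                 # ['mail']
    print(allowed("vpn", "dmz", 22), allowed("internet", "dmz", 22))  # True False
```

A host that is reached only by VPN peers (the "vpn-files" case) is not flagged, which is the one situation where private addressing in the DMZ costs nothing.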