I'm currently in a WatchGuard training course. I'm going to get the WCP
certificate.
The trainer told me that the Drop-In configuration (ProxyARP DMZ) is
less secure than the routed DMZ. I didn't say anything and thought, "Uh,
really? Why?"
Good for you!
Is a ProxyARP DMZ less secure than a routed or static NAT DMZ?
Are there even any security-related differences?
She told me that static NAT with a private DMZ is the better solution if
you want to save public IPs. I don't think so.
I think I'd run into problems with special applications/protocols if using
static NAT (passive FTP, PPTP?).
Discussion is open.
All three of the architectures you mention (static NAT, routed, and
proxy-ARP) have the same basic packet flow:
internet
|
Firewall - DMZ net
Or possibly:
internet
|
Firewall - DMZ net
|
Internal net
The only difference between the flavors of DMZ you mention is what IP
addresses and subnet labels get attached to each interface...the security
(or lack thereof) depends entirely on what the firewall is doing with the
packet data.
If you've got a flexible mechanism for building firewall rules, it shouldn't
matter which architecture you pick...you should be able to implement your
desired firewall functionality with any of the DMZ flavors.
NOTE: There are specific things you need to watch for depending on the DMZ
architecture. For instance, the Dachstein firewall rules implement routed,
static-nat, and proxy-arp DMZ rules in the forward chain, so the packets are
blindly accepted in the input chain (to be sorted later). If you're running
static-NAT or proxy-arp, the firewall probably has an IP that overlaps with
the DMZ network, so you've just potentially opened your firewall's external
IP to the world with no filtering! For the curious, that's why the dmz-in
and dmz-spoof ipchains are created in this situation...IPs destined for the
local box are routed back through the input rule chain, while packets truly
destined for the DMZ are accepted in the input chain, then filtered in the
forward chain.
Charles Steinkuehler
[EMAIL PROTECTED]
___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
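The pitfall Charles describes (input chain blindly accepting the whole DMZ block, forward chain doing the real filtering, and the firewall's own external address sitting inside that block) can be reproduced with a small model of ipchains-style chain evaluation. The block below is an added example written for this page; it is not code from the thread and not the Dachstein rule set. The addresses (203.0.113.0/28 as the proxy-ARP DMZ, 203.0.113.1 as the firewall's external IP, 198.51.100.7 as an outside host) and the chain names "dmz-in" and "ext-in" are assumptions chosen for illustration, and the "naive" versus "hardened" chain sets are constructed to show the hole and the fix, not copied from any real configuration.

```python
"""Toy ipchains-style packet filter: input chain, forward chain, user chains.

Constructed example. Addresses and chain names are assumptions, not taken
from the original thread or from the Dachstein rules.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

EXT_IP = ip_address("203.0.113.1")        # firewall's external address (assumed)
DMZ_NET = ip_network("203.0.113.0/28")    # proxy-ARP DMZ block; it contains EXT_IP
LOCAL_IPS = {EXT_IP}                      # addresses that terminate on the firewall


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class Rule:
    dst: IPv4Network        # destination network to match
    dport: Optional[int]    # None matches any port
    target: str             # "ACCEPT", "DENY", or the name of a user chain


Chains = Dict[str, List[Rule]]


def matches(rule: Rule, pkt: Packet) -> bool:
    return pkt.dst in rule.dst and rule.dport in (None, pkt.dport)


def walk(chains: Chains, name: str, pkt: Packet, policy: Optional[str]) -> Optional[str]:
    """Evaluate chain `name`. ACCEPT/DENY terminate; any other target jumps to a
    user chain, which falls back to the caller if none of its rules decided."""
    for rule in chains.get(name, []):
        if not matches(rule, pkt):
            continue
        if rule.target in ("ACCEPT", "DENY"):
            return rule.target
        verdict = walk(chains, rule.target, pkt, None)
        if verdict is not None:
            return verdict
    return policy


def filter_packet(chains: Chains, pkt: Packet) -> str:
    """Inbound handling as in ipchains: the input chain sees every packet, and
    only packets not addressed to the firewall itself reach the forward chain."""
    verdict = walk(chains, "input", pkt, "DENY")
    if verdict != "ACCEPT":
        return verdict
    if pkt.dst in LOCAL_IPS:
        return "ACCEPT"          # delivered locally; forward chain never runs
    return walk(chains, "forward", pkt, "DENY")


def naive_chains() -> Chains:
    """Input blindly accepts the whole DMZ block and relies on forward to filter.
    Because EXT_IP lies inside DMZ_NET, every port on the firewall is exposed."""
    return {
        "input":   [Rule(DMZ_NET, None, "ACCEPT")],
        "forward": [Rule(DMZ_NET, 80, "ACCEPT")],   # only HTTP to DMZ hosts
    }


def hardened_chains() -> Chains:
    """Same forward policy, but input hands DMZ-bound traffic to a dmz-in chain
    that sends the firewall's own address back through real input filtering
    (here: only SSH allowed) before accepting traffic truly bound for the DMZ."""
    fw_host = ip_network(f"{EXT_IP}/32")
    return {
        "input":   [Rule(DMZ_NET, None, "dmz-in")],
        "dmz-in":  [Rule(fw_host, None, "ext-in"),
                    Rule(DMZ_NET, None, "ACCEPT")],
        "ext-in":  [Rule(fw_host, 22, "ACCEPT"),
                    Rule(fw_host, None, "DENY")],
        "forward": [Rule(DMZ_NET, 80, "ACCEPT")],
    }


if __name__ == "__main__":
    outside = ip_address("198.51.100.7")          # assumed external host
    dmz_host = ip_address("203.0.113.5")          # assumed DMZ server
    probes = [Packet(outside, EXT_IP, 23), Packet(outside, EXT_IP, 22),
              Packet(outside, dmz_host, 80), Packet(outside, dmz_host, 23)]
    for label, chains in (("naive", naive_chains()), ("hardened", hardened_chains())):
        for p in probes:
            print(f"{label:8} {p.dst}:{p.dport:<3} -> {filter_packet(chains, p)}")
```

With the naive chains, a telnet probe to the firewall's own external address is accepted by the input chain (it falls inside DMZ_NET) and delivered locally without ever touching the forward chain, which is exactly the unfiltered exposure described above; with the dmz-in style split, the same probe is denied while port 80 to a real DMZ host still passes. A routed DMZ on a separate subnet would not trigger this overlap in the first place, which is the one way the architecture choice does affect the rule set you have to write.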