[TriLUG] [OT] using public IP addresses or private addresses for the DMZ

Brian Daniels bitmage at pobox.com
Fri Jul 8 16:04:33 EDT 2011


On 07/08/2011 04:01 PM, Chris Bullock wrote:
> I spent the day meeting with a security consultant regarding our current
> network.  They kindly reprimanded me for the way I have my DMZ vs what he called
> best practices.  I shouldn't be questioning their opinions since I am probably
> going to pay them to redo my work but I have the following question regarding
> DMZ placement.  I would like the opinion to see what a majority of the people
> think and why.  Here are the 2 options.
>
> I have some public IP addresses provided by my ISPs.  I have let's say 6 servers
> I need on my DMZ.
> Do I:
> 1.  Give the servers Public IP addresses and create a DMZ interface on my
> firewall
> or
> 2.  Put the public IP addresses on my external interface, and put the servers in
> private IP space in a DMZ, off of a DMZ interface on the firewall.
>

I'm using option 2.  I can control what's getting forwarded where, and 
get more use out of each IP address.

--Brian


-- 

And yet less thanks have we than you.  Users scowl at us, and reporters
give us scornful names.  "Geek" I am to one fat man who lives a firewall
away from foes that would steal his identity or lay his little computer
in ruin, if it was not guarded ceaselessly.  Yet we would not have it
otherwise.
                                     ---Aragorn, sysadmin.

Brian Daniels                  bitmage at pobox.com
       http://www.eviloverlord.net
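
An added example, not part of the original message: a small Python sketch of option 2, where the forwarding table is the single place that decides which public address and port reaches which DMZ host. The addresses (documentation ranges), the interface names `wan0`/`dmz0` and the table name are assumptions; the generated nftables rules cover only the WAN-to-DMZ path.

```python
import ipaddress
from collections import namedtuple

# Constructed values: documentation address ranges and hypothetical interface names.
DMZ_NET = ipaddress.ip_network("192.168.50.0/24")
WAN_IF, DMZ_IF = "wan0", "dmz0"

Forward = namedtuple("Forward", "public_ip proto port dmz_ip dmz_port")

FORWARDS = [
    Forward("203.0.113.10", "tcp", 25, "192.168.50.11", 25),    # mail
    Forward("203.0.113.10", "tcp", 80, "192.168.50.12", 80),    # web
    Forward("203.0.113.10", "tcp", 443, "192.168.50.12", 443),  # web (TLS)
    Forward("203.0.113.11", "udp", 53, "192.168.50.13", 53),    # DNS
]

def validate(forwards, dmz_net=DMZ_NET):
    """Return a list of problems; an empty list means the table is consistent."""
    problems, seen = [], {}
    for f in forwards:
        key = (f.public_ip, f.proto, f.port)
        if key in seen:
            problems.append(f"{key} is already forwarded to {seen[key]}")
        seen.setdefault(key, f.dmz_ip)
        if ipaddress.ip_address(f.dmz_ip) not in dmz_net:
            problems.append(f"{f.dmz_ip} is outside the DMZ subnet {dmz_net}")
    return problems

def render_nft(forwards):
    """Build an nftables ruleset: DNAT at the external interface, default-drop forwarding."""
    problems = validate(forwards)
    if problems:
        raise ValueError("; ".join(problems))
    dnat = [f'    iifname "{WAN_IF}" ip daddr {f.public_ip} {f.proto} dport {f.port} '
            f'dnat to {f.dmz_ip}:{f.dmz_port}' for f in forwards]
    allow = [f'    iifname "{WAN_IF}" oifname "{DMZ_IF}" ip daddr {f.dmz_ip} '
             f'{f.proto} dport {f.dmz_port} ct state new accept' for f in forwards]
    return "\n".join(
        ["table ip dmz {", "  chain prerouting {",
         "    type nat hook prerouting priority -100; policy accept;", *dnat, "  }",
         "  chain forward {", "    type filter hook forward priority 0; policy drop;",
         "    # LAN and outbound DMZ rules are not shown",
         "    ct state established,related accept", *allow, "  }", "}"])

if __name__ == "__main__":
    print(render_nft(FORWARDS))
    print(f"# {len(FORWARDS)} forwards on {len({f.public_ip for f in FORWARDS})} public addresses")
```

Anything not listed in the table never reaches the DMZ, and a second service claiming an already-used public address and port is rejected before any rule is generated.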


