[TriLUG] [OT] using public IP addresses or private addresses for the DMZ

Joseph Mack NA3T jmack at wm7d.net
Fri Jul 8 16:11:50 EDT 2011


On Fri, 8 Jul 2011, Chris Bullock wrote:

> I spent the day meeting with a security consultant regarding our current
> network.  They kindly reprimanded me for the way I have my DMZ vs what he called
> best practices.  I shouldn't be questioning their opinions since I am probably
> going to pay them to redo my work but I have the following question regarding
> DMZ placement.  I would like the opinion to see what a majority of the people
> think and why.  Here are the 2 options.
>
> I have some public IP addresses provided by my ISPs.  I have let's say 6 servers
> I need on my DMZ.
> Do I:
> 1.  Give the servers Public IP addresses and create a DMZ interface on my
> firewall
> or
> 2.  put the public IP addresses on my external interface, and put the servers in
> private IP space in a DMZ, off of a DMZ interface on the firewall.

Well, probably neither, but #2 is closer. Do you understand this?

http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.LVS-DR.html#Pearthree

Look at the two-network LVS-DR

http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.LVS-DR.html#lvs_dr_example

The RIPs should be private and routing should take advantage 
of packets only going in one direction.

Joe

-- 
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!


