[TriLUG] [OT] using public IP addresses or private addresses for the DMZ
Joseph Mack NA3T
jmack at wm7d.net
Fri Jul 8 16:11:50 EDT 2011
On Fri, 8 Jul 2011, Chris Bullock wrote:
> I spent the day meeting with a security consultant regarding our current
> network. They kindly reprimanded me for the way I have my DMZ vs what he called
> best practices. I shouldn't be questioning their opinions since I am probably
> going to pay them to redo my work but I have the following question regarding
> DMZ placement. I would like the opinion to see what a majority of the people
> think and why. Here are the 2 options.
>
> I have some public IP addresses provided by my ISPs. I have, let's say, 6 servers
> I need on my DMZ.
> Do I:
> 1. Give the servers Public IP addresses and create a DMZ interface on my
> firewall
> or
> 2. Put the public IP addresses on my external interface, and put the servers in
> private IP space in a DMZ, off of a DMZ interface on the firewall.

Well, probably neither, but #2 is closer. Do you understand this?
http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.LVS-DR.html#Pearthree

Look at the two-network LVS-DR:
http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.LVS-DR.html#lvs_dr_example

The RIPs should be private and routing should take advantage
of packets only going in one direction.

Joe
--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!