[TriLUG] [OT] using public IP addresses or private addresses for the DMZ
bitmage at pobox.com
Fri Jul 8 16:04:33 EDT 2011
On 07/08/2011 04:01 PM, Chris Bullock wrote:
> I spent the day meeting with a security consultant regarding our current
> network. They kindly reprimanded me for the way I have my DMZ vs what he called
> best practices. I shouldn't be questioning their opinions since I am probably
> going to pay them to redo my work but I have the following question regarding
> DMZ placement. I would like the opinion to see what a majority of the people
> think and why. Here are the 2 options.
> I have some public IP addresses provided by my ISPs. I have let's say 6 servers
> I need on my DMZ.
> Do I:
> 1. Give the servers Public IP addresses and create a DMZ interface on my
> 2. Put the public IP addresses on my external interface, and put the servers in
> private IP space in a DMZ, off of a DMZ interface on the firewall.
I'm using option 2. I can control what's getting forwarded where, and
get more use out of each IP address.
And yet less thanks have we than you. Users scowl at us, and reporters
give us scornful names. "Geek" I am to one fat man who lives a firewall
away from foes that would steal his identity or lay his little computer
in ruin, if it was not guarded ceaselessly. Yet we would not have it
Brian Daniels bitmage at pobox.com