[TriLUG] [OT] using public IP addresses or private addresses for the DMZ

Eric Christensen eric at christensenplace.us
Mon Jul 11 09:25:29 EDT 2011


On Sun, Jul 10, 2011 at 21:09, Aaron Joyner <aaron at joyner.ws> wrote:
> In my humble and probably flawed opinion, it mostly comes down to what
> packets reach the machine you're trying to protect.

Exactly, which is why I'll point out that IPv6 addressing will
generally not use NAT (hence, having publicly addressable addresses).
Using private IPs behind the NAT means that you are using the NAT as a
firewall.  That's not a problem, really.  If you use public IPs you
still need to use a firewall and not use the NAT.  Setting up your DMZ
without NAT will probably be better/simpler and help you get ready for
IPv6 and as long as you are using a stateful firewall then you
shouldn't have any problems.

Taking from a discussion about VLANs, don't think of NAT as a security
feature but more as an IP management system with security
side-effects.

--Eric
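
The setup discussed above (public addresses in the DMZ, a stateful firewall, no NAT), sketched as an nftables ruleset. This is an added example, not part of the original post; the interface names, the addresses (documentation ranges) and the allowed ports are assumptions.

```nftables
#!/usr/sbin/nft -f
# Constructed example: routed DMZ with public addresses and no NAT table.
# Interface names, addresses and ports below are assumptions.

flush ruleset

define wan_if   = "eth0"
define dmz_if   = "eth1"
define lan_if   = "eth2"
define dmz_web4 = 203.0.113.10        # RFC 5737 documentation range
define dmz_web6 = 2001:db8:0:1::10    # RFC 3849 documentation range

table inet filter {
    chain forward {
        # Default deny: with no NAT in the path, this policy is what
        # decides which packets reach the DMZ hosts.
        type filter hook forward priority 0; policy drop;

        # Stateful core: allow replies to flows that were permitted to
        # start, plus related ICMP/ICMPv6 errors (e.g. packet-too-big).
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the published services, same policy for
        # IPv4 and IPv6 because neither family is translated.
        iifname $wan_if oifname $dmz_if ip  daddr $dmz_web4 tcp dport { 80, 443 } ct state new accept
        iifname $wan_if oifname $dmz_if ip6 daddr $dmz_web6 tcp dport { 80, 443 } ct state new accept

        # LAN -> Internet and LAN -> DMZ: new connections allowed.
        iifname $lan_if oifname { $wan_if, $dmz_if } ct state new accept

        # DMZ -> Internet: limited outbound (DNS and HTTP/HTTPS).
        iifname $dmz_if oifname $wan_if udp dport 53 ct state new accept
        iifname $dmz_if oifname $wan_if tcp dport { 53, 80, 443 } ct state new accept

        # DMZ -> LAN: no rule, so new connections hit the drop policy.
        limit rate 10/minute log prefix "fwd-drop "
    }
}
```

The ruleset covers forwarded traffic only; traffic addressed to the firewall itself would need its own input chain.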


