Ron Shannon
2002-06-07 21:02:22 UTC
In a previous thread, Tom listed advantages (reproduced below) of Proxy
ARP over NAT. They are great reasons, but I have one reservation. By
using private addresses with NAT for servers in my DMZ, I can granularly
allow specific traffic, such as to/from the SMTP gateway/relay in the
DMZ, to connect inbound from the DMZ to an internal (LOC) mail server,
and know that it comes only from a non-routable private address. I get
this warm feeling knowing that only a non-routable private address from
the DMZ is allowed on those one or two inbound connections, as opposed
to a public address deployed via Proxy ARP.
Granted, anti-spoofing, etc., on the NET interface should help protect
from attackers using my own public IPs as their source address, but I
feel more secure knowing the connections I'm letting into the internal
LAN from the DMZ have the add'l. restriction of being private IPs only,
therefore even less likely to sneak through the NET interface. Am I
correct that this might be a valid, even if not completely persuasive,
reason for using NAT in the DMZ instead of Proxy ARP, and/or has my
architectural paranoia truly gone over the edge? :-)
Ron
-----------------------------------------------
[Proxy ARP advantages, from shorewall-users, 2/14/02
thread title: "Shorewall Newbie: DMZ and VPN"]
A) Servers are known by exactly 1 IP address.
- You don't need different Bind 9 DNS views for DMZ and for other
users; or
- You avoid kludges whereby intra-DMZ traffic has to be routed
through a firewall just to do NAT (I gag every time I see people doing
that).
- You avoid self-identity problems with your servers (server doesn't
know its FQDN or knows the wrong one).
B) You avoid problems with applications that don't deal well with NAT.
------------------------------------------------
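The two layouts Ron is weighing, written out as Shorewall 1.x configuration so the difference is visible in the rules themselves. This is an added example, not part of the thread and not Shorewall's shipped sample configuration; every address in it is constructed (203.0.113.0/24 stands in for the site's public block, 10.0.0.0/24 for the DMZ, 192.168.1.0/24 for the internal LAN), and the interface names and the host at 192.168.1.10 are assumptions.

```text
# Added example (not from the thread): the same DMZ SMTP relay deployed
# with one-to-one NAT (layout 1) and with Proxy ARP (layout 2).
# Addresses are constructed; eth0/eth1/eth2 and 192.168.1.10 are assumed.
#
# --- common to both layouts ---------------------------------------------
#
# /etc/shorewall/zones
#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Internal LAN
dmz     DMZ       Public servers

# /etc/shorewall/interfaces
# Anti-spoofing is applied here, on the NET interface:
#   norfc1918   - drop packets arriving on eth0 with an RFC 1918 source
#   routefilter - enable rp_filter on eth0, so a packet whose source
#                 address would be routed out eth1 or eth2 is dropped
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      norfc1918,routefilter
loc     eth1        detect
dmz     eth2        detect

# /etc/shorewall/policy
# Deny by default; the rules files below open only what is needed.
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
net       all    DROP     info
dmz       all    DROP     info
all       all    REJECT   info

# --- layout 1: private DMZ address behind one-to-one NAT ----------------
#
# /etc/shorewall/nat
#EXTERNAL        INTERFACE   INTERNAL    ALL INTERFACES   LOCAL
203.0.113.25     eth0        10.0.0.25   No               No

# /etc/shorewall/rules (layout 1)
# NAT is applied before filtering, so rules refer to the private address.
# Inbound SMTP to the relay, relay to the internal mail server, and
# relay delivering outbound mail.
#ACTION   SOURCE           DEST                PROTO   DEST PORT(S)
ACCEPT    net              dmz:10.0.0.25       tcp     25
ACCEPT    dmz:10.0.0.25    loc:192.168.1.10    tcp     25
ACCEPT    dmz:10.0.0.25    net                 tcp     25

# --- layout 2: public DMZ address via Proxy ARP -------------------------
#
# /etc/shorewall/proxyarp
#ADDRESS        INTERFACE   EXTERNAL   HAVEROUTE
203.0.113.25    eth2        eth0       No

# /etc/shorewall/rules (layout 2)
# Same three holes, but the relay is addressed by its public IP in the
# dmz->loc rule; routefilter on eth0 is what rejects a packet arriving
# from the Internet that claims 203.0.113.25 as its source.
#ACTION   SOURCE              DEST                PROTO   DEST PORT(S)
ACCEPT    net                 dmz:203.0.113.25    tcp     25
ACCEPT    dmz:203.0.113.25    loc:192.168.1.10    tcp     25
ACCEPT    dmz:203.0.113.25    net                 tcp     25
```

One point worth checking when comparing the two: Shorewall derives a packet's source zone from the interface it arrives on, so a packet entering on eth0 is evaluated against the net->loc policy and rules whatever source address it carries, and never reaches the dmz->loc rule at all. The address qualifier on the dmz->loc rule is therefore a second layer on top of zone assignment, and norfc1918/routefilter on eth0 a third; in layout 1 the private source address is rejected by both of the outer layers, in layout 2 only by routefilter. That is the extra margin the private address buys, and the zone assignment is what carries most of the weight in either layout.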