In a previous thread, Tom listed advantages (reproduced below) of Proxy ARP over NAT. They are great reasons, but I have one reservation. By using private addresses with NAT for servers in my DMZ, I can granularly allow specific traffic, such as to/from the SMTP gateway/relay in the DMZ, to connect inbound from the DMZ to an internal (LOC) mail server, and know that it comes only from a non-routable private address. I get this warm feeling knowing that only a non-routable private address from the DMZ is allowed on those one or two inbound connections, as opposed to a public address deployed via Proxy ARP.

Granted, anti-spoofing, etc., on the NET interface should help protect from attackers using my own public IP's as their source address, but I feel more secure knowing the connections I'm letting into the internal LAN from the DMZ have the add'l. restriction of being private IP's only, therefore even less likely to sneak through the NET interface. Am I correct that this might be a valid, even if not completely persuasive, reason for using NAT in the DMZ instead of Proxy ARP, and/or has my architectural paranoia truly gone over the edge? :-)

Ron

-----------------------------------------------
[Proxy ARP advantages, from shorewall-users, 2/14/02 thread title: "Shorewall Newbie: DMZ and VPN"]

A) Servers are known by exactly 1 IP address.
   - You don't need different Bind 9 DNS views for DMZ and for other users; or
   - You avoid kludges whereby intra-DMZ traffic has to be routed through a firewall just to do NAT (I gag every time I see people doing that).
   - You avoid self-identity problems with your servers (server doesn't know its FQDN or knows the wrong one).

B) You avoid problems with applications that don't deal well with NAT.
------------------------------------------------
On Fri, 7 Jun 2002, Ron Shannon wrote:

> In a previous thread, Tom listed advantages (reproduced below) of Proxy
> ARP over NAT. They are great reasons, but I have one reservation. By
> using private addresses with NAT for servers in my DMZ, I can granularly
> allow specific traffic, such as to/from the SMTP gateway/relay in the
> DMZ, to connect inbound from the DMZ to an internal (LOC) mail server,
> and know that it comes only from a non-routable private address. I get
> this warm feeling knowing that only a non-routable private address from
> the DMZ is allowed on those one or two inbound connections, as opposed
> to a public address deployed via Proxy ARP.
>
> Granted, anti-spoofing, etc., on the NET interface should help protect
> from attackers using my own public IP's as their source address, but I
> feel more secure knowing the connections I'm letting into the internal
> LAN from the DMZ have the add'l. restriction of being private IP's only,
> therefore even less likely to sneak through the NET interface. Am I
> correct that this might be a valid, even if not completely persuasive,
> reason for using NAT in the DMZ instead of Proxy ARP, and/or has my
> architectural paranoia truly gone over the edge? :-)
>

Your paranoia might have been justified under ipchains but not under iptables. In Shorewall, the traffic source and destination are identified by both interface and IP address rather than by IP address alone. Take a look at the structure of the Shorewall ruleset to see what I mean -- if you have a three-interface setup with zones net, dmz and loc, the only traffic going through the "dmz2loc" chain is traffic that comes into the firewall from the dmz interface and goes out of the firewall via the loc interface.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
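The interface-pair dispatch Tom describes, as an added example that is not Shorewall's own code: a small Python model of a FORWARD chain that selects the zone-pair chain from the input and output interface, so a packet carrying a DMZ server's address but arriving on the net interface never reaches dmz2loc. Interface names, zone assignments and addresses are assumptions for illustration.

```python
from dataclasses import dataclass

# Assumed three-interface layout: eth0 = net, eth1 = loc, eth2 = dmz.
ZONE_OF_IFACE = {"eth0": "net", "eth1": "loc", "eth2": "dmz"}


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on
    out_iface: str  # interface the routing decision selected
    src: str
    dst: str
    dport: int


def forward_chain(pkt: Packet) -> str:
    """Name the zone-pair chain a forwarded packet is dispatched to.

    Dispatch keys on the interface pair, never on the source address:
    a packet claiming a DMZ address but arriving on eth0 lands in
    net2loc, not dmz2loc.
    """
    return f"{ZONE_OF_IFACE[pkt.in_iface]}2{ZONE_OF_IFACE[pkt.out_iface]}"


# Constructed dmz2loc policy: only the DMZ mail relay (a public,
# Proxy-ARP style address from the documentation range) may reach the
# internal mail server on port 25; everything else in the chain is dropped.
DMZ2LOC_ACCEPT = {("203.0.113.25", "192.168.1.10", 25)}


def verdict(pkt: Packet) -> str:
    """Apply the per-chain rules and return ACCEPT or DROP."""
    chain = forward_chain(pkt)
    if chain == "dmz2loc":
        if (pkt.src, pkt.dst, pkt.dport) in DMZ2LOC_ACCEPT:
            return "ACCEPT"
        return "DROP"
    # net2loc and every other pair: no inbound rules, default DROP.
    return "DROP"


if __name__ == "__main__":
    relay = Packet("eth2", "eth1", "203.0.113.25", "192.168.1.10", 25)
    spoof = Packet("eth0", "eth1", "203.0.113.25", "192.168.1.10", 25)
    print(forward_chain(relay), verdict(relay))  # dmz2loc ACCEPT
    print(forward_chain(spoof), verdict(spoof))  # net2loc DROP
```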
Tom wrote:

> Your paranoia might have been justified under ipchains but not under
> iptables. In Shorewall, the traffic source and destination
> are identified
> by both interface and ip address rather than by ip address
> alone. Take a
> look at the structure of the Shorewall ruleset to see what I
> mean -- if
> you have a three-interface setup with zones net, dmz and
> loc the only
> traffic going through the "dmz2loc" chain is traffic that
> come into the
> firewall from the dmz interface and that goes out of the
> firewall via the
> loc interface.

Ah, yes. Thanks for setting me straight(er), which is great because I'm really eager to take advantage of all those Proxy ARP advantages. :-)
Ron Shannon wrote:

> ...
> Ah, yes. Thanks for setting me straight(er), which is great
> because I'm really eager to take advantage of all those Proxy
> ARP advantages. :-)

Here's a very good reason for using NAT for your DMZ server(s): You only have 1 external IP address. :-)

Paul
http://paulgear.webhop.net
On Sat, 8 Jun 2002, Paul Gear wrote:

>
> Here's a very good reason for using NAT for your DMZ server(s): You only
> have 1 external IP address. :-)
>

Well yes, there is that problem :-)

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net