[isalist] Re: DMZ Route vs NAT

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 31 Dec 2009 10:39:38 -0800

You know I did that just for you. I print them all in color on glossy paper and 
then burn them on the beach :D



On Dec 31, 2009, at 10:16 AM, "Thomas W Shinder" 
<tshinder@xxxxxxxxxxx<mailto:tshinder@xxxxxxxxxxx>> wrote:

Oh BTW – RE:  your Carbon footprint. Get off the Al Gore cash train (unless 
you’re getting some kickbacks, then that’s cool)

I printed this email 500 times. Now I have to go to the store and buy another 
ream.
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Thursday, December 31, 2009 11:59 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] DMZ Route vs NAT

So, Steve and I were discussing network topologies the other day as we often 
do, and we were talking about the network relationship between the internal 
network and one’s DMZ perimeter in regard to “best practices” and security.

I always like to set up a NAT relationship from the internal network to the DMZ 
perimeter and set publishing rules from the DMZ to internal if necessary, i.e. 
SMTP publishing.  I’ll publish SMTP from the Internet to the DMZ edge, process 
mail, and then publish from the DMZ to the Internal Exchange box.

However, I think most people use a “route” for ease of management.  A route 
would be less secure since any compromise of a DMZ asset would result in any 
access rules automatically allowing access into the internal network.  
Typically, a published service would have an application layer filter applied 
which would mitigate the leverage one could apply to such a compromise.

What are the group's thoughts on this?  NAT is more difficult to manage given the 
“directional” aspects of the relationship as well as the added overhead of 
publishing anything where the DMZ unit must initiate connections to the 
internal network.

I just wondered what the rest of you guys/gals did.

T

____________________
Thor
thor@xxxxxxxxxxxxxxx
www.hammerofgod.com

Think Carbon Footprint.  Like mine on your ass if you print 
this you wasteful bastard!
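An added audit example (not from the thread, nor from ISA Server itself) that models the point of the post above: given a constructed firewall policy, list the rules that let a DMZ-initiated connection reach the internal network and flag any that are wider than a filtered, single-host publishing rule. The address ranges, rule names and the Rule fields are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str          # source in CIDR form; a /32 is a single host
    dst: str          # destination in CIDR form; a /32 is a single published host
    proto: str        # "tcp/25", "tcp/443", ... or "any"
    app_filter: bool  # application-layer filter (e.g. SMTP filter) applied


# Assumed address plan for the constructed example.
INTERNAL = ip_network("10.0.1.0/24")
DMZ = ip_network("10.0.5.0/24")

# Constructed sample policy: a routed DMZ with one broad access rule back into
# the internal network, plus the narrowly published SMTP path the post describes.
SAMPLE_POLICY = [
    Rule("Internal to DMZ", "10.0.1.0/24", "10.0.5.0/24", "any", False),
    Rule("DMZ to Internal (route, for convenience)",
         "10.0.5.0/24", "10.0.1.0/24", "any", False),
    Rule("Publish SMTP to Exchange", "10.0.5.10/32", "10.0.1.25/32", "tcp/25", True),
]


def dmz_to_internal(policy):
    """Rules that allow a connection initiated from the DMZ to reach Internal."""
    return [r for r in policy
            if ip_network(r.src).subnet_of(DMZ)
            and ip_network(r.dst).overlaps(INTERNAL)]


def is_narrow(rule):
    """Publishing-style rule: one destination host, one protocol, app filter on."""
    return (ip_network(rule.dst).num_addresses == 1
            and rule.proto != "any"
            and rule.app_filter)


def audit(policy):
    """Names of DMZ->Internal rules that would hand a compromised DMZ host
    broad access, i.e. anything wider than a filtered single-host publish."""
    return [r.name for r in dmz_to_internal(policy) if not is_narrow(r)]


if __name__ == "__main__":
    for name in audit(SAMPLE_POLICY):
        print("broad DMZ->Internal rule:", name)
```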



