[Gllug] Basic Firewall Policy

Mark Preston mark at markpreston.co.uk
Sat Feb 14 14:48:54 UTC 2004


Wayne Clancy wrote

>What's wrong with NAT and port forwarding required services?

>You could always take a look at IPcop firewall/router/VPN 
>(http://www.ipcop.com) and run a gateway on a old machine. IPcop is 
>perfect with 1 IP and a free USB ADSL router 

This might be easier to set up but it might not be as secure. If you are 100% confident in your port forwarding and 
intrusion detection systems then it could be considered secure. With four static IP addresses, as I understand it, you have the ability to route all your 
external traffic to your DMZ, with no possibility that this can be routed to your internal network. I must add that I'm no security expert.

If you go to the Plusnet site (my current ISP)

http://www.plus.net/info2/business/bus_broadband_adsloffice500_selfinstall.html

you will see at the bottom of the page a table that gives the differences between NAT and no-NAT.
This is what it says about NAT:

    Single static IP address, for connecting a single PC or Local Area Network

    With NAT (Network Address Translation), you are provided with a single
    static IP address that your router (or other connection equipment) will
    use to connect to the Internet. You can still connect your private
    network to the Internet with NAT, by assigning an IP address to each
    machine from one of these ranges:

    10.0.0.0 -> 10.254.254.254
    172.16.0.0 -> 172.31.254.254
    192.168.0.0 -> 192.168.254.254

    Since only one globally available address is used, the networked
    machines cannot be seen by the outside world, and so NAT products are
    not suitable for running servers.

Why would they write the last line?

This is what it says about no-NAT:

    Multiple static IP addresses, for server hosting or SMTP mail

    No-NAT products come complete with a range of IP addresses (a subnet),
    making them suitable for connecting Local Area Networks to the
    Internet. Each address can be seen globally, making it ideal for running
    mail servers, etc, on the Internet.

    You should be aware, however, that running Web servers that can expect
    high levels of traffic is not recommended due to the asymmetric nature
    of ADSL (i.e. it is faster downstream than upstream).

Regards,
Mark Preston


-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
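One way to express the routed-DMZ policy Mark describes (Internet traffic only ever reaches the DMZ, and nothing crosses from the DMZ into the internal network), as an added iptables example that is not part of this post or thread; the interface names, the DMZ host addresses and the published ports are assumptions:

```shell
#!/bin/sh
# Added example (not from the original post): prints an iptables ruleset for a
# three-interface gateway on a routed (no-NAT) static block. Interface names,
# DMZ host addresses and published ports are assumptions.
# Usage: sh dmz-policy.sh eth0 eth1 eth2 | sh      (EXT DMZ LAN)

firewall_rules() {
    EXT="$1"   # interface facing the ADSL router / Internet
    DMZ="$2"   # interface holding the public subnet where the servers live
    LAN="$3"   # interface for the private office network
    DMZ_MAIL="203.0.113.10"   # constructed documentation addresses (RFC 5737)
    DMZ_WEB="203.0.113.11"

    cat <<EOF
iptables -F FORWARD
iptables -P FORWARD DROP
# Replies to connections that were allowed in the first place.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Internet -> DMZ: only the services actually published, per host.
iptables -A FORWARD -i $EXT -o $DMZ -p tcp -d $DMZ_MAIL --dport 25 -j ACCEPT
iptables -A FORWARD -i $EXT -o $DMZ -p tcp -d $DMZ_WEB -m multiport --dports 80,443 -j ACCEPT
# Internal network may reach the Internet and the DMZ servers.
iptables -A FORWARD -i $LAN -o $EXT -j ACCEPT
iptables -A FORWARD -i $LAN -o $DMZ -j ACCEPT
# DMZ must never initiate traffic into the internal network: log, then drop.
iptables -A FORWARD -i $DMZ -o $LAN -j LOG --log-prefix "DMZ->LAN blocked: "
iptables -A FORWARD -i $DMZ -o $LAN -j DROP
# Nothing from the Internet is forwarded to the internal network at all.
iptables -A FORWARD -i $EXT -o $LAN -j DROP
EOF
}

# Sanity check on a generated ruleset: the DMZ->LAN and EXT->LAN drops must be
# present, and no rule may forward Internet traffic straight into the LAN.
policy_isolates_lan() {
    rules="$(firewall_rules "$1" "$2" "$3")"
    echo "$rules" | grep -q -- "-i $2 -o $3 -j DROP" || return 1
    echo "$rules" | grep -q -- "-i $1 -o $3 -j DROP" || return 1
    echo "$rules" | grep -q -- "-i $1 -o $3 -j ACCEPT" && return 1
    return 0
}

if [ $# -eq 3 ]; then
    firewall_rules "$@"
fi
```

The DMZ hosts carry public addresses, so no DNAT is needed; the ESTABLISHED,RELATED rule sits above the DMZ->LAN drop so that replies to LAN-initiated connections still get back.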