Re: PIX network config advice

fargle@xxxxxxxxx wrote:
It's really up to you - but quite a few people believe that using
non-routable addresses on the DMZ can increase security by making it
harder for some exploits to work, as they don't know what addresses the
servers are really at once the code hits the box.

Given that the PIX, by default, wants to NAT between interfaces and you
have to explicitly tell it not to, I've always used non-routables on
the DMZ, and it works well. Personally, I would recommend it. But if
there's going to be a large amount of effort associated with re-IPing
the DMZ servers, it may not be worth the effort.

Thanks for the advice. Like I mentioned, all my servers are configured from a DHCP entry, so it's simply a matter of assigning the new non-routables from there and then adding the map to the public IP on the PIX. I'll certainly test it in my lab; I think I'll go with it - any extra security is a good thing :D

Jon.
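As an added illustration (not from the original thread or either poster), here is what the arrangement described above looks like in PIX 6.x syntax: a DMZ on an RFC 1918 subnet, a one-to-one static from the server's private address to its public address, and an identity static as the explicit "do not NAT" for the inside-to-DMZ path. Interface names, the ACL name and all addresses (the 203.0.113.0/24 documentation range, 192.168.10.0/24, 10.0.0.0/24) are assumed placeholders; comment lines use the PIX's ':' marker.

```cisco
: Constructed example (not the original poster's config). PIX 6.x syntax;
: interface names, ACL name and addresses are assumed placeholders.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.1 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0
:
: Inside hosts reach the Internet through PAT on the outside address.
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface
:
: The web server sits at the non-routable 192.168.10.10 on the DMZ; map it
: one-to-one to the public 203.0.113.10 so it is reachable from outside.
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255
:
: The PIX would also translate inside -> dmz by default; an identity static
: is the explicit "do not NAT" for that path.
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
:
: Permit only the published services inbound. On a 6.x PIX the ACL
: refers to the public (translated) address, not the DMZ address.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq https
access-group outside_in in interface outside
```

After applying it, `show xlate` should show the 192.168.10.10 to 203.0.113.10 translation, and `show access-list outside_in` lets you confirm hit counts are only on the ports you intended to expose.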