On Mon 13/01/2003 at 15:28, Mike wrote:
> Hey guys, I'm deciding how I want to implement a DMZ for my company. Can anyone
> tell me the pros and cons of my DMZs below? Should I go with routable
> hosts in my DMZ and just filter out any port I don't want open, or just port
> forward over certain ports and use IP alias?

The resulting architecture will provide the same result. Forwarding a port to an IP or opening one to it is mainly the same in terms of security.

What changes between the two architectures is the fact that you do not have to split your public address pool when you do NAT. So it can save addresses if you're short, because all used public IPs will be aliased on your firewall and simply NATed to a private-address DMZ.

By the way, your filtering policy must not depend on the architecture you'll choose. NAT does not constitute a security mechanism in your case, so you have to consider it just as a trick, not a security feature.

-- 
Cédric Blancher <blancher@cartel-securite.fr>
Systems and network security consultant - Cartel Sécurité
Tel: +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
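As an added illustration of the reply's point (example code, not from the thread or its authors): a small model of the two DMZ designs Mike asks about, a routable DMZ and an aliased-plus-NATed DMZ, showing that when the same filter policy is applied, both expose exactly the same services, and that NAT on its own lets every port through. All addresses, host names and ports are constructed sample values.

```python
from typing import Callable, Optional

# Filter policy shared by both designs: (proto, port) allowed per DMZ host.
POLICY = {"www": {("tcp", 80), ("tcp", 443)}, "mail": {("tcp", 25)}}

# Design A: routable DMZ, each host owns a public address (constructed values).
ROUTABLE = {"203.0.113.10": "www", "203.0.113.11": "mail"}

# Design B: public addresses aliased on the firewall and 1:1 NATed to private
# DMZ addresses (constructed values); port selection is done by the filter.
NAT_1TO1 = {"203.0.113.10": ("www", "10.0.1.10"),
            "203.0.113.11": ("mail", "10.0.1.11")}

def decide_routable(dst_ip: str, proto: str, port: int) -> Optional[str]:
    """Design A: no translation, the filter alone decides what gets through."""
    host = ROUTABLE.get(dst_ip)
    return host if host and (proto, port) in POLICY[host] else None

def decide_nat(dst_ip: str, proto: str, port: int,
               filtered: bool = True) -> Optional[str]:
    """Design B: DNAT rewrites the destination, then the same policy is applied
    to the translated packet. With filtered=False the packet is only NATed,
    which shows that translation by itself blocks nothing."""
    if dst_ip not in NAT_1TO1:
        return None
    host, _private_ip = NAT_1TO1[dst_ip]
    if not filtered:
        return host
    return host if (proto, port) in POLICY[host] else None

def exposure(decide: Callable[..., Optional[str]], ports=range(1, 1024)) -> set:
    """Probe every public address on every port; return (ip, port, host) reached."""
    reached = set()
    for ip in ("203.0.113.10", "203.0.113.11"):
        for p in ports:
            host = decide(ip, "tcp", p)
            if host:
                reached.add((ip, p, host))
    return reached

def same_exposure() -> bool:
    """The check to run on a real ruleset: both designs expose exactly the policy."""
    return exposure(decide_routable) == exposure(decide_nat)

def nat_only_exposure_count() -> int:
    """Number of (ip, port) pairs that reach a host when NAT is relied on alone."""
    return len(exposure(lambda ip, pr, po: decide_nat(ip, pr, po, filtered=False)))
```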