[Dshield] Architecture approach

mlinfosec@comcast.net mlinfosec at comcast.net
Thu Aug 11 17:56:33 GMT 2005


Folks, 
I had a quick question regarding public web routing/ip architecture.  Is there any advantage to using private addressing on the outside of the firewall that is protecting you web server.  Someone mentioned that then the firewall cannot be pinged, etc. (You can write rules to stop that).  I like to use public addresses on that segment, in case I need to test things that need a publically routeable address. I was always under the impression you used NATing to *hide* the address of the webserver. What is "best practice"?  I am assuming that your web servers would then need to have public addressing and static routes in the external router to your firewall, which would also have a route to the public IP address (of your web server). 
Which brings me to my next point.  I am planning on using F5 Big IP 1500s to load balance my web traffic.  I want to terminate the SSL sessions on the 1500.  Do they have to have public IPs to work?  I also understand I may need to use 1 cert for each web server behind the F5s.  Can anyone confirm?
Any help is appreciated in advance.
-ml


More information about the list mailing list