[Dshield] Architecture approach
aaron at adldatacomm.net
Fri Aug 12 01:56:41 GMT 2005
I'm certainly not top dog on this list, however I will say that the reason
for NATing is to conserve IPv4 space. Contrary to many people's belief,
NATing doesn't 'hide' anything. In my personal opinion NATing a web server
or any public server for that matter is a waste of time and resources.
Packet filtering in front of a server is obviously useful. NATing also
creates overhead that you DON'T want on a web server.
As far as pinging a firewall just deny ICMP, which is common practice
anyway. You may want to take a peek at
http://www.adldatacomm.net/icmp.html
How would a private IP address work on the outside of the firewall? Where is
it going to route to?
As I said I'm certainly not top dog here but that's the way I see it. I'm
not familiar with the Big IP product so I can't comment on that.
> -----Original Message-----
> From: list-bounces at lists.dshield.org
> [mailto:list-bounces at lists.dshield.org]On Behalf Of
> mlinfosec at comcast.net
> Sent: Thursday, August 11, 2005 1:57 PM
> To: General DShield Discussion List
> Subject: [Dshield] Architecture approach
> I had a quick question regarding public web routing/ip
> architecture. Is there any advantage to using private
> addressing on the outside of the firewall that is protecting
> your web server. Someone mentioned that then the firewall
> cannot be pinged, etc. (You can write rules to stop that). I
> like to use public addresses on that segment, in case I need
> to test things that need a publicly routable address. I
> was always under the impression you used NATing to *hide* the
> address of the webserver. What is "best practice"? I am
> assuming that your web servers would then need to have public
> addressing and static routes in the external router to your
> firewall, which would also have a route to the public IP
> address (of your web server).
> Which brings me to my next point. I am planning on using F5
> Big IP 1500s to load balance my web traffic. I want to
> terminate the SSL sessions on the 1500. Do they have to have
> public IPs to work? I also understand I may need to use 1
> cert for each web server behind the F5s. Can anyone confirm?
> Any help is appreciated in advance.
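Aaron's reply argues for a public-addressed DMZ with plain packet filtering in front of the web server (no NAT) and for refusing pings to the firewall. The ruleset below is an added illustration of that layout written by the editor; it is not code from either poster and has nothing to do with the F5 product. Interfaces (eth0/eth1), the TEST-NET address ranges and the web server address 203.0.113.10 are constructed placeholders. It also keeps the ICMP error types that path-MTU discovery depends on, which a blanket "deny ICMP" would break.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread. Topology assumed:
#   external router --(198.51.100.0/24)-- firewall --(203.0.113.0/24 DMZ)-- web server
# The external router holds a static route for 203.0.113.0/24 via the
# firewall's outside address; the web server keeps its public address
# 203.0.113.10 and is never NATed. All addresses are constructed placeholders.

define WAN = eth0
define DMZ = eth1
define WEB = 203.0.113.10
define DMZNET = 203.0.113.0/24

table inet filter {
    chain input {
        # Packets addressed to the firewall itself.
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # The "firewall cannot be pinged" goal: drop echo requests to our own addresses.
        icmp type echo-request drop

        # Keep the ICMP errors the IP stack needs (PMTU discovery, traceroute replies).
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept

        # Management only from the DMZ side (constructed policy choice).
        iifname $DMZ ip saddr $DMZNET tcp dport 22 accept
    }

    chain forward {
        # Packets routed through the firewall: filtered, not translated.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Only HTTP/HTTPS from the Internet may reach the web server's public address.
        iifname $WAN oifname $DMZ ip daddr $WEB tcp dport { 80, 443 } ct state new accept

        # ICMP errors for tracked flows (fragmentation-needed etc.) are covered
        # by the established,related rule above; nothing else from outside is forwarded.

        # Outbound services the web server is allowed to originate (constructed choice).
        iifname $DMZ oifname $WAN ip saddr $WEB udp dport { 53, 123 } accept
    }
}
```

Load with `nft -f <file>` and inspect with `nft list ruleset`. The point of the layout is the one Aaron makes: the web server's reachability is decided by the forward chain, not by address translation, so there is no NAT state to maintain on the firewall and the server keeps a routable address for testing.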