[WEB4LIB] Re: Fire walls and multiple IP addresses - can they

Andrew I. Mutch amutch at waterford.lib.mi.us
Fri Jan 18 14:52:47 EST 2002


Just for clarification, it is entirely possible that NAT is being done by
the firewall. I know that our firewall does do NAT. NAT is not
done through a separate proxy server or router. Our firewall also has the
ability to allow access for individual public IP addresses and can
translate those into private addresses for internal use. We are doing this
for the security reasons that Eric describes.  

The short answer for Gary is that some firewall products can support
multiple public IP addresses. It sounds like Gary needs to push on his
tech people, if possible, to explain why they can't provide that access.

Andrew Mutch
Library Systems Technician
Waterford Township Public Library
Waterford, MI




On Fri, 18 Jan 2002, Eric Holt wrote:

> 
> The short answer is yes, you can use individual public IP addresses for 
> each of your machines through a firewall.  The reason for this is that it's 
> not really the firewall that is making all of your computers look like they 
> are coming from one IP address.
> 
> Apparently your organization is running through a proxy server or a router 
> with NAT address translation, and that's what is making all of the 
> computers share an IP address--this has nothing to do with the firewall 
> itself.  There is no reason why you have to share an IP address like that 
> in order for the firewall to work correctly, but many organizations do this 
> so that they can keep their internal machines on private IP addresses as an 
> additional security measure.
> 
> Even so, it's possible to go through a proxy server/NAT and have your 
> department appear to be coming from one IP address and the rest of the FDA 
> from another.  There is no technical reason that it can't be done, you 
> just have to convince someone to re-configure things that way.
> 
> Good luck!
> 
> Eric Holt
> Manager, Computer and Network Services
> Central Arkansas Library System
> 100 Rock St.
> Little Rock, AR 72201
> (501) 918-3060
> 
> At 10:51 AM 1/18/2002 -0800, you wrote:
> >For several years now, we have been trying to work our way out of a problem.
> >Most of the vendors want to sell us services and subscriptions that limit
> >access to our FDA Center by IP address.  However, since all of FDA has the
> >same IP address as a result of its fire wall configuration, we have problems
> >with individual vendors.  Some will go along with it and others want us to
> >pay for all of FDA.  Since we are the only center to use some engineering
> >and science sources, this is difficult to sell to our superiors.
> >
> >However the point of this question is to get up to date on fire wall
> >technology.  I was told the year before last that our technology (I think it
> >is called Raptor) would be able to deliver more than one IP address to an
> >organization.  Since then, with some looking on my part, I have not seen if
> >this is possible or not.  Nobody in FDA had mentioned this and those who run
> >our fire wall are not convinced that it would be of value to have more than
> >one IP address.  Not so far as I know, at my position many levels below.
> >
> >Is it a reasonable and "easy" process to have a fire wall now which can
> >allow individual areas to have individual IP addresses?
> >
> >Or is there another solution to this problem?
> >
> >We have tried passwords, but that is another tale of pain and woe.
> >
> >I understand that some libraries don't even worry about it, but we want to
> >stay honest.
> >
> >Thanks,
> >
> >Gary Masters
> >
> >
> >
> >Gary E. Masters
> >Librarian (Systems)
> >CDRH - FDA
> >(301) 827-6893
> 
> 
> Eric Holt
> Manager, Computer and Network Services
> Central Arkansas Library System
> 100 Rock St., Little Rock AR 72201
> (501) 318-3060
> 
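Added example, not part of the original messages: a small Python model of the source NAT arrangement discussed in this thread, where one department leaves through its own public address, the rest of the organization through another, and a single host has a one-to-one mapping. All addresses, subnets and names (SourceNat, vendor_allows) are constructed assumptions, and this is not the configuration of any particular firewall product.

```python
import ipaddress

# Constructed addressing plan: RFC 1918 addresses inside, RFC 5737
# documentation addresses standing in for the public ones.
SNAT_RULES = [
    ("10.20.0.0/16", "192.0.2.20"),  # one department
    ("10.0.0.0/8", "192.0.2.10"),    # everyone else in the organization
]
STATIC_NAT = {"10.20.5.9": "192.0.2.99"}  # one-to-one mapping for a single host


class SourceNat:
    def __init__(self, rules, static):
        parsed = [(ipaddress.ip_network(n), p) for n, p in rules]
        # Most specific prefix wins, so the department rule beats the /8.
        self.rules = sorted(parsed, key=lambda r: r[0].prefixlen, reverse=True)
        self.static = dict(static)
        self.sessions = {}      # (public_ip, public_port) -> (private_ip, private_port)
        self.next_port = 20000  # simplistic port allocator for the model

    def public_for(self, private_ip):
        if private_ip in self.static:
            return self.static[private_ip]
        addr = ipaddress.ip_address(private_ip)
        for net, public_ip in self.rules:
            if addr in net:
                return public_ip
        raise ValueError(f"no NAT rule covers {private_ip}")

    def outbound(self, private_ip, private_port):
        """Translate an outgoing connection and remember it for replies."""
        public_ip = self.public_for(private_ip)
        public_port = self.next_port
        self.next_port += 1
        self.sessions[(public_ip, public_port)] = (private_ip, private_port)
        return public_ip, public_port

    def inbound(self, public_ip, public_port):
        """Map a reply back to the internal host; None means no session, drop."""
        return self.sessions.get((public_ip, public_port))


def vendor_allows(source_ip, licensed_ips):
    """IP-based subscription check as the vendor would apply it."""
    return source_ip in licensed_ips
```

With a licence tied to 192.0.2.20 only, connections from the department subnet pass the vendor's check and connections from the rest of the organization do not, while internal hosts stay on private addresses.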