[WEB4LIB] Re: Fire walls and multiple IP addresses - can they
Eric Holt
eholt at cals.lib.ar.us
Fri Jan 18 15:43:40 EST 2002
I'm sorry if my explanation was confusing, but my point was that
firewalling and address translation are two completely different
functions. While a firewall product may include NAT or a proxy server, no
true firewall requires that any kind of address translation be done. A
firewall is a packet filter, and it can filter packets between any number
of IP addresses, public or private. Changing the address translation so
that multiple IPs are exposed to the external network has no effect on the
functioning of the firewall, and any firewall at all should be able to
support this, although it will require that the firewall rules be changed
to take the new IPs into account.
Eric Holt
Manager, Computer and Network Services
Central Arkansas Library System
100 Rock St., Little Rock AR 72201
(501) 318-3060
At 11:54 AM 1/18/2002 -0800, you wrote:
>Just for clarification, it is entirely possible that NAT is being done by
>the firewall. I know that our firewall does do NAT. NAT is not
>done through a separate proxy server or router. Our firewall also has the
>ability to allow access for individual public IP addresses and can
>translate those into private addresses for internal use. We are doing this
>for the security reasons that Eric describes.
>
>The short answer for Gary is that some firewall products can support
>multiple public IP addresses. It sounds like Gary needs to push on his
>tech people, if possible, to explain why they can't provide that access.
>
>Andrew Mutch
>Library Systems Technician
>Waterford Township Public Library
>Waterford, MI
>
>
>
>
>On Fri, 18 Jan 2002, Eric Holt wrote:
>
> >
> > The short answer is yes, you can use individual public IP addresses for
> > each of your machines through a firewall. The reason for this is that it's
> > not really the firewall that is making all of your computers look like they
> > are coming from one IP address.
> >
> > Apparently your organization is running through a proxy server or a router
> > with NAT address translation, and that's what is making all of the
> > computers share an IP address--this has nothing to do with the firewall
> > itself. There is no reason why you have to share an IP address like that
> > in order for the firewall to work correctly, but many organizations do this
> > so that they can keep their internal machines on private IP addresses as an
> > additional security measure.
> >
> > Even so, it's possible to go through a proxy server/NAT and have your
> > department appear to be coming from one IP address and the rest of the FDA
> > from another. There is no technical reason that it can't be done, you
> > just have to convince someone to re-configure things that way.
> >
> > Good luck!
> >
> > Eric Holt
> > Manager, Computer and Network Services
> > Central Arkansas Library System
> > 100 Rock St.
> > Little Rock, AR 72201
> > (501) 918-3060
> >
> > At 10:51 AM 1/18/2002 -0800, you wrote:
> > >For several years now, we have been trying to work our way out of a problem.
> > >Most of the vendors want to sell us services and subscriptions that limit
> > >access to our FDA Center by IP address. However, since all of FDA has the
> > >same IP address as a result of its fire wall configuration, we have problems
> > >with individual vendors. Some will go along with it and others want us to
> > >pay for all of FDA. Since we are the only center to use some engineering
> > >and science sources, this is difficult to sell to our superiors.
> > >
> > >However the point of this question is to get up to date on fire wall
> > >technology. I was told the year before last that our technology (I think it
> > >is called Raptor) would be able to deliver more than one IP address to an
> > >organization. Since then, with some looking on my part, I have not seen if
> > >this is possible or not. Nobody in FDA had mentioned this and those who run
> > >our fire wall are not convinced that it would be of value to have more than
> > >one IP address. Not so far as I know, at my position many levels below.
> > >
> > >Is it a reasonable and "easy" process to have a fire wall now which can
> > >allow individual areas to have individual IP addresses?
> > >
> > >Or is there another solution to this problem?
> > >
> > >We have tried passwords, but that is another tale of pain and woe.
> > >
> > >I understand that some libraries don't even worry about it, but we want to
> > >stay honest.
> > >
> > >Thanks,
> > >
> > >Gary Masters
> > >
> > >
> > >
> > >Gary E. Masters
> > >Librarian (Systems)
> > >CDRH - FDA
> > >(301) 827-6893
> >
> >
> > Eric Holt
> > Manager, Computer and Network Services
> > Central Arkansas Library System
> > 100 Rock St., Little Rock AR 72201
> > (501) 318-3060
> >
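The point Eric makes above (filtering and address translation are separate functions, and giving one department its own public address is a NAT change plus a rule update, not a change to how the firewall filters) is illustrated below with a Linux nftables ruleset. This is an added example written for this archive page, not configuration from anyone in the thread and not a Raptor configuration; every interface name, subnet and public address in it is an assumption chosen for the illustration, and the same idea applies to any firewall product that does its own NAT.

```nftables
#!/usr/sbin/nft -f
# Added illustration (not from the thread): one department gets its own public
# source address while the rest of the organisation keeps sharing another.
# All of the following are assumptions made for the example:
#   eth0           outside (public-facing) interface
#   eth1           inside interface
#   10.20.1.0/24   the department (e.g. the library) that needs its own address
#   10.0.0.0/8     everyone else inside
#   203.0.113.10   public address the department's traffic should come from
#   203.0.113.5    public address the rest of the organisation comes from
# Both 203.0.113.x addresses must be routed to the firewall (or configured on
# eth0) so that return traffic actually reaches it.

flush ruleset

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were already allowed.
        ct state established,related accept

        # The packet filter is written against the INSIDE addresses. On Linux,
        # source NAT is applied in postrouting, after this chain has run, so
        # on the outbound path the filter never sees the translated public
        # address. Nothing in this chain depends on how NAT is configured;
        # changing the NAT below leaves these rules exactly as they are.
        iifname "eth1" oifname "eth0" ip saddr 10.20.1.0/24 tcp dport { 80, 443 } accept
        iifname "eth1" oifname "eth0" ip saddr 10.0.0.0/8    tcp dport { 80, 443 } accept

        # Anything else, including unsolicited inbound, falls to the drop policy.
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;

        # Order matters: the /24 must come before the /8 that contains it,
        # otherwise the department's traffic is swallowed by the broader rule
        # and leaves with the shared address.
        oifname "eth0" ip saddr 10.20.1.0/24 snat to 203.0.113.10
        oifname "eth0" ip saddr 10.0.0.0/8    snat to 203.0.113.5
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`. The practical check is from the outside: connect from a host in 10.20.1.0/24 and from a host elsewhere inside to a server you control, and confirm its logs record 203.0.113.10 for the first and 203.0.113.5 for the second. Once that holds, the vendor's IP allowlist only needs to contain 203.0.113.10, which is the outcome Gary is after; the filtering policy for every other host is unchanged.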