
Best practices for firewall external interface addressing

Update: 11-30  Source: network consolidation
Hi all,
Can anyone explain what is more secure when addressing the outside interface of a firewall in a network diagram?
1st option:
    ISP router:
        interface 1 (connected to the internet).
        interface 2 to the firewall with public IP address.
    Firewall:
        interface 1 (connected to the router): public IP address
        interface 2 (connected to internal network): private IP address (RFC1918)
2nd option:
    ISP router:
        interface 2 (connected to the internet (ISP)).
        interface 1 to the firewall with private IP address (RFC1918).
    Firewall:
        outside interface 2 (connected to the router): private IP address (RFC1918)
        inside interface 1 (connected to internal network): private IP address (RFC1918)
Any response is welcome.

The Best Answer

It's not so much what is more secure as where you want to do the NAT and how many public IPs you have.
So if you only have a small block of public IPs and you want to use them for NAT on the firewall, then you could use a private link between the ISP router and the firewall.
Usually though an ISP gives you two blocks: a /30 for the point-to-point link and then a larger subnet for actual use on the firewall.
For a single ISP setup, doing the NAT on the firewall is usually the way it is done, especially if you are using VPNs, as NAT on the router can interfere with the VPN.
If you end up with multiple ISPs then you may need to move some or all of the NAT configuration to the routers, although it is not always necessary and you may still do it on the firewall. It depends on a lot of other things such as IP addressing, ISP advertisement of public IPs, etc.
Jon
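As an added example (not part of the original thread), the script below encodes the reasoning in Jon's answer as a sanity check on a handoff plan: it validates the point-to-point link between ISP router and firewall and reports whether NAT can sit on the firewall or is forced onto the router. All addresses are constructed; RFC 5737 documentation ranges stand in for public space, so "public" here simply means "not RFC1918", as in the question.

```python
"""Check where NAT can live for an ISP-router / firewall handoff plan."""
import ipaddress
from typing import Optional

# RFC1918 space, named explicitly so documentation ranges still count as "public".
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def check_handoff(link: str, router_ip: str, fw_outside_ip: str,
                  routed_block: Optional[str] = None) -> dict:
    """link: point-to-point subnet between ISP router and firewall (often a /30).
    routed_block: larger public block the ISP routes toward the firewall, if any."""
    net = ipaddress.ip_network(link, strict=True)
    router, fw = ipaddress.ip_address(router_ip), ipaddress.ip_address(fw_outside_ip)
    problems = []
    if router not in net or fw not in net:
        problems.append("link endpoints are not both inside the point-to-point subnet")
    if router == fw:
        problems.append("router and firewall share the same link address")
    usable = len(list(net.hosts()))
    if usable < 2:
        problems.append(f"/{net.prefixlen} link has no room for two endpoints")
    link_private = is_rfc1918(str(net.network_address))
    block = ipaddress.ip_network(routed_block) if routed_block else None
    if block is not None:
        if is_rfc1918(str(block.network_address)):
            problems.append("routed block is RFC1918 and cannot be used for Internet NAT")
        if block.overlaps(net):
            problems.append("routed block overlaps the point-to-point link")
    # Placement follows the thread: a public link, or a public block routed
    # to the firewall over a private link, lets the firewall NAT. A private
    # link with nothing routed behind it forces NAT onto the ISP router.
    nat_on = "firewall" if (block is not None or not link_private) else "router"
    return {"link_private": link_private, "usable_link_hosts": usable,
            "nat_on": nat_on, "problems": problems}


if __name__ == "__main__":
    # Option 1: public /30 plus a routed /28; option 2: private /30 only.
    print(check_handoff("203.0.113.0/30", "203.0.113.1", "203.0.113.2", "198.51.100.0/28"))
    print(check_handoff("192.168.255.0/30", "192.168.255.1", "192.168.255.2"))
```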