- Clavister CorePlus 8.x, 9.x
- Clavister cOS Core 10.x
- You can use public IP addresses on the machines on the dmz network even if your ISP has given you only a single public IP network.
- No need to reconfigure your ISP router -- your ISP does not need to get involved.
- You save a lot of IP addresses that would have been wasted in a subnetting scenario.
- The IP rules still decide whether traffic is allowed, so there are no security issues.
- Proxy ARP is easier to use than manual ARP publishing of individual IP addresses.
- There is no need for SAT/Allow combinations for incoming connections, SAT/NAT combinations for connections from the internal network, or NAT for outgoing traffic from your servers. You only need Allow rules in each direction.
- In summary: your configuration becomes much more manageable.
- Host & Networks in this scenario
- Routing table
Also note how the Security Gateway uses the same IP address on the "ext", "dmz" and "dmz2" interfaces. This works perfectly with Clavister Security Gateway.
In the routes section, we simply specify which interface the Security Gateway should use to reach each part of our split-up network.
To get to the default gateway, "gw-world", we go through the "ext" interface.
To get to our DNS servers, we go through the "dmz2" interface.
To get to the rest of the 192.0.2.0/24 network, we go through the "dmz" interface.
We then enable full Proxy ARP on all these routes. This means that:
- The default gateway (gw-world) can ARP-resolve all 192.0.2.0/24 addresses
- All hosts on dmz and dmz2 can use 192.0.2.1 (gw-world) as their gateway
- All hosts on dmz and dmz2 can resolve each other (though, of course, the Security Gateway ruleset still controls how they can communicate)
For those who have a deeper understanding of ARP: don't worry. Even though we've told the Security Gateway to publish the address on "ALL" interfaces, it will in fact never publish the address on the interface where the host actually lives, as that would introduce address conflicts.
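To make the routing and publishing logic concrete, here is an added Python model (not Clavister code and not from this article) of the routing table above: longest-prefix route lookup plus the rule that the gateway answers ARP for an address on every interface except the one the host is actually reachable through. The interface names, the 192.0.2.0/24 block and gw-world (192.0.2.1) come from the article; the DNS server addresses 192.0.2.10 and 192.0.2.11 are assumptions.

```python
import ipaddress

# Constructed routing table mirroring the article's scenario.
# (network, interface the hosts live behind, Proxy ARP enabled on ALL interfaces)
ROUTES = [
    ("192.0.2.1/32", "ext", True),    # gw-world is reached via ext
    ("192.0.2.10/32", "dmz2", True),  # assumed DNS server 1
    ("192.0.2.11/32", "dmz2", True),  # assumed DNS server 2
    ("192.0.2.0/24", "dmz", True),    # rest of the public block lives on dmz
]
ROUTES = [(ipaddress.ip_network(n), i, p) for n, i, p in ROUTES]


def lookup(ip):
    """Longest-prefix match: the most specific matching route wins,
    so the /32 DNS routes on dmz2 override the /24 route on dmz."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, iface, proxy in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, proxy)
    return best


def should_answer_arp(request_iface, target_ip):
    """Decide whether the gateway answers an ARP request seen on
    request_iface for target_ip. It answers only when the target is
    routed through some *other* interface with Proxy ARP enabled; it
    never answers on the interface where the host itself lives, since
    that would create an address conflict."""
    route = lookup(target_ip)
    if route is None:
        return False          # unknown address: stay silent
    _net, lives_on, proxy = route
    return proxy and lives_on != request_iface


def proxy_arp_matrix(targets, interfaces=("ext", "dmz", "dmz2")):
    """Which (interface, target) pairs the gateway would proxy-answer."""
    return {(i, t): should_answer_arp(i, t) for i in interfaces for t in targets}
```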
This rulesheet shows only the rules regarding the DMZ interfaces. It is just an example to show how simple your rules can be when using Proxy ARP and public IP addresses instead of SAT and NAT. You'll probably need some additional rules to let the internal network administer the DMZ hosts.
This ruleset concentrates on what is really important: your security policy, without having to worry about address translation details.