A DMZ Question?

Status
Not open for further replies.

rasindia

IS-IT--Management
Apr 6, 2000
71
Hi,
Can anybody tell me the technical reasons for using a customized IP range on the DMZ instead of using the Internet-assigned original IP range?

For example,
External IP range is on 2xx.xx.xx.xx
DMZ IP range is on 19x.xx.xx.xx

One reason I thought of was saving my Internet IP range by using a different IP range in the DMZ. Can anybody point out a technical/security reason not to use the original assigned IP range in the DMZ?

Thanks
 

One way to put it:
Would you like your internal domain namespace to be known to the outside world?
 
The straight answer is 'NO'.

But I don't know what the security risk will be if the original IP is known to the outside world. We have 32 assigned addresses. What if I use 16 in the DMZ and the remaining 16 on the external side and NAT them?

Can you please let me know the risk?
 

Hi rasindia,

I'm interested in this question too.
In my opinion there isn’t a security problem in using public IP addresses in your DMZ. If your systems in the DMZ are protected by strong firewall rules and the latest OS security patches, they will be sufficiently protected for “normal customers”.
If you are using a private IP range and NAT instead, in my opinion there would be a bit more protection because a possible intruder has to find out the real IP of the system first.
It’s easier to attack a system directly by its assigned IP address instead of attacking a “dummy” system before (FW+NAT).

Other suggestions?

Martin
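
Added example, not part of any post in this thread: the two address plans being compared for a 32-address assignment, worked through with Python's `ipaddress` module. The blocks 203.0.113.0/27 and 192.168.50.0/24, the server names, and the reservation of one upstream router address and one firewall address on each segment are constructed assumptions.

```python
import ipaddress

PUBLIC_BLOCK = "203.0.113.0/27"  # constructed: 32 addresses from a documentation range
PRIVATE_DMZ = "192.168.50.0/24"  # constructed: RFC 1918 range for the NAT variant


def split_plan(block=PUBLIC_BLOCK):
    """Plan A: halve the public block, public addresses sit directly on DMZ hosts."""
    external, dmz = ipaddress.ip_network(block).subnets(prefixlen_diff=1)
    ext_hosts, dmz_hosts = list(external.hosts()), list(dmz.hosts())
    return {
        "external": external,
        "dmz": dmz,
        # outside segment: assumed upstream router + firewall outside interface
        "external_spare": ext_hosts[2:],
        # DMZ segment: firewall DMZ interface acts as the gateway
        "dmz_servers": dmz_hosts[1:],
    }


def nat_capacity(block=PUBLIC_BLOCK):
    """Plan B: block stays whole on the outside; count addresses left to publish."""
    return len(list(ipaddress.ip_network(block).hosts())) - 2  # router + firewall


def nat_plan(servers, block=PUBLIC_BLOCK, dmz_block=PRIVATE_DMZ):
    """Plan B: static 1:1 NAT table, public address -> private DMZ address."""
    public = list(ipaddress.ip_network(block).hosts())[2:]
    private = list(ipaddress.ip_network(dmz_block).hosts())[1:]  # skip DMZ gateway
    if len(servers) > len(public):
        raise ValueError("more servers than publishable public addresses")
    return {name: (pub, priv) for name, pub, priv in zip(servers, public, private)}


if __name__ == "__main__":
    a = split_plan()
    print("Plan A:", a["external"], "+", a["dmz"],
          "->", len(a["dmz_servers"]), "DMZ servers,",
          len(a["external_spare"]), "spare outside addresses")
    print("Plan B:", nat_capacity(), "publishable addresses")
    for name, (pub, priv) in nat_plan(["www", "mail"]).items():
        print(f"  {name}: {pub} -> {priv}")
```

Splitting costs each half its own network and broadcast address, which is the address-saving argument from the first post in numbers. Under static NAT each published server is still reached at its public address, so the firewall rules decide which ports are exposed in both plans.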
 