Anyone doing large scale NAT for their campus?

Gerry Sneeringer sneeri at umd.edu
Fri Sep 20 17:25:27 GMT 2002


A pair of external security reviews were recently conducted to get an
outside opinion on the state of security here at Maryland. Both came back
with a recommendation that we move the entire campus (32,000 active hosts)
onto non routed addresses and use NAT for access to the rest of the world.
This has caught my management's attention.

This strikes me as overkill and I worry that protocols currently in use
or under development would be kneecapped by such a move.  For the ones
that come immediately to mind such as multicast, our Cisco consultant has
smiled and said that his gear could handle it.  Of course I worry about
the next big thing that takes off in higher education prior to larger
markets that his box won't handle for the first year.

There's also the small issue of getting buy-in from our researchers and
professors.

While NAT'ing is fairly commonplace in the home and commercial realms, I
am not aware of a large research institution that has taken the plunge.
Does anyone know of a school that has done this and any lessons (positive
or negative) that we can learn from them before we make a decision on
pursuing this option?


Thanks!
-Gerry

---
Gerry Sneeringer
I.T. Security Officer
University of Maryland
Office of Information Technology
+1 301 405 2996



More information about the unisog mailing list