[unisog] Anyone doing large scale NAT for their campus?
Peter Van Epp
vanepp at sfu.ca
Fri Sep 20 19:56:01 GMT 2002
> A pair of external security reviews were recently conducted to get an
> outside opinion on the state of security here at Maryland. Both came back
> with a recommendation that we move the entire campus (32,000 active hosts)
> onto non routed addresses and use NAT for access to the rest of the world.
> This has caught my management's attention.
While we are neither NATed nor this large, here are my thoughts:
is your Cisco consultant smiling because (as I recall in the past), Cisco
NAT comes with a per concurrent user charge and he/she is already pricing that
new BMW? :-) (i.e. how much additional cost are you facing to NAT).
That said, the primary problem we see around here is that faculty
and staff sometimes like to have their own web server on the net (most and
the student body are on a campus web server that we run). That implies either
fixed translation (== administrative cost not currently present, more staff
please. The answer to that here is NO!!!) or a bypass network with fixed
addresses (and this improves security how again?) for those users. Then as
you point out there are the odd protocols that neither understand nor like
NAT or proxies. My opinion is that some combination of these is going to
negate any security increase NAT gives you. A serious firewall which restricts
access to hosts does as much (and causes as much opposition from faculty if
you are anything like here :-)). I know NAT is seen as the silver
bullet around here for most any problem, I've just never found anyone that
can tell me how it works as a silver bullet in any way that I believe or
accept (which of course may be a failure on my part ...).
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
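An added illustration of the point made above (not part of the original thread or any university's configuration): the same inbound policy written once as a plain stateful firewall on routed addresses and once as NAT with a "fixed translation" for a faculty-run web server. All addresses and interface names are constructed for the example, and the two variants are alternatives, not meant to be loaded together.

```nft
# Constructed example: 10.0.0.0/16 is the campus, 192.0.2.1 the router's
# public address, 10.0.5.20 a faculty-run web server that must be reachable.

# Variant A: routed campus behind a "serious firewall" that restricts access.
# Unsolicited inbound traffic is dropped by policy; only what is listed gets in.
table inet campus_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept        # replies to campus-initiated flows
        ct state invalid drop
        iifname "campus" oifname "world" accept    # anything outbound from campus
        # One explicit line per permitted inbound service and host.
        iifname "world" ip daddr 10.0.5.20 tcp dport { 80, 443 } ct state new accept
    }
}

# Variant B: campus on non-routed space behind NAT.
# Hosts without a mapping are unreachable simply because no public address
# leads to them; the faculty web server needs a static mapping, which is
# again one administrative entry per host, kept in step with any filter rules.
table ip campus_nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        ip saddr 10.0.0.0/16 oifname "world" snat to 192.0.2.1
    }
    chain prerouting {
        type nat hook prerouting priority -100;
        # "Fixed translation": the public address and ports that reach 10.0.5.20.
        iifname "world" ip daddr 192.0.2.1 tcp dport { 80, 443 } dnat to 10.0.5.20
    }
}
```

In both variants the inbound restriction is the same explicit per-host list; variant B adds address bookkeeping (and breaks protocols that embed addresses in their payload) without adding any restriction the filter in variant A does not already express.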