[unisog] Anyone doing large scale NAT for their campus?

E. Larry Lidz ellidz at eridu.uchicago.edu
Sat Sep 21 03:53:28 GMT 2002


Gerry Sneeringer writes:
>A pair of external security reviews were recently conducted to get an
>outside opinion on the state of security here at Maryland. Both came back
>with a recommendation that we move the entire campus (32,000 active hosts)
>onto non routed addresses and use NAT for access to the rest of the world.

I know that this isn't a helpful suggestion, but when I hear this sort
of thing, my initial thought is: "it's time to get new auditors." 

As many of the other people have pointed out, and as you suspect, this
sort of thing doesn't scale to the size that you're talking about, and
somewhere along the way, it will get in the way of research. 

Your auditors ought to know this. If they're not taking your environment
into consideration when making recommendations, I question if they're
doing their job appropriately. 

-Larry

---
E. Larry Lidz                                        Phone: +1 773 702-2208
Sr. Network Security Officer                         Fax:   +1 773 834-8444
Network Security Center, The University of Chicago
PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml


