[unisog] Anyone doing large scale NAT for their campus?

Scott Genung sagenung at ilstu.edu
Mon Sep 23 13:38:12 GMT 2002


I would have to concur with many of the comments here in saying that NAT 
isn't a security model by itself. A true security model is composed of many 
elements of which NAT could be considered.

We implemented NAT to augment our existing public address subnet model - 
not as an attempt to address security concerns. All that NAT can do (from 
a security perspective) is limit the exposure of a campus-based host from 
off campus depending upon how you use translation expiration timers. NAT 
can also make it challenging for students to build servers in environments 
where you don't want to see that type of traffic pattern. But, it will not 
solve your campus security problems. If you're not logging properly, it may 
only make them worse.

If you're looking at NAT from purely a security angle, I'm not sure that 
it's a defendable approach. However, if your goal is to augment address 
space and have greater control of where network services live, NAT is a 
good solution. It sounds like it may be time to shop for some new external 
auditors.


Scott Genung
Manager of Networking Systems
Telecommunications and Network Support Services
124 Julian Hall
Illinois State University

(309)438-8731   http://www.tnss.ilstu.edu


