[unisog] Anyone doing large scale NAT for their campus?

Doug Herrick doug.herrick at tufts.edu
Mon Sep 23 14:05:38 GMT 2002


Greetings,

I've been following the NAT discussions relative to its security use. 
But in terms of the way it apparently undermines the end-to-end model,
does anyone have a point of view about NAT relative to its use to reduce
or eliminate outbound Kazaa or Morpheus traffic?  Right now, with our
gigabit Cogent Internet link, our ResNet is managing to serve music to
the world (probably inadvertently) at more than 10 times the ratio of
inbound downloads.  Not that we are considering going there, but does
anyone use it for this purpose?

Doug Herrick
Associate Director of Data Network Operations
Tufts University  

Scott Genung wrote:
> 
> I would have to concur with many of the comments here in saying that NAT
> isn't a security model by itself. A true security model is composed of many
> elements of which NAT could be considered.
> 
> We implemented NAT to augment our existing public address subnet model -
> not as an attempt to address security concerns. All that NAT can do (from
> a security perspective) is limit the exposure of a campus-based host from
> off campus depending upon how you use translation expiration timers. NAT
> can also make it challenging for students to build servers in environments
> where you don't want to see that type of traffic pattern. But, it will not
> solve your campus security problems. If you're not logging properly, it may
> only make them worse.
> 
> If you're looking at NAT from purely a security angle, I'm not sure that
> it's a defendable approach. However, if your goal is to augment address
> space and have greater control of where network services live, NAT is a
> good solution. It sounds like it may be time to shop for some new external
> auditors.
> 
> Scott Genung
> Manager of Networking Systems
> Telecommunications and Network Support Services
> 124 Julian Hall
> Illinois State University
> 
> (309)438-8731   http://www.tnss.ilstu.edu
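As an added illustration (not code from the original thread, nor from either school's network), this toy Python NAT table shows the two mechanisms Scott's reply describes: a mapping created by an inside host admits return traffic only until the translation expiration timer runs out, an unsolicited off-campus connection to a would-be student server finds no translation and is dropped, and every translation is logged so that a public address and port seen in a complaint can be traced back to an inside host. Addresses, ports and the timer value are constructed.

```python
# Toy stateful NAT table with a translation expiration timer and per-mapping
# logging. Constructed example: addresses, ports and timer values are invented.
PUBLIC_IP = "192.0.2.10"   # constructed public address of the NAT box
TIMEOUT = 60               # translation expiration timer, in seconds

class Nat:
    def __init__(self, timeout=TIMEOUT):
        self.timeout = timeout
        self.next_port = 40000
        self.table = {}   # (proto, public_port) -> (inside_ip, inside_port, last_seen)
        self.log = []     # needed to trace public_ip:port at time T back to a host

    def _expire(self, now):
        for key, (ip, port, seen) in list(self.table.items()):
            if now - seen > self.timeout:
                self.log.append(f"{now} EXPIRE {key[0]} {PUBLIC_IP}:{key[1]} -> {ip}:{port}")
                del self.table[key]

    def outbound(self, now, proto, inside_ip, inside_port):
        """Inside host initiates a flow: create or refresh its mapping."""
        self._expire(now)
        for key, (ip, port, _) in self.table.items():
            if key[0] == proto and (ip, port) == (inside_ip, inside_port):
                self.table[key] = (ip, port, now)
                return key[1]
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(proto, pub_port)] = (inside_ip, inside_port, now)
        self.log.append(f"{now} CREATE {proto} {inside_ip}:{inside_port} -> {PUBLIC_IP}:{pub_port}")
        return pub_port

    def inbound(self, now, proto, pub_port):
        """Packet from off campus: forwarded only while a live mapping exists."""
        self._expire(now)
        entry = self.table.get((proto, pub_port))
        if entry is None:
            self.log.append(f"{now} DROP {proto} {PUBLIC_IP}:{pub_port} (no translation)")
            return None
        ip, port, _ = entry
        self.table[(proto, pub_port)] = (ip, port, now)
        return (ip, port)

def demo():
    """Outbound flow gets its reply; unsolicited inbound and stale mappings drop."""
    nat = Nat()
    pub = nat.outbound(0, "tcp", "10.1.2.3", 51000)
    reply = nat.inbound(5, "tcp", pub)                 # ("10.1.2.3", 51000)
    unsolicited = nat.inbound(6, "tcp", 6881)          # None: no mapping for the port
    stale = nat.inbound(5 + TIMEOUT + 1, "tcp", pub)   # None: mapping expired
    return reply, unsolicited, stale, nat.log
```

The log is the part that matters operationally: without the CREATE and EXPIRE records, the public address and port in an off-campus complaint cannot be attributed to an inside host.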