[unisog] Anyone doing large scale NAT for their campus?

Young, Beth A. youngba at more.net
Fri Sep 20 18:34:52 GMT 2002


I can't comment on the viability of a large NAT but whatever solution you look at, make sure there is some kind of logging or accountability.  There is nothing worse than having the FBI or Secret Service show up and you can't track the IP address past the NAT machine.

Beth

>-----Original Message-----
>From: Gerry Sneeringer [mailto:sneeri at umd.edu]
>Sent: Friday, September 20, 2002 12:25 PM
>To: unisog at sans.org
>Subject: [unisog] Anyone doing large scale NAT for their campus?
>
>
>
>A pair of external security reviews were recently conducted to get an
>outside opinion on the state of security here at Maryland. Both came back
>with a recommendation that we move the entire campus (32,000 active hosts)
>onto non-routed addresses and use NAT for access to the rest of the world.
>This has caught my management's attention.
>
>This strikes me as overkill and I worry that protocols currently in use
>or under development would be kneecapped by such a move.  For the ones
>that come immediately to mind such as multicast, our Cisco consultant has
>smiled and said that his gear could handle it.  Of course I worry about
>the next big thing that takes off in higher education prior to larger
>markets that his box won't handle for the first year.
>
>There's also the small issue of getting buy-in from our researchers and
>professors.
>
>While NAT'ing is fairly commonplace in the home and commercial realms, I
>am not aware of a large research institution that has taken the plunge.
>Does anyone know of a school that has done this and any lessons (positive
>or negative) that we can learn from them before we make a decision on
>pursuing this option?
>
>
>Thanks!
>-Gerry
>
>---
>Gerry Sneeringer
>I.T. Security Officer
>University of Maryland
>Office of Information Technology
>+1 301 405 2996
>
>
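Beth's point about being able to track an address back past the NAT box is easy to show with a small session-log lookup. This is an added example, not code from the thread or from any NAT vendor: the log line format, the addresses, and the `parse_sessions` / `attribute` helpers are all assumed for illustration, but the fields they rely on (time, inside address and port, translated address and port, destination) are what any NAT log needs to carry if a complaint naming a public IP is ever to be resolved to one inside host.

```python
from datetime import datetime

# Constructed sample NAT session log (assumed format, not any vendor's):
# many inside hosts share one public address, and a translated port gets
# reused once the session that held it has ended.
SAMPLE_LOG = """\
2002-09-20T12:01:03 start inside=172.16.4.20:51022 outside=203.0.113.5:40001 dst=198.51.100.9:80
2002-09-20T12:01:05 start inside=172.16.7.88:33104 outside=203.0.113.5:40002 dst=198.51.100.9:80
2002-09-20T12:02:10 end   inside=172.16.4.20:51022 outside=203.0.113.5:40001 dst=198.51.100.9:80
2002-09-20T12:02:30 start inside=172.16.9.15:47711 outside=203.0.113.5:40001 dst=198.51.100.23:443
"""

def parse_sessions(text):
    """Pair start/end records into (start, end, inside, outside, dst) tuples."""
    open_sessions = {}  # (outside, dst) -> (start_time, inside)
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        ts = datetime.fromisoformat(parts[0])
        fields = dict(p.split("=", 1) for p in parts[2:])
        key = (fields["outside"], fields["dst"])
        if parts[1] == "start":
            open_sessions[key] = (ts, fields["inside"])
        elif parts[1] == "end" and key in open_sessions:
            start, inside = open_sessions.pop(key)
            sessions.append((start, ts, inside, *key))
    # Sessions still open when the log ends have no known end time.
    for key, (start, inside) in open_sessions.items():
        sessions.append((start, None, inside, *key))
    return sessions

def attribute(sessions, outside, when, dst=None):
    """Inside hosts that were using `outside` ("ip:port" or bare "ip") at
    time `when`, optionally narrowed by destination.  A query with only the
    public IP and no port returns every host behind it, which is exactly the
    "can't track it past the NAT machine" failure."""
    hits = set()
    for start, end, inside, out, d in sessions:
        if dst is not None and d != dst:
            continue
        if outside not in (out, out.split(":")[0]):
            continue
        if start <= when and (end is None or when <= end):
            hits.add(inside.split(":")[0])
    return hits
```

A query that carries the translated port and a timestamp resolves to a single inside host even after the port has been reused; drop the port and the same public address maps to several hosts at once.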


