[unisog] Anyone doing large scale NAT for their campus?

Ben Curran bdc1 at humboldt.edu
Fri Sep 20 18:49:28 GMT 2002


Gerry,

One of the biggest problems we had with our resnet users was the lack of positive id 
(i.e. off campus net abuse type complaints) for NAT users, since Cisco's NAT logging 
solution is to log "debug IP detailed"  to your local syslog. Way too much detail and 
traffic, if even for a few hundred users. I can't imagine 32k! The problem is mulitiplied 
when you use DHCP. May be there are some good logging solutions out there for NAT 
now? 

Ben Curran


On 20 Sep 2002, at 13:25, Gerry Sneeringer wrote:

> 
> A pair of external security reviews were recently conducted to get an
> outside opinion on the state of security here at Maryland. Both came back
> with a recommendation that we move the entire campus (32,000 active hosts)
> onto non routed addresses and use NAT for access to the rest of the world.
> This has caught my management's attention.
> 
> This strikes me as overkill and I worry about protocols currently in use
> or under development would be kneecapped by such a move.  For the ones
> that come immediately to mind such as multicast, our Cisco consultant has
> smiled and said that his gear could handle it.  Of course I worry about
> the next big thing that takes off in higher education prior to larger
> markets that his box won't handle for the first year.
> 
> There's also the small issue of getting buy-in from our researchers and
> professors.
> 
> While NAT'ing is fairly commonplace in the home and commerical realms, I
> am not aware of a large research institution that has taken the plunge.
> Does anyone know of a school that has done this and any lessons (positive
> or negative) that we can learn from them before we make a decision on
> pursuing this option?
> 
> 
> Thanks!
> -Gerry
> 
> ---
> Gerry Sneeringer
> I.T. Security Officer
> University of Maryland
> Office of Information Technology
> +1 301 405 2996
> 


________________________________________________ 
¥«¤»§«¤»¥«¤»§«¤»¥«¤»§«¤»¥«¤»§«¤»¥«¤»§«¤»¥«¤»§«¤») 
________________________________________________
Network Specialist and General Factotum
Humboldt State University
c/o Telecommunications & Network Services
1 Harpst St. Arcata, CA 95521
Phone: (707)826-5000
FAX: (707)826-6161
Email: bdc1 at humboldt.edu



More information about the unisog mailing list