[unisog] Anyone doing large scale NAT for their campus?

John Stauffacher stauffacher at chapman.edu
Sat Sep 21 01:17:09 GMT 2002


We've tended to use NAT as a stop gap for over crowding. Because of ARIN
concerns (losing our 1/2 class b), we have to use all of our routed
addresses and tend to use NAT to supplement. Each building has both a
private and a public network...dhcp serves out both....our wireless
network (for security reasons) is nat'd and vlan'd and totally
stonewalled from the rest of the campus. Its not the *ideal* setup, but
it does work. NAT is for the most part just one more tool in our
crib...nothing more, nothing less. It certainly should not be used as a
stop-gap security measure...

-John Stauffacher

++
John Stauffacher
Network Administrator
Chapman University
stauffacher at chapman.edu
714-628-7249

-----Original Message-----
From: Tom Perrine [mailto:tep at SDSC.EDU] 
Sent: Friday, September 20, 2002 3:18 PM
To: vanepp at sfu.ca
Cc: unisog at sans.org
Subject: Re: [unisog] Anyone doing large scale NAT for their campus?

NAT was designed as a way to avoid the exhaustion of IPV4 addresses.

The fact that it "can" (for some values of "can") be used for
"security" (for some small values of "security") is, well, not always
a good idea.

NAT breaks the fundamental end-to-end design of the Internet.  There
are others who take a more religious stance than I do in this area,
but there are things that Just Don't Work with NAT.

NAT breaks some things that you might want, and makes other things
harder.  Kerberos pretty much doesn't like NAT, and that likely
includes the M$ version of K5 which is part of Active Directory, IIRC.

It means that you have to keep lots of logs, forever, just to be able
to figure out which machine was acting as which address/port at which
time.  Even if you don't expect law enforcement to show up, how about
when *you* try to track down the student host that is serving
streaming video (eating all your bandwidth), or mounting that denial
of service attack?

Also, aren't there some real nasties with IPSEC and NAT?  Last I heard
(a year or more ago?) IPSEC and NAT just really didn't like each
other.

I don't know anyone who has tried to NAT an entire 35K host site.  It
does sound like quite the challenge.  I'm glad CISCO is willing to try
it out at *your* site :-) If this is such a good idea, why doesn't
CISCO already do it for all *their* users on their corporate networks?

Personally, and it is just a personal preference, I'd try to do some
"real" security instead of relying solely on NAT.  NAT in combination
with some other stuff, like good configuration management on operating
systems, and a firewall (or 5), and *good* logging is more
complicated, but I suspect more effective and much more featureful for
the users.

I guess this is just my knee-jerk reaction to anyone who says they
have (will sell me!) a silver bullet that will solve all my problems
in any area.  A.I.?  Yup, did that.  "OO-design?", yup.  "One big
firewall?", uh-huh.

Hmm, must be Friday, my soapbox is showing.

-- 
Tom E. Perrine <tep at SDSC.EDU> | San Diego Supercomputer Center 
http://www.sdsc.edu/~tep/     | 



More information about the unisog mailing list