Educause Security Discussion mailing list archives

Re: Large edu's doing NAT campus wide?


From: Cal Frye <cjf () CALFRYE COM>
Date: Sun, 29 Apr 2007 21:30:07 -0400

Chris Allison wrote:
    All,
    I would be interested in hearing other people's ideas concerning
using a campus wide NAT to provide additional protection.
At MU we are looking at adding NAT.  The idea would be that the internal
address space would not be reachable from outside unless
you used VPN or talked to the security guys about setting up a static IP
and associated NAT map.
    As you might imagine, a number of academic types don't like the
idea.  For the most part, they have not created a convincing
argument against.  My experience is they don't really come after you
until after you pull the switch.
    With all the devices coming onto campus, one does not have to look
far to see we will have addressing problems soon.  In
fact we are already having point issues and the occurrences are becoming
more frequent.

I've resisted any suggestions we do such here, but then again, we have
more public addresses than we need. Still, taking devices that never
should be accessible from off-campus and placing them on a private VLAN
is a good idea and can relieve some of your address congestion.

Conserving scarce address resources is the only reason to adopt NAT, in
my not-so-humble opinion.

The security benefits of NAT can be achieved with a stateful firewall,
and it's then easier to make exceptions for servers and services that
might be within the proposed range of NATed addresses. NAT can break
little things that our folks might rely upon, like the various VoIP
applications, messaging, and such. When too many internal addresses are
mapped to a single external address, even AIM becomes impaired. I have
enough means of breaking my network without introducing NAT as well ;-)
--
Regards,
-- Cal Frye, Network Administrator, Oberlin College

   www.calfrye.com,  www.pitalabs.com

"All our inventions are but improved means to our unimproved end." --
Henry David Thoreau.
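The reply above argues two points: that a stateful firewall gives the same "unreachable from outside" property as NAT while making per-server exceptions easy, and that many-to-one NAT degrades once too many inside hosts share one public address. The following is an added illustration written for this archive page, not code from either poster or from any product; the address ranges, the 10.0.0.0/8 internal network, the allow-listed web server and the deliberately tiny port pool are all assumptions chosen to make the two behaviours visible.

```python
"""Toy model of the two designs discussed in the thread (added example,
not the poster's code): a stateful firewall with per-service exceptions,
and a many-to-one NAT (PAT) whose port pool can run out."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Set, Tuple

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Default-deny inbound; permit replies to flows the inside initiated,
    plus an explicit allow-list of (internal_ip, port) services."""

    def __init__(self, internal_net: str, allowed_inbound=()):
        self.internal = ip_network(internal_net)          # assumed private range
        self.allowed_inbound: Set[Tuple[str, int]] = set(allowed_inbound)
        self.established: Set[Flow] = set()               # flows opened from inside

    def _inside(self, ip: str) -> bool:
        return ip_address(ip) in self.internal

    def filter(self, pkt: Packet) -> str:
        if self._inside(pkt.src) and not self._inside(pkt.dst):
            # Outbound: remember the flow so its reply is recognised later.
            self.established.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        if self._inside(pkt.dst) and not self._inside(pkt.src):
            reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if reverse in self.established:
                return "ACCEPT"          # reply to an inside-initiated flow
            if (pkt.dst, pkt.dport) in self.allowed_inbound:
                return "ACCEPT"          # the per-server exception, no NAT map needed
            return "DROP"                # unsolicited inbound, same effect as NAT hiding
        return "ACCEPT"                  # inside-to-inside traffic is not policed here


class PortAddressTranslator:
    """Many-to-one NAT: each outbound flow is given its own port on the
    single public address.  The pool size is a hypothetical parameter."""

    def __init__(self, public_ip: str, port_pool: range):
        self.public_ip = public_ip
        self.free_ports = list(port_pool)
        self.table: Dict[Flow, int] = {}     # inside flow -> assigned public port

    def translate(self, pkt: Packet) -> Optional[Packet]:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.table.get(key)
        if port is None:
            if not self.free_ports:
                return None                  # pool exhausted: the new flow cannot leave
            port = self.free_ports.pop()
            self.table[key] = port
        return Packet(self.public_ip, port, pkt.dst, pkt.dport)


def demo_firewall() -> Tuple[str, str, str]:
    """Constructed traffic: a reply, an allowed server, an unsolicited probe."""
    fw = StatefulFirewall("10.0.0.0/8", allowed_inbound={("10.1.1.80", 80)})
    fw.filter(Packet("10.2.3.4", 51000, "203.0.113.9", 443))         # outbound HTTPS
    reply = fw.filter(Packet("203.0.113.9", 443, "10.2.3.4", 51000))  # its reply
    web = fw.filter(Packet("198.51.100.7", 40000, "10.1.1.80", 80))   # to allow-listed server
    probe = fw.filter(Packet("198.51.100.7", 40001, "10.2.3.4", 22))  # unsolicited SSH
    return reply, web, probe


def demo_exhaustion(hosts: int, flows_per_host: int, pool: range) -> int:
    """How many constructed flows the PAT carries before its pool empties."""
    nat = PortAddressTranslator("192.0.2.1", pool)
    carried = 0
    for h in range(hosts):
        for f in range(flows_per_host):
            inside = Packet(f"10.0.{h // 256}.{h % 256}", 20000 + f, "203.0.113.9", 5190)
            if nat.translate(inside) is not None:
                carried += 1
    return carried


if __name__ == "__main__":
    print(demo_firewall())                                   # ('ACCEPT', 'ACCEPT', 'DROP')
    print(demo_exhaustion(100, 10, range(1024, 1524)))       # 500 of 1000 flows leave
```

The firewall half shows why the "exceptions for servers" argument holds: an allow-list entry is all the web server needs, whereas with NAT the same server would also need a static public address and a translation map. The translator half makes the exhaustion failure concrete: once the pool behind the single public address is used up, further flows from any inside host are simply not forwarded, which is the kind of impairment the reply attributes to crowding many addresses behind one.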
