Educause Security Discussion mailing list archives
Re: Large edu's doing NAT campus wide?
From: Brian Paige <paige () OAKLAND EDU>
Date: Mon, 30 Apr 2007 10:42:54 -0400
Joe,

We're a moderately large university (approx. 17,000) and have been using campus-wide NAT for a number of years. The initial driver for this was to accommodate a multi-year address restructuring program -- we had to subnet our flat /16 address space and needed an intermediate addressing scheme in order to do so. Internal private addresses were assigned using DHCP, and then DHCP addresses are allocated NAT addresses from pre-defined NAT pools in their appropriate public address ranges. This has worked very well for us, and, although some addresses may move back to public IP space, there is no rush to do so (the relationship between our inside DHCP and NAT makes this very easy in both directions).

I would assert that besides this, NAT has two additional advantages for us. First, as discussed in earlier posts, since our NAT addresses are only nailed up for a short period of time (variable depending on the pool) we have found it has some secondary security advantages ... did someone refer to it as a "security bump" in a previous post? I don't think NAT should be considered exclusively for security purposes, but if you have a need to use NAT, this is a marginal benefit. Second, I would agree with several of the folks who posted concerning address portability ... in the event that external addresses change, a network that utilizes NAT in its architecture may be less impacted.

Someone mentioned NAT+VPN and we're doing some of that here. Systems with non-NAT'd private address space are reachable only via VPN access. I agree with the upsides and downsides discussed in all the previous responses: it does require careful planning, good logging, isn't a be-all-end-all to security, is best utilized where there are addressing issues, and can "break" some services, but we have been able to accommodate all of these issues here at Oakland and found NAT to be quite useful.

Long story short ... we're not a formal case study, but pragmatically, it works here.

We're fortunate that we can do 1:1 NAT. Makes the identification portion easier than PAT or NAT overload. Good luck on your presentation.

Regards,
Brian Paige
Lead Network Engineer
Oakland University

Joe St Sauver wrote:
Hi,

Is anyone aware of a study of large edu's who are doing NAT campus wide? I know the universal answer machine (aka Google) probably knows, but my Google-foo is failing me on this one. Assuming the problem is actually that no one has done a study of this so far, I'd also be delighted to hear about any noteworthy individual campus examples which folks may happen to know about.

Thanks,
Joe St Sauver (joe () oregon uoregon edu)
http://www.uoregon.edu/~joe/
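An added example, not from the post or from Oakland University, of the "identification portion" Brian mentions: given an external abuse report (public address plus timestamp), walk the NAT translation record back to the inside DHCP lease that was active at that moment. With 1:1 NAT the public address and time are enough; with PAT/overload the translated source port is also needed, because many inside hosts share one public address. Log layout, addresses and MACs are constructed for the example.

```python
from datetime import datetime

# Constructed sample records, not taken from any real NAT or DHCP log.
# Fields: (start, end, inside_ip, inside_port, public_ip, public_port).
# A None port marks a 1:1 NAT binding; a port marks a PAT/overload binding.
NAT_LOG = [
    ("2007-04-30T10:00:00", "2007-04-30T10:20:00", "10.1.2.3", None, "203.0.113.10", None),
    ("2007-04-30T10:05:00", "2007-04-30T10:30:00", "10.1.2.4", 51000, "203.0.113.20", 40001),
    ("2007-04-30T10:06:00", "2007-04-30T10:30:00", "10.1.2.5", 51000, "203.0.113.20", 40002),
]
# Fields: (start, end, inside_ip, mac). 10.1.2.3 changed hands at 09:30,
# so the lease must be matched by time, not by address alone.
DHCP_LEASES = [
    ("2007-04-30T08:00:00", "2007-04-30T09:30:00", "10.1.2.3", "00:11:22:33:44:55"),
    ("2007-04-30T09:30:00", "2007-04-30T12:00:00", "10.1.2.3", "00:11:22:33:44:66"),
    ("2007-04-30T09:00:00", "2007-04-30T12:00:00", "10.1.2.4", "00:11:22:33:44:77"),
    ("2007-04-30T09:00:00", "2007-04-30T12:00:00", "10.1.2.5", "00:11:22:33:44:88"),
]


def _active(start, end, t):
    """True when t falls inside the half-open [start, end) record window."""
    return datetime.fromisoformat(start) <= t < datetime.fromisoformat(end)


def identify(public_ip, when, public_port=None):
    """Return (inside_ip, mac) for the host behind public_ip at time `when`.

    With 1:1 NAT the public address and a timestamp are enough. With
    PAT/overload many inside hosts share one public address, so the
    translated source port from the external report is also required;
    without it the lookup is ambiguous and refuses to guess.
    """
    t = datetime.fromisoformat(when)
    nat = [r for r in NAT_LOG
           if r[4] == public_ip and _active(r[0], r[1], t)
           and (r[5] is None or public_port is None or r[5] == public_port)]
    if len(nat) != 1:
        raise LookupError(f"{len(nat)} NAT bindings for {public_ip} at {when}; "
                          "a PAT pool needs the translated source port too")
    inside_ip = nat[0][2]
    leases = [l for l in DHCP_LEASES if l[2] == inside_ip and _active(l[0], l[1], t)]
    if len(leases) != 1:
        raise LookupError(f"{len(leases)} DHCP leases for {inside_ip} at {when}")
    return inside_ip, leases[0][3]


if __name__ == "__main__":
    print(identify("203.0.113.10", "2007-04-30T10:10:00"))         # 1:1 NAT: no port needed
    print(identify("203.0.113.20", "2007-04-30T10:10:00", 40002))  # PAT: port disambiguates
```

The same lookup against 203.0.113.20 without a port raises LookupError, which is the practical cost of NAT overload that the post alludes to.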