Firewall Wizards mailing list archives

Re: NAT for public IPs


From: "Randy Grimshaw" <rgrimsha () syr edu>
Date: Fri, 28 Jan 2005 12:01:26 -0500

I will chime in here with the implementation that we have done.

As a university with a high periodic influx of new machines, we have
defined 2 additional private networks as helper addresses on our routers
for each production subnet. Private networks are routable on the LAN but
not on the internet. We have additional ACLs in place that fully isolate
the private networks save the desired exceptions such as registration
and software update servers. To avoid OSPF miscalculations each backbone
router uses a different class B network assignment for hosted private
networks - these routes are defined statically.

DHCP assigns clients to one of the 2 private networks for unregistered
and quarantined systems respectively. In the case of Windows OS, the
registration is performed by software distributed on CD that pre-scans
the machines. As part of the IP management system, router ARP histories
are collected hourly that, among other things, tell us when someone is
accessing the network improperly. It is not quite in the class of
Bradford software CAT or Northwestern/UB NetPass but we cannot yet
support VLANs to the desktop enterprise wide. This could also be
expanded to wireless if we wanted to.

<><Randy



<><Randall Grimshaw
Room 203 Machinery Hall
Syracuse University
Syracuse, NY   13244
315-443-5779
rgrimsha () syr edu
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
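The hourly ARP-history check described in the post above, as an added example that is not Randy's code or Syracuse's IP management system. It assumes a Cisco-style `show ip arp` dump, a documentation range 192.0.2.0/24 as the production subnet, 10.10.1.0/24 and 10.20.1.0/24 as the constructed unregistered and quarantine helper networks, and small constructed registration and quarantine lists in place of the real database.

```python
import ipaddress
import re

# Constructed sample of a router ARP dump (Cisco "show ip arp" layout assumed).
ARP_SNAPSHOT = """\
Internet  192.0.2.10   5   0011.2233.4455  ARPA  Vlan10
Internet  192.0.2.77   2   0011.2233.9999  ARPA  Vlan10
Internet  192.0.2.88   0   00aa.bbcc.dd02  ARPA  Vlan10
Internet  10.10.1.20   1   00aa.bbcc.dd01  ARPA  Vlan10
Internet  10.20.1.5    0   00aa.bbcc.dd03  ARPA  Vlan10
"""
# Constructed previous hour's dump, used to spot newly appearing hosts.
PREV_SNAPSHOT = "Internet  192.0.2.10   5   0011.2233.4455  ARPA  Vlan10\n"

# Assumed addressing: production subnet plus the two private helper networks.
PRODUCTION = ipaddress.ip_network("192.0.2.0/24")
UNREGISTERED_NET = ipaddress.ip_network("10.10.1.0/24")
QUARANTINE_NET = ipaddress.ip_network("10.20.1.0/24")

# Constructed stand-ins for the registration database and the quarantine list.
REGISTERED_MACS = {"0011.2233.4455"}
QUARANTINED_MACS = {"00aa.bbcc.dd02", "00aa.bbcc.dd03"}

ARP_LINE = re.compile(
    r"^Internet\s+(\S+)\s+\S+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA", re.I)


def parse_arp(text):
    """Yield (ip, mac) pairs from an ARP table dump, skipping non-entry lines."""
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            yield ipaddress.ip_address(m.group(1)), m.group(2).lower()


def audit(snapshot):
    """Return (mac, ip, reason) for hosts seen on the production subnet that
    should still be confined to one of the private helper networks."""
    findings = []
    for ip, mac in parse_arp(snapshot):
        if ip not in PRODUCTION:
            continue  # helper-network addresses are where such hosts belong
        if mac in QUARANTINED_MACS:
            findings.append((mac, str(ip), "quarantined host reached production subnet"))
        elif mac not in REGISTERED_MACS:
            findings.append((mac, str(ip), "unregistered host on production subnet"))
    return findings


def new_hosts(previous, current):
    """Return (ip, mac) pairs present in this hour's dump but not the last one."""
    seen = set(parse_arp(previous))
    return sorted((str(ip), mac) for ip, mac in parse_arp(current) if (ip, mac) not in seen)
```

A host that statically configures a production address to escape the quarantine network shows up in `audit`, which is the case plain DHCP assignment cannot catch on its own.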