Educause Security Discussion mailing list archives

Re: Large edu's doing NAT campus wide?


From: Chris Allison <allisoc () MUOHIO EDU>
Date: Sun, 29 Apr 2007 15:05:29 -0400

All,

I would be interested in hearing other people's ideas concerning using a campus-wide NAT to provide additional protection. At MU we are looking at adding NAT. The idea would be that the internal address space would not be reachable from outside unless you used VPN or talked to the security guys about setting up a static IP and associated NAT map.

As you might imagine, a number of academic types don't like the idea. For the most part, they have not created a convincing argument against. My experience is they don't really come after you until after you pull the switch.

With all the devices coming onto campus, one does not have to look far to see we will have addressing problems soon. In fact, we are already having point issues and the occurrences are becoming more frequent.

We don't yet have experience with campus-wide NAT, so I would very much like to know about others. And Joe, could you send me any responses you received?

Thanks,
Chris Allison, PMP
Miami University


On Apr 28, 2007, at 9:40 PM, Randy Marchany wrote:

Doing NAT campus-wide?

You need to ask yourself the following questions:

1. What is the purpose of using NAT?
   a. To hide IP addresses?
      - Wireless makes it easy to determine the address.
   b. To address running out of IP address space?
      - Could be a good solution.
   c. Protect your systems?
      - Does NAT really add to protecting a host? Personal FW + border controls seem to be enough. Again, wireless forces you to consider its impact on this strategy.

Using NAT for security purposes doesn't really add anything to your defense posture IMHO. Wireless is the weakness. However, using it for extending IP address space might be better, but there are probably better solutions around.

Just my .02.

-Randy Marchany
VA Tech IT Security Office/Lab