Educause Security Discussion mailing list archives
Large edu's doing NAT campus wide?
From: Marcos Vieyra <Mvieyra () GWM SC EDU>
Date: Mon, 30 Apr 2007 09:20:37 -0400
Joe, I have often thought of presenting at the EDUCAUSE Security conference on this exact topic, but can't seem to find the time to actually create a presentation.

We use NAT extensively on our campus, and it is a *very* mixed bag. Specifically, we are using it in our residence halls, our wireless networks, and in other locations throughout our campus. From my perspective, it creates some really big problems. The biggest problem for me is the colossal chore it then becomes to *try* to locate machines on the network when they are reported to us by external agencies. A great example of such reports would be DMCA complaints.

To be fair, there are ways one could use NAT on a campus and *not* have these problems. It would require careful planning, extensive logging and retention of those logs for a fixed period of time, and the infrastructure to support that level of logging. On a campus of our size, these logs grow really fast, and the device(s) handling the translation need to be very strong.
From a security perspective, I agree with Randy. I am not convinced that NAT adds any meaningful measure of security. We already have border firewalls, so anything that isn't explicitly allowed through will not directly reach our hosts (NAT'd or not). Once one of your externally facing hosts is compromised, the attacker typically gains access to the inside of your network, where you likely route RFC 1918 address space. NAT buys you obscurity, not security.

So why do we use NAT? I'm not entirely sure, but it was more than likely an IP address saving/recovery scheme. I think someone decided that it was easier to use NAT than to try to recover wasted address space in our class B.
> Hi,
>
> Is anyone aware of a study of large edu's who are doing NAT campus wide? I know the universal answer machine (aka Google) probably knows, but my Google-foo is failing me on this one.
>
> Assuming the problem is actually that no one has done a study of this so far, I'd also be delighted to hear about any noteworthy individual campus examples which folks may happen to know about.
>
> Thanks,
>
> Joe St Sauver (joe () oregon uoregon edu)
> http://www.uoregon.edu/~joe/
--
Marcos Vieyra
Information Security Manager
University of South Carolina
803.777.4685
marcos () sc edu
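The "careful planning, extensive logging" Marcos describes comes down to one lookup: given the public IP, port and timestamp quoted in a DMCA notice, find which translation was active at that moment and then which host held the inside address. The script below is an added example, not code from the thread or from any campus; the NAT build/teardown log, the DHCP lease log and their line formats are constructed for the example and do not follow any vendor's syntax. It shows why the port and the exact time window are needed (the same public port is reused by a second host shortly after the first flow is torn down), why a complaint's local-time stamp has to be converted to the log's time zone, and why a notice that omits the port can only yield a list of candidates.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed, hypothetical log formats (no vendor's syntax). Public port
# 40001 is reused by a second inside host shortly after the first flow is
# torn down, so a public IP and timestamp alone cannot identify the host.
NAT_LOG = """\
2007-04-28T14:01:10Z nat BUILD tcp 10.20.3.17:51234 -> 203.0.113.10:40001
2007-04-28T14:05:00Z nat BUILD udp 10.20.3.17:6881 -> 203.0.113.10:40002
2007-04-28T14:09:55Z nat TEARDOWN tcp 10.20.3.17:51234 -> 203.0.113.10:40001
2007-04-28T14:10:30Z nat BUILD tcp 10.20.7.88:60010 -> 203.0.113.10:40001
2007-04-28T14:30:02Z nat TEARDOWN tcp 10.20.7.88:60010 -> 203.0.113.10:40001
"""
# Constructed DHCP lease log: inside address -> MAC for a lease window.
DHCP_LOG = """\
2007-04-28T08:00:00Z dhcp LEASE 10.20.3.17 00:11:22:33:44:55 until 2007-04-28T20:00:00Z
2007-04-28T13:50:00Z dhcp LEASE 10.20.7.88 66:77:88:99:aa:bb until 2007-04-29T01:50:00Z
"""
NAT_RE = re.compile(r"^(\S+) nat (BUILD|TEARDOWN) (tcp|udp) (\S+):(\d+) -> (\S+):(\d+)$")
DHCP_RE = re.compile(r"^(\S+) dhcp LEASE (\S+) (\S+) until (\S+)$")


def parse_ts(s: str) -> datetime:
    """ISO 8601 with an offset; the log uses 'Z', a complaint may carry any offset."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


@dataclass
class Translation:
    proto: str
    inside_ip: str
    inside_port: int
    outside_ip: str
    outside_port: int
    start: datetime
    end: Optional[datetime]  # None: no teardown logged, treat as still active


def parse_nat_log(text: str) -> list:
    """Pair BUILD and TEARDOWN records into translations with a lifetime."""
    open_flows, closed = {}, []
    for line in text.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue
        ts, event, proto, iip, iport, oip, oport = m.groups()
        key = (proto, iip, int(iport), oip, int(oport))
        if event == "BUILD":
            open_flows[key] = Translation(*key, parse_ts(ts), None)
        elif key in open_flows:
            t = open_flows.pop(key)
            t.end = parse_ts(ts)
            closed.append(t)
    return closed + list(open_flows.values())


def find_translations(translations, outside_ip, when, outside_port=None, proto=None,
                      slop=timedelta(minutes=2)):
    """Translations of the public tuple active at `when`; `slop` absorbs clock skew.
    With no port (as in many complaints) several inside hosts may match."""
    hits = []
    for t in translations:
        if t.outside_ip != outside_ip or (outside_port and t.outside_port != outside_port):
            continue
        if (proto and t.proto != proto) or when < t.start - slop:
            continue
        if t.end is not None and when > t.end + slop:
            continue
        hits.append(t)
    return hits


def mac_for(dhcp_text: str, inside_ip: str, when: datetime) -> Optional[str]:
    """MAC that held `inside_ip` at `when` per the lease log (None if no lease covers it)."""
    for line in dhcp_text.splitlines():
        m = DHCP_RE.match(line)
        if m and m.group(2) == inside_ip and parse_ts(m.group(1)) <= when <= parse_ts(m.group(4)):
            return m.group(3)
    return None


def resolve_complaint(outside_ip, when_iso, outside_port=None, proto=None):
    """Map a report to sorted (inside IP, inside port, MAC) candidates; [] means untraceable."""
    when = parse_ts(when_iso)
    hits = find_translations(parse_nat_log(NAT_LOG), outside_ip, when, outside_port, proto)
    return sorted({(t.inside_ip, t.inside_port, mac_for(DHCP_LOG, t.inside_ip, when)) for t in hits})


if __name__ == "__main__":
    # A notice quoting US Eastern daylight time: 10:05 -04:00 is 14:05 UTC.
    print(resolve_complaint("203.0.113.10", "2007-04-28T10:05:00-04:00", 40001, "tcp"))
    # The same public port twenty minutes later belongs to a different host.
    print(resolve_complaint("203.0.113.10", "2007-04-28T14:20:00Z", 40001, "tcp"))
    # Port omitted: two inside hosts were behind this address, so it is ambiguous.
    print(resolve_complaint("203.0.113.10", "2007-04-28T14:20:00Z"))
```

The two-minute `slop` is the practical compromise: a query that lands on the boundary where one flow is torn down and the next host takes the same port returns both hosts rather than silently picking one, which is the honest answer. On a real campus the same lookup has to cover every translation device, the DHCP and any 802.1X or switch-port logs that map an address to a person, and the retention period of all of them has to exceed the delay with which complaints arrive.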
Current thread:
- Re: Large edu's doing NAT campus wide?, (continued)
- Re: Large edu's doing NAT campus wide? Scott O. Bradner (Apr 28)
- Re: Large edu's doing NAT campus wide? Randy Marchany (Apr 28)
- Re: Large edu's doing NAT campus wide? Randall C Grimshaw (Apr 29)
- Re: Large edu's doing NAT campus wide? Jeff Murphy (Apr 29)
- Re: Large edu's doing NAT campus wide? Joe St Sauver (Apr 29)
- Re: Large edu's doing NAT campus wide? Chris Allison (Apr 29)
- Re: Large edu's doing NAT campus wide? Kenneth Arnold (Apr 29)
- Re: Large edu's doing NAT campus wide? Russell Fulton (Apr 29)
- Re: Large edu's doing NAT campus wide? Cal Frye (Apr 29)
- Re: Large edu's doing NAT campus wide? Jeff Kell (Apr 29)
- Large edu's doing NAT campus wide? Marcos Vieyra (Apr 30)
- Re: Large edu's doing NAT campus wide? Clifford Collins (Apr 30)
- Re: Large edu's doing NAT campus wide? Justin Azoff (Apr 30)
- Re: Large edu's doing NAT campus wide? Roger Safian (Apr 30)
- Re: Large edu's doing NAT campus wide? Brian Paige (Apr 30)
- Re: Large edu's doing NAT campus wide? John Ladwig (Apr 30)
- Re: Large edu's doing NAT campus wide? John Ladwig (Apr 30)
- Re: Large edu's doing NAT campus wide? Kevin Shalla (May 02)
- Re: Large edu's doing NAT campus wide? David A Lundy (May 02)
- Re: Large edu's doing NAT campus wide? John Ladwig (May 02)