Educause Security Discussion mailing list archives

Re: Large edu's doing NAT campus wide?


From: Justin Azoff <JAzoff () UAMAIL ALBANY EDU>
Date: Mon, 30 Apr 2007 10:03:51 -0400

Clifford Collins wrote:
Perhaps what I'm about to say should be forked to another discussion.
Unlike the subject title, we are a small edu doing NAT using the
large 10.0.0.0 private address block. As a result, I have the joy of
scanning a large, empty space on a regular basis. This is a royal
pain in the scanner.

Am I wasting my time empirically verifying that our routers and
switches aren't servicing rogue devices in the vastness of 16.7 million
possible addresses? Should I only be concerned with the few dozen class
C blocks we have assigned for official use? How do you deal with
patrolling the alleys of your network?

I do the following:
1. Dump the arp table from the router[s] to get the list of active
addresses (using netdisco). Call this set 'A'.
2. Perform a ping sweep over the class B twice a day. Call this set 'B'.

Set 'A' could be used as the input for step 2, since set 'B' is always a
subset of set 'A'.  Additionally the list obtained by taking 'A-B' are
all the machines on the network running some sort of firewall.

For doing scans, either set 'A' or 'B' can be used for targets.
Machines in set 'B' will usually be scanned faster, while machines in
set 'A-B' will take a longer time, and possibly need a different set of
parameters.  By tuning the timeout and port scan settings for the
machines you suspect are running firewalls you can greatly reduce the
time it takes to run a scan.

--
-- Justin Azoff
-- Network Performance Analyst
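The ARP-dump and ping-sweep bookkeeping Justin describes, as an added Python example (not code from the original post or from netdisco); the ARP table text and ping replies are constructed samples, and the scan profiles are assumed values standing in for the tuned timeouts the post mentions:

```python
import ipaddress
import re
# Constructed sample of a router ARP table in Cisco `show ip arp` layout; on a
# real network this is what netdisco (or the router itself) hands you.
ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.1                -   0011.2233.4455  ARPA   Vlan10
Internet  10.1.1.20               3   0011.2233.4466  ARPA   Vlan10
Internet  10.1.1.21               7   0011.2233.4477  ARPA   Vlan10
Internet  10.1.1.30              12   0011.2233.4488  ARPA   Vlan10
Internet  10.1.2.5                0   Incomplete      ARPA
"""
# Constructed result of the twice-daily ping sweep (candidate set 'B').
PING_REPLIES = ["10.1.1.1", "10.1.1.20", "10.1.3.9"]
# Assumed scan profiles: ping-responsive hosts get short timeouts; silent
# hosts are treated as up (a host firewall drops the probe) with long ones.
SCAN_PROFILES = {
    "responsive": {"host_timeout_s": 300, "assume_host_up": False},
    "silent": {"host_timeout_s": 1800, "assume_host_up": True},
}
ARP_LINE = re.compile(r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+(\S+)")

def parse_arp_table(text):
    """Set 'A': every address the router holds a resolved MAC for.
    'Incomplete' rows are skipped: the router asked and nobody answered."""
    active = set()
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m and m.group(2).lower() != "incomplete":
            active.add(ipaddress.ip_address(m.group(1)))
    return active

def classify(arp_hosts, ping_hosts, prefix):
    """Split the active hosts inside `prefix` into the post's two groups."""
    net = ipaddress.ip_network(prefix)
    a = {h for h in arp_hosts if h in net}
    replied = {h for h in map(ipaddress.ip_address, ping_hosts) if h in net}
    b = replied & a
    return {"responsive": sorted(b),       # set B: answer ping, scan fast
            "silent": sorted(a - b),       # set A-B: probably host firewalls
            # non-empty means a router was missed or the ARP dump was stale
            "unaccounted": sorted(replied - a)}

def scan_plan(groups):
    """Attach the tuned scan profile to each group, targets as strings."""
    return {n: {"targets": [str(h) for h in groups[n]], **SCAN_PROFILES[n]}
            for n in SCAN_PROFILES}
```

Hosts in `unaccounted` answered the sweep but are missing from the ARP dump, which is worth chasing before trusting set 'A' as complete.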
