Firewall Wizards mailing list archives

Re: Nat Limitations?


From: "Darden, Patrick S." <darden () armc org>
Date: Tue, 9 Oct 2007 10:03:28 -0400


From what you have said, I am guessing you want to do this:

res hall 1      res hall 2      res hall 3....
        |               |               |
         \              |            /
                huge central fwsm
                        |
                        |
                   internet

I am guessing you want to segment each res hall off using a single 
inclusive VLAN, then NAT it in a central switch or router.  I think 
you should reconsider.  Instead of NATing centrally, why not NAT on 
the edge?  You can use multiple VLANs, one per res hall, and multiple 
NATs.

End result--further segmentation for better security, reduced load
on your central switch or router (save the CPU for BGP and/or
ACLs--and raw speed!)

Individual concerns:

1.  concurrent translations limitation.  Not a problem with the above.
2.  I weep for the RIAA.  You don't have to help them.  You just have
to act in accordance with applicable laws.  If they give you one of 
their John Doe warrants with a single IP address that they claim 
corresponds to one person, you can tell them to be more specific due
to NAT.  The burden lies on them.
3.  The above topography would work better for rate limiting.  Fewer
people would be affected by one or two bandwidth hawgs.
4.  Certain applications might well break.  NAT tends to break UDP
apps more than TCP.  It also tends to interfere with servers.  Your
students will not be able to run servers as easily, except inside
the residence halls.

You might want to do this to one residence hall first to test it.
There is no substitute for real-world testing--who knows what 
bizarre effects might occur.

One problem you might not have considered is the move to IPv6.  You
should NOT invest this much time and effort into such a huge
NAT infrastructure if you plan to move to IPv6 in the next 4 years.

--p


-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com
[mailto:firewall-wizards-bounces () listserv icsalabs com]On Behalf Of
jason () tacorp com
Sent: Tuesday, October 09, 2007 9:03 AM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] Nat Limitations?


Hello,

I'm interested in hearing some thoughts on a topology I'm considering in 
pursuing.  On a mid-sized college campus, we have the funding to 
physically segment the residence halls from the rest of the campus 
network.  This is a huge win from a security perspective among other 
things.  We've also begun using a separate provider for bandwidth.  A 
long-term goal would be to hand the management of these buildings off to a 
company who can maintain it to reduce our headaches.

So, in building it we want to make it as portable as possible.  As such, 
NAT comes to mind so we don't have to re-number it if a different provider 
takes it.  It also has a number of other advantages which I'm sure are 
well known.

The problem is that I'm concerned about the number of translations that 
will happen in these buildings.  Currently this part of the network is 
allocated a /19 and we estimate there are just over 4,000 residents.

I see some of the pitfalls being:

* The cisco FWSM is limited to 256K concurrent translations.  That's only 
64 per user.  Bit-torrent is likely to slaughter that.

* It's harder to handle RIAA complaints since everything comes from a 
different public address.

* Rate limiting (packet shaping) is currently done at the ISP for these 
buildings.  We'll have to move that inside (more $$) or do protocol 
shaping instead of by IP address.

* Certain applications may break, etc.

So my question is:

Has anyone tried to NAT this many of a certain type of user?

and

Do the benefits outweigh the caveats?



Jason Mishka - "I'm like a Subway in a land of McDonalds..."
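Two of the concerns above (attributing a complaint that names one public IP, and sizing the concurrent-translation budget) are really questions about NAT translation logging. The script below is an added example, not code from either poster or from any Cisco product: it assumes a hypothetical per-hall NAT device that logs create/delete events in a simple key=value line format (the log lines are constructed), pairs them into translations, answers "which inside host held outside ip:port at time T", and reports the per-hall high-water mark of simultaneous translations so you can compare it against a device limit such as the 256K figure mentioned in the thread.

```python
"""Added example: answering complaints and sizing NAT from translation logs.

Assumes a hypothetical per-hall NAT that logs one line per translation
create/delete event. The format and the log lines are constructed for
this example; real devices log differently.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample log (not real data). Note the outside port 40001 on
# 198.51.100.7 is reused by a second inside host after the first closes,
# which is exactly why a complaint needs a timestamp, not just an IP.
SAMPLE_LOG = """\
2007-10-09T09:00:00Z hall=res1 proto=tcp inside=10.1.0.42:51234 outside=198.51.100.7:40001 event=create
2007-10-09T09:00:05Z hall=res1 proto=udp inside=10.1.0.77:6881 outside=198.51.100.7:40002 event=create
2007-10-09T09:01:00Z hall=res2 proto=tcp inside=10.2.0.9:33000 outside=198.51.100.8:40001 event=create
2007-10-09T09:02:00Z hall=res1 proto=tcp inside=10.1.0.42:51234 outside=198.51.100.7:40001 event=delete
2007-10-09T09:02:30Z hall=res1 proto=tcp inside=10.1.0.13:50000 outside=198.51.100.7:40001 event=create
2007-10-09T09:03:00Z hall=res1 proto=udp inside=10.1.0.77:6881 outside=198.51.100.7:40002 event=delete
"""


@dataclass
class Translation:
    hall: str
    proto: str
    inside: str            # "ip:port" on the residence-hall side
    outside: str           # "ip:port" as seen by the Internet
    start: datetime
    end: Optional[datetime] = None   # None = still open at end of log


def _ts(s: str) -> datetime:
    """Parse the constructed ISO-8601 UTC timestamp used in the sample log."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text: str) -> list[Translation]:
    """Pair create/delete events into Translation records."""
    open_by_key: dict[tuple, Translation] = {}
    done: list[Translation] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        key = (kv["hall"], kv["proto"], kv["outside"])
        if kv["event"] == "create":
            open_by_key[key] = Translation(kv["hall"], kv["proto"],
                                           kv["inside"], kv["outside"], _ts(ts))
        elif kv["event"] == "delete":
            t = open_by_key.pop(key, None)
            if t is not None:
                t.end = _ts(ts)
                done.append(t)
    done.extend(open_by_key.values())   # translations still open at end of log
    return done


def lookup(translations: list[Translation], proto: str, outside: str, when: str) -> list[str]:
    """Inside endpoints that held `outside` (ip:port) for `proto` at time `when`."""
    w = _ts(when)
    return [t.inside for t in translations
            if t.proto == proto and t.outside == outside
            and t.start <= w and (t.end is None or w < t.end)]


def peak_concurrent(translations: list[Translation]) -> dict[str, int]:
    """High-water mark of simultaneous translations per hall (sweep line)."""
    events = []
    for t in translations:
        events.append((t.start, 1, t.hall))
        if t.end is not None:
            events.append((t.end, -1, t.hall))
    # At the same instant, process deletes (-1) before creates (+1).
    events.sort(key=lambda e: (e[0], e[1]))
    cur: dict[str, int] = {}
    peak: dict[str, int] = {}
    for _, delta, hall in events:
        cur[hall] = cur.get(hall, 0) + delta
        peak[hall] = max(peak.get(hall, 0), cur[hall])
    return peak


if __name__ == "__main__":
    xlates = parse_log(SAMPLE_LOG)
    # A complaint naming 198.51.100.7:40001 resolves differently depending on time.
    print(lookup(xlates, "tcp", "198.51.100.7:40001", "2007-10-09T09:01:30Z"))
    print(lookup(xlates, "tcp", "198.51.100.7:40001", "2007-10-09T09:02:45Z"))
    print(peak_concurrent(xlates))
```

With per-hall NAT, the public address already tells you which hall's log to search, and the lookup narrows a complaint to one inside endpoint only when the complainant supplies protocol, port and an accurate timestamp; without those, the same public IP:port legitimately maps to several hosts over a day, which is the point Patrick makes about the burden being on the complainant. The peak figures are what you would compare against a device's translation limit when deciding how many halls one NAT box can serve.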

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards