nanog mailing list archives

Re: NOC servers with public/private ip address


From: Valdis.Kletnieks () vt edu
Date: Wed, 15 Aug 2001 11:18:22 -0400

On Wed, 15 Aug 2001 11:07:21 EDT, you said:
> Using a NAT in a NOC situation makes audit trails harder to maintain,
> as all administrative connections to your network devices will appear
> to come from (one of) the address(es) of the NAT device.

Right.  That too - that's why I advised against it.  Choices I see
as reasonable:

1) A totally isolated management net in 1918 space.
2) A totally isolated management net in your space.
3) A firewalled management net in your space.
4) A management net in 1918 space, and a bastion host that lives in the
1918 space and your space to get stuff in/out with (no direct connections
available - copy stuff to the bastion from one side, then copy out from
the other).

Of course, for options (3) and (4) you need to have a very clear
understanding of how you are handling security for the management net.

And for options (1) and (2), you need to be careful that it *does*
stay isolated - all it takes is one router that's forwarding packets
for it to change into (3) or (4). ;)

-- 
                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech
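The audit-trail problem raised in the quoted text, as an added example that is not part of the thread: when management hosts reach devices through a NAT, every device login carries the NAT's outside address, so attribution depends entirely on keeping the NAT's own translation log and correlating it by outside port and time. The log formats, addresses and hostnames below are constructed for the example; the matching rule (same outside ip:port, most recent translation created at or before the login within a short window) is an assumption about how a typical translation log can be joined to a device log.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input (not from the thread): what the managed devices log.
# Every login carries the NAT's outside address, so the devices alone cannot
# tell the management hosts apart.
DEVICE_LOGINS = [
    "2001-08-15T11:00:05 rtr1 sshd: login from 192.0.2.10:40001 user=admin",
    "2001-08-15T11:03:12 rtr2 sshd: login from 192.0.2.10:40002 user=admin",
    "2001-08-15T11:05:40 rtr1 sshd: login from 192.0.2.10:40003 user=admin",
    "2001-08-15T11:09:01 rtr3 sshd: login from 192.0.2.10:40009 user=admin",
]

# Constructed sample input: the NAT device's translation log (inside -> outside).
# There is deliberately no entry for port 40009; that login stays unattributable.
NAT_LOG = [
    "2001-08-15T11:00:04 nat: 10.0.0.5:51234 -> 192.0.2.10:40001 proto=tcp",
    "2001-08-15T11:03:11 nat: 10.0.0.7:51500 -> 192.0.2.10:40002 proto=tcp",
    "2001-08-15T11:05:39 nat: 10.0.0.5:51600 -> 192.0.2.10:40003 proto=tcp",
]

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) sshd: login from "
    r"(?P<ip>[\d.]+):(?P<port>\d+) user=(?P<user>\S+)$"
)
NAT_RE = re.compile(
    r"^(?P<ts>\S+) nat: (?P<in_ip>[\d.]+):(?P<in_port>\d+) -> "
    r"(?P<out_ip>[\d.]+):(?P<out_port>\d+) proto=(?P<proto>\w+)$"
)


def parse_logins(lines):
    """Parse device login lines into dicts; malformed lines are skipped."""
    out = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            d["port"] = int(d["port"])
            out.append(d)
    return out


def parse_nat(lines):
    """Parse NAT translation lines into dicts; malformed lines are skipped."""
    out = []
    for line in lines:
        m = NAT_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            d["out_port"] = int(d["out_port"])
            out.append(d)
    return out


def distinct_sources(logins):
    """Source addresses as the devices saw them; behind a NAT this collapses to one."""
    return {l["ip"] for l in logins}


def attribute(logins, nat_entries, window=timedelta(seconds=60)):
    """Map each login back to the inside host that owned the outside port.

    A translation matches if it has the same outside (ip, port) and was
    created at or before the login, no more than `window` earlier. The most
    recent such translation wins, because outside ports are reused over time.
    Returns a list of (device, user, inside_ip_or_None).
    """
    result = []
    for login in logins:
        best = None
        for t in nat_entries:
            if (t["out_ip"], t["out_port"]) != (login["ip"], login["port"]):
                continue
            age = login["ts"] - t["ts"]
            if timedelta(0) <= age <= window and (best is None or t["ts"] > best["ts"]):
                best = t
        result.append((login["device"], login["user"], best["in_ip"] if best else None))
    return result


if __name__ == "__main__":
    logins = parse_logins(DEVICE_LOGINS)
    print("sources seen by devices:", distinct_sources(logins))
    for device, user, inside in attribute(logins, parse_nat(NAT_LOG)):
        print(f"{device} {user}: {inside or 'UNATTRIBUTED'}")
```

Run stand-alone it shows the two halves of the point: `distinct_sources` returns the single NAT address for all four logins, and `attribute` recovers the real management host only where a translation record exists, leaving the fourth login unattributed. That gap is exactly what the options in the reply above avoid, since on a directly routed or firewalled management net the device log already carries the real source.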
