Slightly OT: How common is NAT?

Anthony David adavid at adavid.com.au
Mon Dec 16 10:51:46 EST 2002


Alex Satrapa <grail at goldweb.com.au> writes:

> Anthony David wrote:
> 
> >One Govt Agency got a B class allocated (they have about 400-600 IPs in
> >use). They use it for both LAN and Internet addressing and use Firewalling
> >to manage Internet traffic. Messy.
> >
> And then stated:
> 
> >IMHO, NAT is something you do as a last resort. Trouble-shooting
> >is especially exciting when one side refers to an IP and the other side
> >has a different number.
> >
> So if one option is to use real IPs, and that's messy, and the last
> resort is to use NAT (which guarantees that your private network
> addresses are unroutable, and therefore to some extent "secure" from
> mess-ups), what's in between?

Don't let your users connect directly to the Internet. There is
no real need unless they want to use chat clients etc. I have
never seen a credible business case for them. All the users' Internet
needs are met by using application proxies and mail servers.

> 
> Protocols that tell the other end what the IP is supposed to be are -
> in my mind at least - somewhat broken. The other end should be able to
> detect the source IP address, since that's included as part of the
> protocol. If you're trying to prevent man-in-the-middle attacks, use
> IPSec to certify that the connection came from someone you trust.
> 
> NAT is a great way to give your tens, hundreds or thousands of desktop
> machines access to the Internet without having to allocate each of
> them a real IP address. Using NAT and private addresses means that
> your Windows machines are no longer vulnerable to network level
> attacks from outside your network.
-- 
Anthony David

Gambling(n): A discretionary tax on those asleep during high school maths
http://adavid.com.au/
0xA72CE1ED fingerprint = EA1E C69E FE59 BBE1 AA4B  F354 BD09 9765 A72C E1ED