Firewall Wizards mailing list archives
Re: Nat Limitations?
From: Dave Piscitello <dave () corecom com>
Date: Tue, 09 Oct 2007 13:39:38 -0400
Patrick's topology is very practical.Also, you might consider using authenticating users through a proxy (or firewall) for allowed services. Depending on the proxy you use, this gives you additional granularity in policy definition, logging, and perhaps even bandwidth management.
Darden, Patrick S. wrote:
From what you have said, I am guessing you want to do this:res hall 1 res hall 2 res hall 3.... | | | \ | / huge central fwsm | | internetI am guessing you want to segment each res hall off using a single inclusive VLAN, then NAT it in a central switch or router. I think you should reconsider. Instead of NATing centrally, why not NAT on the edge? You can use multiple VLANs, one per res hall, and multiple NAT's.End result--further segmentation for better security, reduced load on your central switch or router (save the CPU for BGP and/or ACLs--and raw speed!) Individual concerns: 1. concurrent translations limitation. Not a problem with the above. 2. I weep for the RIAA. You don't have to help them. You just haveto act in accordance with applicable laws. If they give you one of their John Doe warrants with a single IP address that they claim corresponds to one person, you can tell them to be more specific dueto NAT. The burden lies on them. 3. The above topography would work better for rate limiting. Less people would be affected by one or two bandwidth hawgs. 4. Certain applications might well break. NAT tends to break UDP apps more than TCP. It also tends to interfere with servers. Your students will not be able to run servers as easily, except inside the residence halls. You might want to do this to one residence hall first to test it.There is no substitute for real-world testing--who knows what bizarre effects might occur.One problem you might not have considered is the move to IPv6. You should NOT invest this much time and effort into such a huge NAT infrastructure if you plan to move to IPv6 in the next 4 years. --p -----Original Message----- From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com]On Behalf Of jason () tacorp com Sent: Tuesday, October 09, 2007 9:03 AM To: Firewall Wizards Security Mailing List Subject: [fw-wiz] Nat Limitations? Hello,I'm interested in hearing some thoughts on a topology I'm considering in pursuing. On a mid sized college campus, we have the funding to physically segment the residence halls from the rest of the campus network. This is a huge win from a security perspective among other things. We've also begun using a separate provider for bandwidth. A long-term goal would be to hand the management of these buildings off to a company who can maintain it to reduce our headaches.So, in building it we want to make it as portable as possible. As such, NAT comes to mind so we don't have to re-number it if a different provider takes it. It also has a number of other advantages which I'm sure are well known.The problem is that I'm concerned about the number of translations that will happen in these buildings. Currently this part of the network is allocated a /19 and we estimate there are just over 4,000 residents.I see some of the pitfalls being:* The cisco FWSM is limited to 256K concurrent translations. That's only 64 per user. Bit-torrent is likely to slaughter that.* It's harder to handle RIAA complaints since everything comes from a different public address.* Rate limiting (packet shaping) is currently done at the ISP for these buildings. We'll have to move that inside (more $$) or do protocol shaping instead of by IP address.* Certain applications may break, etc. So my question is: Has anyone tried to NAT this many of a certain type of user? and Do the benefits outweight the caveats? Jason Mishka - "I'm like a Subway in a land of McDonalds..." _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Attachment:
dave.vcf
Description:
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: Allowing Internet Access to MS Project Server, (continued)
- Re: Allowing Internet Access to MS Project Server Darden, Patrick S. (Oct 03)
- Re: Allowing Internet Access to MS Project Server D Sharp (Oct 03)
- Re: Allowing Internet Access to MS Project Server Darden, Patrick S. (Oct 03)
- Re: Allowing Internet Access to MS Project Server D Sharp (Oct 03)
- Re: Allowing Internet Access to MS Project Server Paul D. Robertson (Oct 03)
- Re: Allowing Internet Access to MS Project Server jdgorin (Oct 03)
- Re: Allowing Internet Access to MS Project Server D Sharp (Oct 03)
- Re: Allowing Internet Access to MS Project Server jdgorin (Oct 04)
- Re: Allowing Internet Access to MS Project Server Darden, Patrick S. (Oct 08)
- Nat Limitations? jason (Oct 09)
- Re: Nat Limitations? Darden, Patrick S. (Oct 09)
- Re: Nat Limitations? Dave Piscitello (Oct 09)
- Re: Nat Limitations? jason (Oct 09)
- Re: Nat Limitations? Dale W. Carder (Oct 09)
- Nat Limitations? jason (Oct 09)
- Re: Allowing Internet Access to MS Project Server Darden, Patrick S. (Oct 03)