[112640] in North American Network Operators' Group


Re: Dynamic IP log retention = 0?

daemon@ATHENA.MIT.EDU (Mike Lewinski)
Wed Mar 11 17:54:26 2009

Date: Wed, 11 Mar 2009 15:54:14 -0600
From: Mike Lewinski <mike@rockynet.com>
To: Joe Greco <jgreco@ns.sol.net>
In-Reply-To: <200903112132.n2BLWHBv006094@aurora.sol.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org

Joe Greco wrote:
>> A quick scan of the reverse mapping for your address space in DNS reveals
>> that you have basically your entire network on public addresses.  No wonder
>> you're worried about portscans when the printer down the hall and the
>> receptionist's machine are sitting on public addresses.  I think you are
>> trying to secure your network from the wrong end here.
> 
> Your idea of "security" is strange and unrealistic.
> 
> Putting all of your network behind NAT is not a guarantee of security.

Amen. Our NOCS workstations all use public IP addresses that are routed 
through a firewall. The firewall applies appropriate policies that would 
be functionally no different from applying the same policies to NAT'd 
hosts. In our environment, we'd gain absolutely nothing from a security 
perspective by enabling NAT.

But it does help ensure that poorly designed applications don't require 
proxies to support them through NAT (SIP, FTP, etc.). And we'll never have 
problems with a partner VPN conflicting with our internal IP space.

Mike
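As an added illustration (not part of Mike's post or anyone's production config), here is an nftables ruleset of the kind his argument implies: workstations on public addresses behind a stateful, default-deny forward chain end up with the same inbound exposure a NAT'd LAN has. The prefix 203.0.113.0/24 (documentation space) and the interface names lan0/wan0 are constructed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original post. Stateful default-deny
# policy for a LAN of publicly addressed workstations. 203.0.113.0/24
# (TEST-NET-3) and the interface names are constructed placeholders.
flush ruleset

table inet edge {
    set noc_lan {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/24 }
    }

    chain forward {
        # Chain policy does the work: anything not explicitly accepted
        # below is dropped, which is the inbound behaviour NAT gives
        # implicitly through its translation table.
        type filter hook forward priority filter; policy drop;

        # Drop packets conntrack cannot classify (bad TCP flags, etc.).
        ct state invalid drop

        # Replies to connections the workstations opened come back in,
        # just as a NAT would map them back through its table.
        ct state established,related accept

        # Anti-spoofing: our own prefix must never arrive from the WAN.
        iifname "wan0" ip saddr @noc_lan drop

        # Workstations may initiate outbound connections.
        iifname "lan0" ip saddr @noc_lan ct state new accept

        # Unsolicited inbound to the LAN is logged, then dropped.
        # Nothing on 203.0.113.0/24 is reachable from outside unless a
        # later rule deliberately opens it (e.g. a specific service).
        iifname "wan0" ip daddr @noc_lan ct state new \
            log prefix "noc-inbound-drop " drop
    }
}
```

The operational difference from NAT is that a single misordered accept rule can expose a public host directly, so the forward chain and its policy, rather than a translation table, are what need auditing and log review.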

