[40623] in North American Network Operators' Group


Re: NOC servers with public/private ip address

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Wed Aug 15 11:22:12 2001

Message-Id: <200108151518.f7FFIMb21816@foo-bar-baz.cc.vt.edu>
To: Jeff Gehlbach <jeffg@empire.com>
Cc: nanog@merit.edu
In-Reply-To: Your message of "Wed, 15 Aug 2001 11:07:21 EDT."
             <20010815110721.C15067@empire.com> 
From: Valdis.Kletnieks@vt.edu
Date: Wed, 15 Aug 2001 11:18:22 -0400

On Wed, 15 Aug 2001 11:07:21 EDT, you said:
> Using a NAT in a NOC situation makes audit trails harder to maintain,
> as all administrative connections to your network devices will appear
> to come from (one of) the address(es) of the NAT device.

Right.  That too - that's why I advised against it.  Choices I see
as reasonable:

1) A totally isolated management net in 1918 space.
2) A totally isolated management net in your space.
3) A firewalled management net in your space.
4) A management net in 1918 space, and a bastion host that lives in the
1918 space and your space to get stuff in/out with (no direct connections
available - copy stuff to the bastion from one side, then copy out from
the other).

Of course, for options (3) and (4) you need to have a very clear
understanding of how you are handling security for the management net.

And for options (1) and (2), you need to be careful that it *does*
stay isolated - all it takes is one router that's forwarding packets
for it to change into (3) or (4). ;)

-- 
				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech
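
An added illustration of the caveat in the message above, that an isolated management net stops being isolated as soon as one device forwards packets for it. This is not part of the original post or written by its author; the inventory format, the `forwards` flag, the device names and all addresses are constructed assumptions.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def in_rfc1918(cidr):
    """True if the whole prefix sits inside one RFC 1918 block."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(block) for block in RFC1918)

def audit(mgmt_cidr, devices):
    """Split devices that touch both nets into (leaks, dual_homed).

    leaks      - forward packets on a management-side AND an outside interface
    dual_homed - attached to both sides, but no forwarding path between them
    """
    mgmt = ipaddress.ip_network(mgmt_cidr)
    leaks, dual_homed = [], []
    for name, ifaces in devices.items():
        inside = [i for i in ifaces
                  if ipaddress.ip_interface(i["addr"]).ip in mgmt]
        outside = [i for i in ifaces if i not in inside]
        if not inside or not outside:
            continue  # single-homed: cannot bridge the two nets
        if (any(i["forwards"] for i in inside)
                and any(i["forwards"] for i in outside)):
            leaks.append(name)
        else:
            dual_homed.append(name)
    return sorted(leaks), sorted(dual_homed)

# Constructed inventory (hypothetical hosts, documentation address ranges).
MGMT_NET = "10.20.0.0/24"
INVENTORY = {
    "noc-ws1":   [{"addr": "10.20.0.5/24", "forwards": False}],
    "bastion1":  [{"addr": "10.20.0.2/24", "forwards": False},
                  {"addr": "192.0.2.10/24", "forwards": False}],
    "core-rtr1": [{"addr": "10.20.0.11/24", "forwards": False},  # mgmt-only port
                  {"addr": "198.51.100.1/30", "forwards": True}],
    "lab-rtr7":  [{"addr": "10.20.0.77/24", "forwards": True},   # misconfigured
                  {"addr": "192.0.2.77/24", "forwards": True}],
}

if __name__ == "__main__":
    leaks, dual = audit(MGMT_NET, INVENTORY)
    print("management net in RFC 1918 space:", in_rfc1918(MGMT_NET))
    print("forwarding between nets (isolation broken):", leaks)
    print("dual-homed, not forwarding (review each):", dual)
```
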


