[63858] in North American Network Operators' Group
Re: Block all servers?
daemon@ATHENA.MIT.EDU (Petri Helenius)
Sat Oct 11 13:09:30 2003
Date: Sat, 11 Oct 2003 20:08:54 +0300
From: Petri Helenius <pete@he.iki.fi>
To: Adam Selene <nospam@vguild.com>
Cc: nanog@merit.edu
In-Reply-To: <006c01c39019$971788f0$66160b0a@dellcpx>
Errors-To: owner-nanog-outgoing@merit.edu
Adam Selene wrote:
>>NAT is more expensive to produce, so it should be an optional
>>premium service, and that seems to be more and more the case.
>
>Not necessarily when you consider the cost (in bandwidth,
>network reliability and support staff) imposed by worms and kiddies
>from other networks scanning your IP space for unsecured machines.
NAT boxes are quite unreliable, especially large ones. If you say "put
100000 small ones instead", that really sounds like a support nightmare.
And you can filter without having NAT.
(A long time ago NAT was thought to be a security mechanism; that has
fortunately mostly died out.)
>That's not even to mention the cost imposed by compromised systems.
>Even if NAT only reduces compromised systems by 20%, that's a
>cost savings.
For the price of a large NAT box, you can buy better security mitigation
products which would allow you to get the wilful spammers, trojaned
machines, etc. which are not saved by your magic box.
>Given that most edge hardware supports NAT, the additional cost
>is nominal.
My operational experience tells quite a different story.
>Getting IP space allocation is not without cost either.
That's nothing compared to the people complaining about their applications
not working because you want to break their packets.
Pete
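The "you can filter without having NAT" point above, as an added illustration that is not part of the original thread or of any NANOG poster's message: a stateful edge filter in nftables syntax that gives routable (non-translated) customer space the one property people credit NAT with, namely that unsolicited inbound flows from the outside never reach the hosts, while return traffic for outbound flows is allowed. The interface names "wan0" and "lan0", the 192.0.2.0/24 customer prefix and the single published SSH host are assumptions made for the example; nothing here rewrites addresses or ports.

```nft
# Added example: stateful filtering with no NAT. Assumed names: wan0 (upstream),
# lan0 (customer side), 192.0.2.0/24 (routable customer prefix, RFC 5737 space).
table inet edge_filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return and related traffic for flows the inside opened: allowed.
        ct state established,related accept
        ct state invalid drop

        # Inside to outside: allow new flows only from the prefix we route,
        # which also stops spoofed-source traffic leaving the customer side.
        iifname "lan0" oifname "wan0" ip saddr 192.0.2.0/24 ct state new accept

        # Outside to inside: only explicitly published services get new flows.
        # Everything else from wan0 falls through to the drop policy, exactly
        # what a NAT box gives you as a side effect, without breaking packets.
        iifname "wan0" oifname "lan0" ip daddr 192.0.2.10 tcp dport 22 ct state new accept

        # Keep path MTU discovery and basic diagnostics working (NAT tends to
        # break these; a plain filter does not have to).
        iifname "wan0" oifname "lan0" icmp type { destination-unreachable, time-exceeded, echo-request } accept
        iifname "wan0" oifname "lan0" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, echo-request } accept
    }
}
```

Load it with `nft -f` on the router holding the two interfaces; `conntrack -L` then shows the per-flow state the forward chain relies on, and adding or removing a published service is one rule, not a port-forward plus an address rewrite.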