Re: [fw-wiz] Stats on how common NAT is?

From: Paul D. Robertson (proberts@patriot.net)
Date: 12/15/02


From: "Paul D. Robertson" <proberts@patriot.net>
To: Michael Still <mikal@stillhq.com>
Date: Sun Dec 15 09:13:01 2002

On Sun, 15 Dec 2002, Michael Still wrote:

> Hello.
>
> I work as a software developer, and there has been some discussion at work
> as to how common NAT is in corporate environments (this affects whether we
> use DCOM or not).

It's very pervasive. I can't think of any sites I've been to in the last
year that haven't been using RFC1918 addresses. Of course, it's possible
to use proxies and not NAT the 1918 addresses, but I think everywhere
I've been where that was the plan, some exception has forced NAT into the
equation at some point in the network.

> Does anyone have any pointers on how common NAT in corporate environments
> is? Why are these people using NAT, is it solely the expense of real IPs,
> or is it also for the added security?

These days, IP space is tied to a provider, and address space management
is a pain if you don't have a large address space. Therefore, it makes
sense from an address space management perspective to NAT the traffic.

There really isn't any additional security from a conservatively
configured network with routable public addresses and one with RFC1918
addresses[1].

Anyway, I don't have any good statistics, but my gut is that it's
much better than the 85th percentile these days.

Paul
[1] My previous employer had 2 pre-CIDR Class B address spaces, as well as
a portable /23 and we used legitimate addresses internally, but you still
weren't going to route traffic from the Internet to a device that wasn't
specifically permitted to do so. The provider routing the address space
to the DMZ doesn't obligate the DMZ to route the entire address space
internally, for instance.
-----------------------------------------------------------------------------
Paul D. Robertson         "My statements in this message are personal opinions
proberts@patriot.net       which may have no basis whatsoever in fact."
probertson@trusecure.com  Director of Risk Assessment, TruSecure Corporation
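The footnote's point, that a conservatively configured border with routable addresses inside is no less protected than an RFC1918-plus-NAT one, as an added example that is not part of the post above. It is a small Python model of a stateful default-deny filter: outbound flows are tracked, inbound traffic is accepted only as a reply to a tracked flow or to an explicitly published service, and everything else is dropped. The prefixes, hosts, ports and the "Internet" peer are constructed from documentation address space (TEST-NET-1 stands in for a routable internal block, TEST-NET-3 for an outside host), not the networks the post describes. The same traffic is replayed against the routable block and against 10.0.0.0/8 to show that the policy, not the address family, decides what gets in.

```python
"""Model of a "conservatively configured" border filter: default-deny
inbound, stateful outbound, explicit list of published services.
Constructed illustration; all prefixes and hosts are documentation addresses."""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

Key = Tuple[str, str, str, int, int]          # src, dst, proto, sport, dport


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str         # "tcp" or "udp"
    sport: int
    dport: int
    new: bool = False  # True for a TCP SYN without ACK, i.e. a fresh connection attempt


class BorderFilter:
    """Single policy point between the inside prefix and everything else."""

    def __init__(self, inside: str, published: Set[Tuple[str, str, int]]):
        self.inside = ipaddress.ip_network(inside)
        self.published = set(published)   # (dst_ip, proto, dst_port) reachable from outside
        self.conntrack: Set[Key] = set()  # flows that an inside host initiated

    def decide(self, pkt: Packet) -> str:
        src_in = ipaddress.ip_address(pkt.src) in self.inside
        dst_in = ipaddress.ip_address(pkt.dst) in self.inside
        if src_in and not dst_in:
            # Outbound: allow and remember the flow so its replies can return.
            self.conntrack.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
            return "ACCEPT"
        if dst_in and not src_in:
            # Inbound: only replies to tracked flows or explicitly published services.
            reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
            if reverse in self.conntrack and not pkt.new:
                return "ACCEPT"
            if (pkt.dst, pkt.proto, pkt.dport) in self.published:
                return "ACCEPT"
            return "DROP"
        # Inside-to-inside never reaches the border; outside-to-outside is not ours to forward.
        return "DROP"


def run_scenario(inside: str) -> List[Tuple[str, str]]:
    """Replay one constructed traffic trace against a filter guarding `inside`."""
    net = ipaddress.ip_network(inside)
    mail, web, desktop = str(net[10]), str(net[11]), str(net[50])
    fw = BorderFilter(inside, {(mail, "tcp", 25), (web, "tcp", 80)})
    ext = "203.0.113.7"   # TEST-NET-3, stands in for an arbitrary Internet host
    trace = [
        ("desktop opens HTTPS to ext", Packet(desktop, ext, "tcp", 40000, 443, new=True)),
        ("ext answers that HTTPS flow", Packet(ext, desktop, "tcp", 443, 40000)),
        ("ext connects to published SMTP", Packet(ext, mail, "tcp", 51000, 25, new=True)),
        ("ext probes desktop SMB", Packet(ext, desktop, "tcp", 51001, 445, new=True)),
        ("ext probes SSH on web host", Packet(ext, web, "tcp", 51002, 22, new=True)),
        ("ext sends unsolicited 'reply'", Packet(ext, desktop, "tcp", 443, 40001)),
    ]
    return [(label, fw.decide(pkt)) for label, pkt in trace]


def verdicts(inside: str) -> List[str]:
    return [verdict for _, verdict in run_scenario(inside)]


def same_policy_regardless_of_prefix() -> bool:
    """Routable block (TEST-NET-1 standing in) vs RFC1918 block: identical outcome."""
    return verdicts("192.0.2.0/24") == verdicts("10.0.0.0/8")


if __name__ == "__main__":
    for label, verdict in run_scenario("192.0.2.0/24"):
        print(f"{verdict:6} {label}")
    print("same verdicts with 10.0.0.0/8:", same_policy_regardless_of_prefix())
```

Running it prints ACCEPT for the outbound HTTPS flow, its reply and the published SMTP port, and DROP for the SMB probe, the SSH probe and the forged reply; swapping the inside prefix for 10.0.0.0/8 changes nothing. That is the footnote's argument in miniature: the provider routing a whole block to your border does not oblige the border to forward any of it inward, and a packet filter with connection tracking (what iptables/nftables conntrack does in practice) enforces exactly that without translating a single address.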
