Re: [fw-wiz] Stats on how common NAT is?

From: Paul D. Robertson (proberts@patriot.net)
Date: 12/15/02


From: "Paul D. Robertson" <proberts@patriot.net>
To: Michael Still <mikal@stillhq.com>
Date: Sun Dec 15 09:13:01 2002

On Sun, 15 Dec 2002, Michael Still wrote:

> Hello.
>
> I work as a software developer, and there has been some discussion at work
> as to how common NAT is in corporate environments (this affects whether we
> use DCOM or not).

It's very pervasive. I can't think of any sites I've been to in the last
year that haven't been using RFC1918 addresses. Of course, it's possible
to use proxies and not NAT the 1918 addresses, but I think everywhere
I've been where that was the plan, some exception has forced NAT into the
equation at some point in the network.

> Does anyone have any pointers on how common NAT in corporate environments
> is? Why are these people using NAT, is it solely the expense of real IPs,
> or is it also for the added security?

These days, IP space is tied to a provider, and address space management
is a pain if you don't have a large address space. Therefore, it makes
sense from an address space management perspective to NAT the traffic.

There really isn't any additional security from a conservatively
configured network with routable public addresses and one with RFC1918
addresses[1].

Anyway, I don't have any good statistics, but my gut is that it's
much better than the 85th percentile these days.

Paul

[1] My previous employer had 2 pre-CIDR Class B address spaces, as well as
a portable /23 and we used legitimate addresses internally, but you still
weren't going to route traffic from the Internet to a device that wasn't
specifically permitted to do so. The provider routing the address space
to the DMZ doesn't obligate the DMZ to route the entire address space
internally, for instance.
-----------------------------------------------------------------------------
Paul D. Robertson
proberts@patriot.net
probertson@trusecure.com
Director of Risk Assessment
TruSecure Corporation
"My statements in this message are personal opinions which may have no basis whatsoever in fact."