Re: [fw-wiz] Nat Limitations?



Patrick's topology is very practical.

Also, you might consider using authenticating users through a proxy (or firewall) for allowed services. Depending on the proxy you use, this gives you additional granularity in policy definition, logging, and perhaps even bandwidth management.


Darden, Patrick S. wrote:
From what you have said, I am guessing you want to do this:

res hall 1 res hall 2 res hall 3....
| | |
\ | /
huge central fwsm
|
|
internet

I am guessing you want to segment each res hall off using a single inclusive VLAN, then NAT it in a central switch or router. I think you should reconsider. Instead of NATing centrally, why not NAT on the edge? You can use multiple VLANs, one per res hall, and multiple NAT's.

End result--further segmentation for better security, reduced load
on your central switch or router (save the CPU for BGP and/or
ACLs--and raw speed!)

Individual concerns:

1. concurrent translations limitation. Not a problem with the above.
2. I weep for the RIAA. You don't have to help them. You just have
to act in accordance with applicable laws. If they give you one of their John Doe warrants with a single IP address that they claim corresponds to one person, you can tell them to be more specific due
to NAT. The burden lies on them.
3. The above topography would work better for rate limiting. Less
people would be affected by one or two bandwidth hawgs.
4. Certain applications might well break. NAT tends to break UDP
apps more than TCP. It also tends to interfere with servers. Your
students will not be able to run servers as easily, except inside
the residence halls.

You might want to do this to one residence hall first to test it.
There is no substitute for real-world testing--who knows what bizarre effects might occur.

One problem you might not have considered is the move to IPv6. You
should NOT invest this much time and effort into such a huge
NAT infrastructure if you plan to move to IPv6 in the next 4 years.

--p


-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx]On Behalf Of
jason@xxxxxxxxxx
Sent: Tuesday, October 09, 2007 9:03 AM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] Nat Limitations?


Hello,

I'm interested in hearing some thoughts on a topology I'm considering in pursuing. On a mid sized college campus, we have the funding to physically segment the residence halls from the rest of the campus network. This is a huge win from a security perspective among other things. We've also begun using a separate provider for bandwidth. A long-term goal would be to hand the management of these buildings off to a company who can maintain it to reduce our headaches.

So, in building it we want to make it as portable as possible. As such, NAT comes to mind so we don't have to re-number it if a different provider takes it. It also has a number of other advantages which I'm sure are well known.

The problem is that I'm concerned about the number of translations that will happen in these buildings. Currently this part of the network is allocated a /19 and we estimate there are just over 4,000 residents.

I see some of the pitfalls being:

* The cisco FWSM is limited to 256K concurrent translations. That's only 64 per user. Bit-torrent is likely to slaughter that.

* It's harder to handle RIAA complaints since everything comes from a different public address.

* Rate limiting (packet shaping) is currently done at the ISP for these buildings. We'll have to move that inside (more $$) or do protocol shaping instead of by IP address.

* Certain applications may break, etc.

So my question is:

Has anyone tried to NAT this many of a certain type of user?

and

Do the benefits outweight the caveats?



Jason Mishka - "I'm like a Subway in a land of McDonalds..."

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

begin:vcard
fn:David Piscitello
n:Piscitello;David
adr;dom:;;3 Myrtle Bank Lane;Hilton Head;SC;29926
email;internet:dave@xxxxxxxxxxx
x-mozilla-html:FALSE
url:http://hhi.corecom.com/weblogindex.htm
version:2.1
end:vcard

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


Relevant Pages

  • Re: [fw-wiz] Nat Limitations?
    ... I've already considered pushing the NAT closer to the edge. ... then NAT it in a central switch or router. ... physically segment the residence halls from the rest of the campus ... will happen in these buildings. ...
    (Firewall-Wizards)
  • Re: [fw-wiz] Nat Limitations?
    ... I am guessing you want to segment each res hall off using a single ... then NAT it in a central switch or router. ... will happen in these buildings. ...
    (Firewall-Wizards)