Steve,

NAT/PAT isn't a security function per se although it does provide some obscurity for internal hosts.  The issue here appears to be more of a performance question.  We have 6 DS3 circuits feeding into a single Internet access point.  Can the router efficiently handle NAT connections from all the different locations or would it be better to spread that out among multiple routers?

I lean toward private addressing for all internal connections because you can set up a simple addressing scheme that's easy to follow.  The security issue is really one of filtering.  BTW - if you run your links numberless you can make the routers at the remote sites completely invisible to the outside NAT interface -- of course that might make it a little difficult for you to service it  ;-].

-- Bill Stackpole, CISSP

 


Steve Smith <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
08/22/00 02:55 PM

To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
cc:
Subject: When to NAT


Hey gang, need some expert advice

If you have a big WAN, ATM DS3 connecting 6 cities, with a single internet
access point at a NAP where should you implement your NAT/PAT? Our
"security" manager feels that we should have public IPs running in our DMZ
and our WAN from city to city. Then NAT/PAT into each location. The other way
would be to have a DMZ at the internet access point, leave them public for
web servers and such, then NAT/PAT through the firewall for the rest of the
WAN.

At each city you would have frame over ATM tying your rural sites into a
main site. Then come back down your ATM to the NAP for the internet. It just
seems like it would be easier to hack into each city's site since you have
public and private IPs flowing along the same ATM into the router?

HEEELP!

Thanks in advance,


Steve





