I tend to agree with Bill on this one.
With 6 DS3 circuits one is looking at some heavy iron that is capable of
handling the high volumes of traffic. Something similar to a Foundry Unit
can handle lots and lots of NAT connections without even breaking a sweat.
(See their ad.)
Again, I'll slightly agree with Bill on the numberless links but also you
may want to invest in an out of band management system just in case you
have to service something remotely.
/cheers
At 07:11 PM 8/22/00 -0400, [EMAIL PROTECTED] wrote:
>Steve,
>
>NAT/PAT isn't a security function per se although it does provide some
>obscurity for internal hosts. The issue here appears to be more of a
>performance question. We have 6 DS3 circuits feeding into a single
>Internet access point. Can the router efficiently handle NAT connections
>from all the different locations or would it be better to spread that out
>among multiple routers?
>
>I lean toward private addressing for all internal connections because you
>can set up a simple addressing scheme that's easy to follow. The security
>issue is really one of filtering. BTW - if you run your links numberless
>you can make the routers at the remote sites completely invisible to the
>outside NAT interface -- of course that might make it a little difficult
>for you to service it ;-].
>
>-- Bill Stackpole, CISSP
>
>Steve Smith <[EMAIL PROTECTED]>
>Sent by: [EMAIL PROTECTED]
>
>08/22/00 02:55 PM
>
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> cc:
> Subject: When to NAT
>
>Hey gang, need some expert advice
>
>If you have a big WAN, ATM DS3 connecting 6 cities, with a single internet
>access point at a NAP where should you implement your NAT/PAT? Our
>"security" manager feels that we should have public IPs running in our DMZ
>and our WAN from city to city. Then NAT/PAT into each location. The other way
>would be to have a DMZ at the internet access point, leave them public for
>web servers and such, then NAT/PAT through the firewall for the rest of the
>WAN.
>
>At each city you would have frame over ATM tying your rural sites into a
>main site. Then come back down your ATM to the NAP for the internet. It just
>seems like it would be easier to hack into each city's site since you have
>public and private IPs flowing along the same ATM into the router?
>
>HEEELP!
>
>Thanks in advance,
>
>
>Steve