Joe Greco wrote:
A quick scan of the reverse mapping for your address space in DNS reveals
that you have basically your entire network on public addresses. No wonder
you're worried about portscans when the printer down the hall and the
receptionists machine are sitting on public addresses. I think you are
trying to secure your network from the wrong end here.
Your idea of "security" is strange and unrealistic.
Putting all of your network behind NAT is not a guarantee of security.
Amen. Our NOCS workstations all use public IP addresses that are routed
through a firewall. The firewall applies appropriate policies that would
be functionally no different from applying the same policies to NAT'd
hosts. In our environment, we'd gain absolutely nothing from a security
perspective by enabling NAT.
But it does help ensure that poorly designed applications don't require
proxies to support them through NAT (SIP, FTP etc). And we'll never have
problems with a partner VPN conflicting with our internal IP space.
Mike
