Firewall-1

Re: [FW-1] IS hiding behind NAT always necessary

Subject: Re: [FW-1] IS hiding behind NAT always necessary
From: fwguru <fwguru AT GMAIL DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Wed, 27 Apr 2005 17:14:24 -0400
> My question is whether NAT'ing a whole subnet is a done thing nowadays... and
> does it increase the security risk.

Hide-natting an entire subnet is very common practice. But other than
in DMZs, static-natting an entire subnet is not common practice.

For services that require each user to come from a different IP, you
can still do a 1-to-1 hide-NAT.  You gain the benefit of identifying
each user by a unique global IP, but connections from the outside
cannot be initiated to the users.

I've rarely come across services that initiate back-connections to the
client.  If you are using a service like this, you may have no choice
but to use static-NAT.  But if you have a policy that states that all
connections from the Internet to the internal network must be
encrypted, then you must get these connections onto VPN or risk
violating the policy. Using VPN bypasses NAT altogether, and you would
just use the private addresses.

Finally, you can restrict static-NAT even further by static-natting
only from specific sources.  You have to use manual NAT rules to
accomplish this.  This way, you will allow the static-nat policy to
apply but only from the sources that require it.

Still my favorite choice for back-connections into the internal
network is VPN with strict inbound access control.

-fwguru

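A small model of the behaviour described above (hide NAT with no reverse mapping, 1-to-1 static NAT, and static NAT restricted to specific sources by a manual rule). This is an added illustration, not Check Point code or anything from the thread; the addresses, the `NatGateway` class and the port-allocation scheme are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses: RFC 1918 inside, documentation ranges outside (assumptions, not from the thread).
INTERNAL_NET = ip_network("10.1.0.0/24")
HIDE_ADDR = ip_address("198.51.100.1")            # hide-NAT address shared by the whole subnet
STATIC_MAP = {ip_address("10.1.0.50"): ip_address("198.51.100.50")}  # 1-to-1 static NAT
# Manual-rule restriction: only these Internet sources may use the static mapping inbound.
STATIC_ALLOWED_SRC = [ip_network("203.0.113.0/24")]
REVERSE_STATIC = {pub: internal for internal, pub in STATIC_MAP.items()}


class NatGateway:
    """Toy model of hide vs. static NAT; tracks translations so replies can come back."""

    def __init__(self):
        self.sessions = {}     # (public_ip, public_port, peer_ip, peer_port) -> (internal_ip, port)
        self.next_port = 10000

    def outbound(self, src, sport, dst, dport):
        """Internal host opens a connection; returns the (public_ip, public_port) seen outside."""
        src, dst = ip_address(src), ip_address(dst)
        if src in STATIC_MAP:                    # static NAT keeps a fixed address and the port
            pub, pport = STATIC_MAP[src], sport
        elif src in INTERNAL_NET:                # hide NAT: shared address, gateway-chosen port
            pub, pport = HIDE_ADDR, self.next_port
            self.next_port += 1
        else:
            return None                          # not a translated source
        self.sessions[(pub, pport, dst, dport)] = (src, sport)
        return str(pub), pport

    def inbound(self, src, sport, dst, dport):
        """Internet packet arrives at a public address; returns (verdict, detail)."""
        src, dst = ip_address(src), ip_address(dst)
        state = self.sessions.get((dst, dport, src, sport))
        if state:                                # reply to a connection we initiated
            return "reply", str(state[0])
        if dst in REVERSE_STATIC:                # new inbound connection via static NAT
            if any(src in net for net in STATIC_ALLOWED_SRC):
                return "new", str(REVERSE_STATIC[dst])
            return "drop", "static NAT restricted to specific sources"
        return "drop", "no reverse mapping behind hide NAT"
```

A back-connection from a service to a hide-NATted client lands on the shared address with no matching session and is dropped, which is exactly the case that pushes people toward static NAT or VPN.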

On 4/25/05, Ian Harris <harrisi AT toowoomba.qld.gov DOT au> wrote:
> At our org. most of our users' IPs are not hiding behind a NAT, but will use
> the proxy server's address. Nowadays though, there seem to be more add-on
> services that require ports that open separate TCP connections back to the
> originating host.
>
> This then requires the originating host to be NAT'ted for the service to work.
> My question is whether NAT'ing a whole subnet is a done thing nowadays... and
> does it increase the security risk.
>
> Does anyone have any thoughts on this?
>
> cheers
>
> Ian
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
>
