Dynamic IP log retention = 0?

Mike Lewinski mike at rockynet.com
Wed Mar 11 21:54:14 UTC 2009


Joe Greco wrote:
>> A quick scan of the reverse mapping for your address space in DNS reveals
>> that you have basically your entire network on public addresses.  No wonder
>> you're worried about portscans when the printer down the hall and the
>> receptionist's machine are sitting on public addresses.  I think you are
>> trying to secure your network from the wrong end here.
> 
> Your idea of "security" is strange and unrealistic.
> 
> Putting all of your network behind NAT is not a guarantee of security.

Amen. Our NOCS workstations all use public IP addresses that are routed 
through a firewall. The firewall applies appropriate policies that would 
be functionally no different from applying the same policies to NAT'd 
hosts. In our environment, we'd gain absolutely nothing from a security 
perspective by enabling NAT.

But it does help ensure that poorly designed applications don't require 
proxies to support them through NAT (SIP, FTP, etc.). And we'll never have 
problems with a partner VPN conflicting with our internal IP space.

Mike
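As an added illustration of the point made above (not part of the list post), here is an nftables ruleset for a router whose workstation LAN uses routed public addresses. Interface names and the 203.0.113.0/24 / 192.0.2.0/24 prefixes are assumed RFC 5737 documentation values; the stateful forward chain is exactly what a NAT gateway relies on implicitly, so the NAT variant adds only a source-NAT table, not a single extra filter rule.

```nftables
#!/usr/sbin/nft -f
# Assumed topology (hypothetical): eth0 = upstream, eth1 = workstation LAN.
# The LAN prefix 203.0.113.0/24 is public and routed, no NAT.
flush ruleset

table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to sessions the workstations opened are allowed back in.
        # This conntrack lookup is the only "protection" NAT ever provided.
        ct state established,related accept
        ct state invalid drop

        # Workstations may initiate outbound sessions to the Internet.
        iifname "eth1" ip saddr 203.0.113.0/24 oifname "eth0" accept

        # Unsolicited traffic from upstream never reaches the LAN, even
        # though every host behind eth1 carries a public address.
        iifname "eth0" oifname "eth1" drop
    }
}

# NAT variant for comparison: the forward chain above is unchanged; the
# only difference is a private LAN prefix plus this source-NAT table.
#
# table ip nat {
#     chain postrouting {
#         type nat hook postrouting priority srcnat; policy accept;
#         oifname "eth0" ip saddr 192.0.2.0/24 masquerade
#     }
# }
```

Loading the file with `nft -f` (and the same policy on a NAT box) gives a quick way to confirm that inbound exposure is decided by the forward chain, not by the address family of the hosts.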