Block all servers?
Petri Helenius
pete at he.iki.fi
Sat Oct 11 17:08:54 UTC 2003
Adam Selene wrote:
>>NAT is more expensive to produce, so it should be an optional
>>premium service, and that seems to be more and more the case.
>
>Not necessarily when you consider the cost (in bandwidth,
>network reliability and support staff) imposed by worms and kiddies
>from other networks scanning your IP space for unsecured machines.
>
NAT boxes are quite unreliable, especially large ones. If you say "put
100000 small ones instead", that really sounds like a support nightmare.
And you can filter without having NAT.
(A long time ago NAT was thought to be a security mechanism; that has
fortunately mostly died out.)
>That's not even to mention the cost imposed by compromised systems.
>Even if NAT only reduces compromised systems by 20%, that's a
>cost savings.
>
For the price of a large NAT box, you can buy better security mitigation
products which would allow you to get the wilful spammers, trojaned
machines, etc. which are not saved by your magic box.
>Given that most edge hardware supports NAT, the additional cost
>is nominal.
>
My operational experience tells quite a different story.
>Getting IP space allocation is not without cost either.
>
That's nothing compared to the people complaining about their applications
not working because you want to break their packets.
Pete