Best Practices for Enterprise networks

Måns Nilsson mansaxel at sunet.se
Sat Sep 4 13:03:20 UTC 2004



--On Sunday 29 August 2004 17.42 -0700 Michel Py
<michel at arneill-py.sacramento.ca.us> wrote:

> 
>>> Tracy Smith wrote:
>>> Specifically, to NAT or not to NAT?
> 
> This is not much of an issue anymore. If you receive IP addresses from
> your ISP, not natting would be foolish.

No. Renumbering is easy and fun, not to mention a great source of revenue
for IT consultants. 

> Even if you do own your own
> public IP space, the NAT issues are fundamentally no different than the
> firewall ones 

Yes, they are. NAT and firewalling are orthogonal. They just are bundled in
a lot of bad products. 

> and since not having a firewall is not an option, 

Yes, it is. Firewalls in the corporate environments have led to the
pathetic state of notpatchedness that allows simple email virii to take
down entire enterprises simply because "inside the firewall everyone is
nice". Such solutions do much more damage than good. 

> most
> enterprises will indeed NAT some of their subnets in their firewalls,
> whether or not they have or could easily obtain public space.

Finally, you are correct, although not because you describe some clever
plan for enterprise network management, but instead you describe the
pathetic state of notworking that permeates (with the aid of overpaid
undercompetent firewall conslutants (I used to be one.)) through the
corporate world. 

>> Paul Ferguson wrote:
>> Asymmetric paths are a fact of life in the Internet.
> 
> Not for enterprise operators except the largest ones. 

Except when people, being people, mess up. 

-- 
Måns Nilsson         Systems Specialist
+46 70 681 7204         KTHNOC
                        MN1334-RIPE