Dynamic IP log retention = 0?
Mike Lewinski
mike at rockynet.com
Wed Mar 11 21:54:14 UTC 2009
Joe Greco wrote:
>> A quick scan of the reverse mapping for your address space in DNS reveals
>> that you have basically your entire network on public addresses. No wonder
>> you're worried about portscans when the printer down the hall and the
>> receptionist's machine are sitting on public addresses. I think you are
>> trying to secure your network from the wrong end here.
>
> Your idea of "security" is strange and unrealistic.
>
> Putting all of your network behind NAT is not a guarantee of security.
Amen. Our NOCS workstations all use public IP addresses that are routed
through a firewall. The firewall applies appropriate policies that would
be functionally no different from applying the same policies to NAT'd
hosts. In our environment, we'd gain absolutely nothing from a security
perspective by enabling NAT.
But it does help ensure that poorly designed applications don't require
proxies to support them through NAT (SIP, FTP etc). And we'll never have
problems with a partner VPN conflicting with our internal IP space.
Mike
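To make the point in the reply above concrete, here is an added illustration (not from Mike's post or anyone else in the thread): two nftables rulesets whose forward policy is identical, one with masquerading in front of a private LAN, one routing public addresses with no NAT table at all. The interface names lan0/wan0, the 192.0.2.0/24 and 203.0.113.0/24 prefixes (RFC 5737 documentation ranges) and the published mail host at 203.0.113.25 are assumptions for the example.

```nft
# Ruleset A: private LAN (192.0.2.0/24) masqueraded behind wan0.
# The protection comes from the forward chain's drop policy plus
# connection tracking, not from the address rewrite.
table inet fw {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept   # replies to outbound traffic
        ct state invalid drop
        iifname "lan0" oifname "wan0" accept  # hosts may initiate outbound
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr 192.0.2.0/24 oifname "wan0" masquerade
    }
}

# Ruleset B: LAN on public addresses (203.0.113.0/24), routed, no NAT.
# Same forward policy, so an unsolicited inbound SYN to the printer or
# a receptionist's workstation is dropped exactly as it would be under A.
# The one published service is an explicit accept; under ruleset A the
# same exposure would need a dnat rule *and* this accept.
table inet fw {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lan0" oifname "wan0" accept
        iifname "wan0" oifname "lan0" ip daddr 203.0.113.25 tcp dport 25 ct state new accept
    }
}
```

Load either ruleset with `nft -f <file>` on a Linux router and `nft list ruleset` to confirm. The forward chain is what decides which inbound connections reach a host; ruleset A only adds address rewriting on top, which is why FTP, SIP and similar protocols that embed addresses in their payload need conntrack helpers or proxies under A but work unmodified under B, and why B cannot collide with a partner VPN's private address space.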