North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: NOC servers with public/private ip address

  • From: Valdis.Kletnieks
  • Date: Wed Aug 15 11:23:43 2001

On Wed, 15 Aug 2001 11:07:21 EDT, you said:
> Using a NAT in a NOC situation makes audit trails harder to maintain,
> as all administrative connections to your network devices will appear
> to come from (one of) the address(es) of the NAT device.

Right.  That too - that's why I advised against it.  Choices I see
as reasonable:

1) A totally isolated management net in 1918 space.
2) A totally isolated management net in your space.
3) A firewalled management net in your space.
4) A management net in 1918 space, and a bastion host that lives in the
1918 space and your space to get stuff in/out with (no direct connections
available - copy stuff to the bastion from one side, then copy out from
the other).

Of course, for options (3) and (4) you need to have a very clear
understanding of how you are handling security for the management net.

And for options (1) and (2), you need to be careful that it *does*
stay isolated - all it takes is one router that's forwarding packets
for it to change into (3) or (4). ;)

				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech

Attachment: pgp00008.pgp
Description: PGP signature