RE: Best Practices for Enterprise networks

2004-09-04 Thread Måns Nilsson


--On Sunday 29 August 2004 17.42 -0700 Michel Py
<[EMAIL PROTECTED]> wrote:

> 
>>> Tracy Smith wrote:
>>> Specifically, to NAT or not to NAT?
> 
> This is not much of an issue anymore. If you receive IP addresses from
> your ISP, not natting would be foolish.

No. Renumbering is easy and fun, not to mention a great source of revenue
for IT consultants. 

> Even if you do own your own
> public IP space, the NAT issues are fundamentally no different than the
> firewall ones 

Yes, they are. NAT and firewalling are orthogonal. They just are bundled in
a lot of bad products. 

> and since not having a firewall is not an option, 

Yes, it is. Firewalls in the corporate environments have led to the
pathetic state of notpatchedness that allows simple email virii to take
down entire enterprises simply because "inside the firewall everyone are
nice". Such solutions do much more damage than good. 

> most
> enterprises will indeed NAT some of their subnets in their firewalls,
> whether or not they have or could easily obtain public space.

Finally, you are correct, although not because you describe some clever
plan for enterprise network management, but instead you describe the
pathetic state of notworking that permeates (with the aid of overpaid
undercompetent firewall conslutants (I used to be one.)) through the
corporate world. 

>> Paul Ferguson wrote:
>> Asymmetric paths are a fact of life in the Internet.
> 
> Not for enterprise operators except the largest ones. 

Except when people, being people, mess up. 

-- 
Måns Nilsson Systems Specialist
+46 70 681 7204 KTHNOC
MN1334-RIPE




RE: Best Practices for Enterprise networks

2004-08-29 Thread Fergie (Paul Ferguson)



Of course it can work. My point is that it is a fact of life,
nothing more.

Pointing out the obvious: Dependent upon who is/are your upstream
provider(s), and how specific the prefix announcements are made
to their peers (re: your reachability) determines just how symmetric
your traffic patterns will be.

- ferg

-- "Michel Py" <[EMAIL PROTECTED]> wrote:

> Asymmetric paths are a fact of life in the Internet.

Not for enterprise operators except the largest ones. Asymmetric traffic
does happen in the core, where there are no firewalls or NATs; as far as
the edge is concerned though I know several companies that multihome to
two or more ISPs but only in one location, largely because they don't
want to deal with NAT/firewall issues. Although it can work, it requires
extra engineering and most of the time a fat pipe to replicate state
information between the sites.

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 [EMAIL PROTECTED] or
 [EMAIL PROTECTED]


RE: Best Practices for Enterprise networks

2004-08-29 Thread Michel Py

>> Tracy Smith wrote:
>> Specifically, to NAT or not to NAT?

This is not much of an issue anymore. If you receive IP addresses from
your ISP, not natting would be foolish. Even if you do own your own
public IP space, the NAT issues are fundamentally no different than the
firewall ones and since not having a firewall is not an option, most
enterprises will indeed NAT some of their subnets in their firewalls,
whether or not they have or could easily obtain public space.

> At what point should NAT-ting be performed ... 
> exclusively at the Egress point

If there is only one egress point, indeed (typically at the firewall
that's between the outside router and the inside router).

If there are multiple egress points it's more interesting. There are
multiple designs.
 
> about firewalling - centralized/decentralized?

Greatly varies depending on the design and requirements of a given
enterprise.


> Iljitsch van Beijnum wrote:
> Fortunately, I've never been in the position
> to make such decisions,

That's when you understand the real meaning of FUD: when you @55 and/or
your job are on the line ;-)
 
> but I can tell you one thing: if you have multiple connections
> to the internet, you had better make sure that your NATs and
> firewalls are equipped to handle the case where you send a
> packet out through connection A and the reply comes back
> through connection B.

Indeed.


> Paul Ferguson wrote:
> Asymmetric paths are a fact of life in the Internet.

Not for enterprise operators except the largest ones. Asymmetric traffic
does happen in the core, where there are no firewalls or NATs; as far as
the edge is concerned though I know several companies that multihome to
two or more ISPs but only in one location, largely because they don't
want to deal with NAT/firewall issues. Although it can work, it requires
extra engineering and most of the time a fat pipe to replicate state
information between the sites.

Michel.



Re: Best Practices for Enterprise networks

2004-08-29 Thread Christopher L. Morrow

On Mon, 30 Aug 2004, Fergie (Paul Ferguson) wrote:

>
>
> Asymmetric paths are a fact of life in the Internet.
>

engineer your network to deal with that (from the enterprise perspective,
not the ISP side) and it's not a problem... we have several customers in
this scenario today, all work well.

> - ferg
>
> -- Iljitsch van Beijnum <[EMAIL PROTECTED]> wrote:
>
> On 30-aug-04, at 0:50, Tracy Smith wrote:
>
> > Hello.  I am trying to gauge what the Best Practices are for
> > Enterprise network connections to the Internet.  Specifically, to NAT
> > or not to NAT?  At what point should NAT-ting be performed ...
> > exclusively at the Egress point or at decentralized points?  What
> > about firewalling - centralized/decentralized?
>
> Fortunately, I've never been in the position to make such decisions,
> but I can tell you one thing: if you have multiple connections to the
> internet, you had better make sure that your NATs and firewalls are

(aimed at original poster)

NAT is normally a decision local to the site... "have enough ips? don't
nat" "Don't have enough ips, NAT" or the ever popular: "Want to hide your
internal network details, nat"

I'm not sure there is a 'best practice' that really covers nat. Perhaps
paying for some consulting from some of the larger consulting firms would
help you address your particular issues directly?



Re: Best Practices for Enterprise networks

2004-08-29 Thread Fergie (Paul Ferguson)


Asymmetric paths are a fact of life in the Internet.

- ferg

-- Iljitsch van Beijnum <[EMAIL PROTECTED]> wrote:

On 30-aug-04, at 0:50, Tracy Smith wrote:

> Hello.  I am trying to gauge what the Best Practices are for 
> Enterprise network connections to the Internet.  Specifically, to NAT 
> or not to NAT?  At what point should NAT-ting be performed ... 
> exclusively at the Egress point or at decentralized points?  What 
> about firewalling - centralized/decentralized?

Fortunately, I've never been in the position to make such decisions, 
but I can tell you one thing: if you have multiple connections to the 
internet, you had better make sure that your NATs and firewalls are 
equipped to handle the case where you send a packet out through 
connection A and the reply comes back through connection B.

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 [EMAIL PROTECTED] or
 [EMAIL PROTECTED]


Re: Best Practices for Enterprise networks

2004-08-29 Thread Iljitsch van Beijnum

On 30-aug-04, at 0:50, Tracy Smith wrote:

> Hello.  I am trying to gauge what the Best Practices are for 
> Enterprise network connections to the Internet.  Specifically, to NAT 
> or not to NAT?  At what point should NAT-ting be performed ... 
> exclusively at the Egress point or at decentralized points?  What 
> about firewalling - centralized/decentralized?

Fortunately, I've never been in the position to make such decisions, 
but I can tell you one thing: if you have multiple connections to the 
internet, you had better make sure that your NATs and firewalls are 
equipped to handle the case where you send a packet out through 
connection A and the reply comes back through connection B.
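An added illustration of the failure mode Iljitsch describes here and Michel's "replicate state information between the sites" remark above; this is example code written for this page, not anything posted by the participants. It models two stateful NAT firewalls at separate egress points with a constructed sample flow and documentation-range addresses; the peer-to-peer state copy stands in for whatever sync mechanism a real product would use.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulNatFirewall:
    """Toy stateful NAT firewall: an outbound packet creates a state entry
    and is source-NATed to this box's public address; an inbound packet is
    accepted only if it matches an existing entry, otherwise it is dropped."""

    def __init__(self, name: str, public_ip: str):
        self.name = name
        self.public_ip = public_ip
        # (pub_ip, nat_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.table: dict = {}
        self.peers: list = []      # firewalls that receive copies of our state (assumed sync channel)
        self._next_port = 40000

    def outbound(self, pkt: Packet) -> Packet:
        nat_port, self._next_port = self._next_port, self._next_port + 1
        key = (self.public_ip, nat_port, pkt.dst, pkt.dport)
        self.table[key] = (pkt.src, pkt.sport)
        for peer in self.peers:    # replication cost: one update per new flow, per peer
            peer.table[key] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, nat_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet):
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        inside = self.table.get(key)
        if inside is None:
            return None            # no state for this flow on this box: drop
        return Packet(pkt.src, pkt.sport, inside[0], inside[1])   # un-NAT to the inside host


def simulate(reply_via: str, replicate_state: bool):
    """Send one request out through fw-a; the reply comes back via 'a' or 'b'.
    Returns the packet delivered to the inside host, or None if it was dropped."""
    fw = {"a": StatefulNatFirewall("fw-a", "203.0.113.1"),
          "b": StatefulNatFirewall("fw-b", "203.0.113.2")}
    if replicate_state:
        fw["a"].peers.append(fw["b"])
        fw["b"].peers.append(fw["a"])
    request = Packet("10.0.0.5", 51234, "198.51.100.10", 443)    # constructed sample flow
    on_wire = fw["a"].outbound(request)
    reply = Packet(on_wire.dst, on_wire.dport, on_wire.src, on_wire.sport)
    return fw[reply_via].inbound(reply)
```

Without replication the reply that lands on fw-b is indistinguishable from unsolicited inbound traffic and is dropped; with replication fw-b can un-NAT it, but only because every new flow on fw-a cost a sync message to fw-b, which is the bandwidth Michel's "fat pipe" refers to.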



Best Practices for Enterprise networks

2004-08-29 Thread Tracy Smith

Hello.  I am trying to gauge what the Best Practices are for Enterprise network 
connections to the Internet.  Specifically, to NAT or not to NAT?  At what point 
should NAT-ting be performed ... exclusively at the Egress point or at decentralized 
points?  What about firewalling - centralized/decentralized?

Thanks in advance for any feedback!

Tracy Smith
[EMAIL PROTECTED]