Archived from groups: comp.security.firewalls
Greetings,
I'm looking for some expert opinions on the following question:
Should individual departments in a large university be behind NAT firewalls
or transparent firewalls?
Proposal (1):
The university assigns every PC (and Mac, and network printer, and whatnot)
an IP address from its allocation, and DHCP-serves the PC from its central
DHCP server, which also serves as an inventory of networked computers on
campus. Departments are encouraged to get firewalls, which must be
transparent and capable of DHCP relaying. Departmental subnets work whether
or not a firewall is present.
Proposal (2):
The university assigns the minimum number of IP addresses (often just one)
to each department, and the department uses a NAT firewall to assign
internal IP addresses to the computers behind it. (Just like we do at home
with cable modems.)
My impression is that (1) is easier to troubleshoot and manage from a
central location, but (2) is more convenient (you can just bring your laptop
and plug it in, without registering with the central DHCP server).
Is (2) also safer? In the long run, which do you think is the best
proposal?
Many thanks,
Michael A. Covington - Artificial Intelligence Ctr - University of Georgia
(N.B. The university I'm talking about is not necessarily my own. Consider
this a theoretical long-term question.)