Joe Greco wrote:
A quick scan of the reverse mapping for your address space in DNS reveals that you have basically your entire network on public addresses. No wonder you're worried about portscans when the printer down the hall and the receptionist's machine are sitting on public addresses. I think you are trying to secure your network from the wrong end here.
Your idea of "security" is strange and unrealistic.
Putting all of your network behind NAT is not a guarantee of security.
Amen. Our NOCS workstations all use public IP addresses that are routed through a firewall. The firewall applies appropriate policies that would be functionally no different from applying the same policies to NAT'd hosts. In our environment, we'd gain absolutely nothing from a security perspective by enabling NAT. But it does help ensure that poorly designed applications don't require proxies to support them through NAT (SIP, FTP, etc.). And we'll never have problems with a partner VPN conflicting with our internal IP space.

Mike
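For illustration of the point Mike makes, here is an added example (not from anyone in this thread) of a stateful default-deny forward policy for a LAN on public addresses; it gives the same "nothing unsolicited gets in" posture that NAT provides as a side effect, while keeping inbound exceptions explicit. Interface names, the 203.0.113.0/24 prefix (an RFC 5737 documentation range) and the mail host address are assumptions.

```nftables
#!/usr/sbin/nft -f
# Assumed topology: eth0 = upstream, eth1 = LAN, 203.0.113.0/24 = LAN prefix.
flush ruleset

table inet edge {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections the LAN initiated are allowed back in,
        # exactly as they would be through a NAT box; nothing unsolicited
        # reaches the LAN.
        ct state established,related accept
        ct state invalid drop

        # LAN hosts may initiate outbound connections (no address rewriting,
        # so SIP, FTP and similar need no ALG or proxy).
        iifname "eth1" oifname "eth0" ip saddr 203.0.113.0/24 accept

        # Explicit inbound exceptions take the place of NAT port-forwards:
        # only the listed services on the listed hosts are reachable.
        iifname "eth0" oifname "eth1" ip daddr 203.0.113.10 tcp dport 25 accept

        # Everything else, printer and receptionist's PC included, is
        # unreachable from outside despite having a public address.
    }
}
```

Load with `nft -f` and confirm with `nft list ruleset`; the printer and workstation addresses are still public and still reverse-resolvable in DNS, but a portscan from outside sees only the explicitly permitted service.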