
Layered NAT for "security"?


  • Layered NAT for "security"?


    I have inherited a network that comes in from the "wild" to a standard CSU -> router/firewall -> another router/firewall -> switch. Router/firewall 1 NATs a 192.168.x.x network and then router/firewall 2 NATs to a 172.16.x.x network to which all of the internal workstations are connected (all of their internal IPs are on the 172.16.x.x block).

    I was told by the "CTO" consultant that is here for now that this is for security, however I can NOT figure out what sort of security benefit is worth adding an extra layer of complexity and failure to a network of this size. The entire branch office only has about 15 workstations and zero servers (all servers are planted in a top tier colocation facility). So, can anyone give me a real reason for this sort of network setup? I've been doing small business work for going on 10 years now and have never seen anyone do anything like this with a valid purpose. I -could- see having a public wifi network on a separate network, but that's not the case.

    What I'm asking for is a sanity check here before I make my case to flatten the network and simplify. There are many more of these sorts of half-a$$ed attempts at infrastructure here and this is just the tip of the iceberg, but I'm not entirely sure how to attack this to begin with aside from "no, really, that's simply a waste of time". The whole office has constant network issues and they're difficult to troubleshoot when things are just wrong (in my opinion).

  • #2
    Re: Layered NAT for "security"?

    I am shocked, surely you need to set up all your clients on this "layered" approach.
    Nah just kidding. You are sane indeed.

    I have never heard of such a thing. Most bizarre. Unless you really need to segregate the network, this is total BS.

    Perhaps you can explain to them it's like strapping yourself into a car for safety and then placing the entire car in another car "for added protection".

    Take the most powerful router/firewall that you have there, make it exclusive and sell the rest.
    "...if I turn out to be particularly clear, you've probably misunderstood what I've said" - Alan Greenspan


    • #3
      Re: Layered NAT for "security"?

      There is no added security for the second NAT in this scenario, in my opinion.
      JM @ IT Training & Consulting


      • #4
        Re: Layered NAT for "security"?

        Thank you both. I generally trust my experience but sometimes people can be so adamant about being wrong that I need a head check just to make sure I'm not talking gibberish.
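
Added example, not written by any poster in this thread: a small Python check that counts how many distinct RFC 1918 blocks a `traceroute -n` from a workstation crosses before the first public hop, which is how the 172.16.x.x behind 192.168.x.x layout from the first post would show up. The hop addresses are constructed sample data and the function names are hypothetical; a change of private block is a heuristic for a NAT boundary, since a routed private hop with no NAT looks the same.

```python
import ipaddress
import re

# RFC 1918 private blocks. A change of block between hops is treated as a
# likely NAT boundary (assumption: heuristic only, routing alone can cause it).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Constructed sample: `traceroute -n` output from a workstation on 172.16.x.x.
SAMPLE = """\
 1  172.16.0.1  0.41 ms  0.38 ms  0.35 ms
 2  192.168.1.1  0.92 ms  0.88 ms  0.90 ms
 3  * * *
 4  203.0.113.1  8.12 ms  8.03 ms  7.95 ms
"""

def parse_traceroute(text):
    """Return one entry per hop line: the hop's IPv4 address, or None for '* * *'."""
    hops = []
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+(.*)", line)
        if not m:
            continue  # header or blank line
        ip = IPV4.search(m.group(1))
        hops.append(ip.group(0) if ip else None)
    return hops

def private_block(addr):
    """Return the RFC 1918 block containing addr, or None if it is not in one."""
    ip = ipaddress.ip_address(addr)
    return next((net for net in RFC1918 if ip in net), None)

def nat_layers(hops):
    """Ordered list of distinct RFC 1918 blocks seen before the first non-RFC 1918 hop."""
    layers = []
    for hop in hops:
        if hop is None:
            continue  # silent hop tells us nothing
        block = private_block(hop)
        if block is None:
            break  # reached an address outside RFC 1918 space
        if not layers or layers[-1] != block:
            layers.append(block)
    return layers

if __name__ == "__main__":
    layers = nat_layers(parse_traceroute(SAMPLE))
    print(f"{len(layers)} private layer(s):", ", ".join(map(str, layers)))
```

More than one layer in the result is the cue to check each device's NAT table and decide whether the inner translation does anything the outer firewall's rules do not.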