> From: Michael Ryan <mike @ networx . ie>
> Date: Fri, 19 Jan 1996 10:29:54 GMT
> Subject: Perimeter net and official net addresses
>
> Hi folks,
>
> I've been tuned into this list for a few months now and here's my first
> posting.
>
> I'm attaching to the Internet for the first time. If I set up a perimeter
> network between my internal net and the Internet, the way I see it,
> I have three choices.
>
> .....first two options deleted.....
>
> (c) Use a Class C address on the perimeter net and a private IP address
> on the internal net (cf. RFC1597).
> My problems with this are:
> (1) Any expert whose opinion I've read says keep away from using
> private addresses.
> (2) Direct connections are not possible between the inside and the
> outside; proxying or NAT must be used always.
> However, I see advantages to this scheme also:
> (1) If proxying is used to give insiders access to the outside, then,
> it's not possible for a bad guy on the outside to mount an
> IP address spoofing or source routing attack, as by the rules of
> RFC1597, my ISP must filter out private addresses from going through
> their routers (I realise there's an element of trust on my part for my
> ISP here).
> (2) It overcomes the disadvantages of (a) and (b) above.
>
>
Now I won't claim to be an expert, but I would go with option 3. If the
inside addresses are private (or "illegal") addresses there are fewer means
to figure out what IP addresses your inside machines have. (OK, that is
security through obscurity, but if you aren't using it as your sole means
of security it's OK.) Secondly, I know Raptor, and I believe other firewall
vendors, do mapping of illegal IP addresses to the unused addresses in the
10.0... range, so going out on the net doesn't pose a problem if you
choose the same set of IPs that IBM is using. Also there are the advantages
of not having to get 2 sets of numbers or subnetting a class C.
-Rachel
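The anti-spoofing property claimed for option (c) rests on private source addresses being dropped at the border. The Python below is an added illustration written for this page, not code from either poster or from any firewall vendor named in the thread: it encodes the three RFC 1597 private blocks and a simple ingress/egress rule set for a dual-homed screening host, then runs it over a handful of constructed packets. The interface names, the internal net 10.1.0.0/16 and the perimeter net 192.0.2.0/24 are assumptions for the example; RFC 1597 gives the address blocks.

```python
import ipaddress
from dataclasses import dataclass

# The three private blocks allocated by RFC 1597 (10/8, 172.16/12, 192.168/16).
RFC1597_PRIVATE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed for the example (not from the thread): the internal net uses a
# private block, the perimeter net a documentation block standing in for
# the "official" Class C.
INTERNAL_NET = ipaddress.ip_network("10.1.0.0/16")
PERIMETER_NET = ipaddress.ip_network("192.0.2.0/24")


def is_rfc1597_private(addr: str) -> bool:
    """True if addr falls in any RFC 1597 private block."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1597_PRIVATE)


@dataclass
class Packet:
    iface: str            # "outside" (Internet side) or "inside" (internal net side)
    src: str
    dst: str
    source_routed: bool = False   # IP loose/strict source-route option present


def screen(pkt: Packet,
           internal_net=INTERNAL_NET,
           perimeter_net=PERIMETER_NET) -> tuple:
    """Return (verdict, reason) for one packet at the screening router.

    Rules, in order:
      1. source-routed packets are dropped on every interface;
      2. from outside, drop private sources (RFC 1597 addresses must never
         arrive from the Internet) and drop sources claiming to be one of
         our own networks (classic spoofing);
      3. from inside, drop anything whose source is not an internal address
         (stops our site being used to spoof others).
    """
    src = ipaddress.ip_address(pkt.src)
    if pkt.source_routed:
        return ("drop", "source-routed")
    if pkt.iface == "outside":
        if is_rfc1597_private(pkt.src):
            return ("drop", "private source from outside")
        if src in internal_net or src in perimeter_net:
            return ("drop", "spoofed own address from outside")
    elif pkt.iface == "inside":
        if src not in internal_net:
            return ("drop", "non-internal source from inside")
    return ("accept", "")


# Constructed sample traffic for the example.
SAMPLE_PACKETS = [
    Packet("outside", "198.51.100.4", "192.0.2.10"),        # ordinary Internet host -> bastion
    Packet("outside", "10.1.2.3", "192.0.2.10"),            # spoofed internal (private) source
    Packet("outside", "192.0.2.77", "192.0.2.10"),          # spoofed perimeter source
    Packet("outside", "172.31.9.9", "192.0.2.10"),          # other RFC 1597 private source
    Packet("outside", "198.51.100.4", "192.0.2.10", True),  # source-routed probe
    Packet("inside", "10.1.2.3", "192.0.2.10"),             # internal host -> proxy on perimeter
    Packet("inside", "203.0.113.5", "198.51.100.4"),        # inside host spoofing a foreign address
]


def run_sample(packets=SAMPLE_PACKETS) -> dict:
    """Tally verdicts over the sample; returns {'accept': n, 'drop': m}."""
    counts = {"accept": 0, "drop": 0}
    for pkt in packets:
        verdict, reason = screen(pkt)
        counts[verdict] += 1
        print(f"{pkt.iface:7} {pkt.src:>14} -> {pkt.dst:<12} {verdict:6} {reason}")
    return counts


if __name__ == "__main__":
    run_sample()
```

Rule 2 is the one the poster relies on the ISP for; running it locally as well means the site is protected even if the upstream filter is missing, which removes the "element of trust" mentioned above. Rule 3 is the egress counterpart and costs nothing once the internal block is fixed.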