Great Circle Associates Firewalls
(August 1997)
 


Subject: Re: IP Addressing strategy
From: Alan Goldberg <agoldber @ istar . ca>
Organization: HJ Heinz Company of Canada Ltd
Date: Wed, 27 Aug 1997 15:13:04 -0400
To: Hank Jap <jap_hank @ pcp . ca>
Cc: Firewalls @ GreatCircle . COM
References: <61B80F9FF411D1118DEF0000E8D5C667012176 @ ns . ntadvice . com> <340343C1 . 4B07 @ istar . ca> <34034BE3 . 9B7 @ pcp . ca>
Reply-to: agoldber @ istar . ca

Thanks, Hank!
That just about wraps up this discussion.
-alan

Hank Jap wrote:
> 
> Hi Alan,
> We just finished converting our IP addresses (4000 nodes) to
> our public IP addresses.  This was due to the explosion of Extranet
> where we needed to connect to a bunch of business partners.  We ran into
> problems where our private IP address was conflicting with our business
> partners'. It's just much easier for us now to connect to a business
> partner without worrying about conflicting IP addresses.
> 
> Hank Jap
> PanCanadian Petroleum
> 
> Alan Goldberg wrote:
> >
> > Thanks, Russ!
> > Good advice. I am inclined to agree.
> >
> > -alan
> >
> > Russ wrote:
> > >
> > > Alan,
> > >
> > > Fact is there is no real benefit gained from private address space. With
> > > source-routing, it's still possible to reach and interact with private
> > > address IP hosts/subnets. NAT was never intended to be a security
> > > countermeasure, and its perception as such has led to the common
> > > fallacy.
> > >
> > > Private address space also translates into a likelihood that some other
> > > site you may try and reach is unreachable, particularly in this age of
> > > Extranets (combined networks of multiple corporations/organizations). In
> > > addition, applications/protocols that use IP address as an identifier
> > > (MS Netmeeting for example) require a one-one public IP - private IP
> > > mapping at your Firewall (if you mean to allow it through, even within
> > > tunnels).
> > >
> > > I strongly suggest you create a single subnet of exposed addresses and
> > > maintain your internal addressing. If your Firewall cannot withstand
> > > attacks against known IP addresses, changing them to private will only
> > > give you a false sense of security. Any proper testing methods used to
> > > validate your Firewall configuration should confirm that your internal
> > > address is secured, otherwise the Firewall's not doing what it's
> > > supposed to.
> > >
> > > Cheers,
> > > Russ
> > > R.C. Consulting, Inc. - NT/Internet Security
> > > owner of the NTBugTraq mailing list: http://www.ntbugtraq.com
> >
> > --
> > Alan Goldberg
> > HJ Heinz Company of Canada Ltd / Intuit Bus Serv & Tech
> > agoldber @ istar . ca
> > http://home.istar.ca/~agoldber

-- 
Alan Goldberg
HJ Heinz Company of Canada Ltd / Intuit Bus Serv & Tech
agoldber @ istar . ca
http://home.istar.ca/~agoldber

