That just about wraps up this discussion.
Hank Jap wrote:
> Hi Alan,
> We just finished converting our IP addresses (4000 nodes) to
> our public IP addresses. This was due to the explosion of Extranet
> where we needed to connect to a bunch of business partners. We ran into
> problems where our private IP address was conflicting with our business
> partners'. It's just much easier for us now to connect to a business
> without worrying about conflicting IP addresses.
> Hank Jap
> PanCanadian Petroleum
> Alan Goldberg wrote:
> > Thanks, Russ!
> > Good advice. I am inclined to agree.
> > -alan
> > Russ wrote:
> > >
> > > Alan,
> > >
> > > Fact is there is no real benefit gained from private address space. With
> > > source-routing, its still possible to reach and interact with private
> > > address IP hosts/subnets. NAT was never intended to be a security
> > > countermeasure, and its perception as such has led to the common
> > > fallacy.
> > >
> > > Private address space also translates into a likelihood that some other
> > > site you may try and reach is unreachable, particularly in this age of
> > > Extranets (combined networks of multiple corporations/organizations). In
> > > addition, applications/protocols that use IP address as an identifier
> > > (MS Netmeeting for example) require a one-one public IP - private IP
> > > mapping at your Firewall (if you mean to allow it through, even within
> > > tunnels).
> > >
> > > I strongly suggest you create a single subnet of exposed addresses and
> > > maintain your internal addressing. If your Firewall cannot withstand
> > > attacks against known IP addresses, changing them to private will only
> > > give you a false sense of security. Any proper testing methods used to
> > > validate your Firewall configuration should confirm that your internal
> > > address is secured, otherwise the Firewall's not doing what it's
> > > supposed to.
> > >
> > > Cheers,
> > > Russ
> > > R.C. Consulting, Inc. - NT/Internet Security
> > > owner of the NTBugTraq mailing list: http://www.ntbugtraq.com
> > --
> > Alan Goldberg
> > HJ Heinz Company of Canada Ltd / Intuit Bus Serv & Tech
> > agoldber @
> > http://home.istar.ca/~agoldber
HJ Heinz Company of Canada Ltd / Intuit Bus Serv & Tech