Great Circle Associates Firewalls
(August 1997)
 


Subject: Re: IP Addressing strategy
From: greg @ webnology . com
Date: Tue, 26 Aug 1997 00:10:25 +0000
To: agoldber @ istar . ca
Cc: Firewalls @ GreatCircle . COM
Comments: Authenticated sender is <greg @ mail . webnology . com>

> > "Simplify - There is no value in complexity, it's too difficult to
> > manage."

Agreed...;-)

> > > -----Original Message-----
> > > From: Alan Goldberg [SMTP:agoldber @ istar . ca]
> > > Sent: Wednesday, August 20, 1997 9:32 AM
> > > To:   Firewalls @ GreatCircle . COM
> > > Subject:      IP Addressing strategy
> > >
> > > We have a class B registered address.
> > >
> > > If we deploy our firewalls do we a) use invalid addresses internally
> > > for all of our subnets, or b) it doesn't matter.

While there are significant advantages to firewalling that can't be 
gained from other protection methods, there can be no real protection that 
does not start from the inside out.  Regardless of your IP addressing 
schemes or your methods to hide them, you should employ practices at 
the host level that are consistent with your desired level of 
protection.  I.e., if you have no internal need for a service, it 
should be turned off on every host that supports it.

> > > There has been debate internally on this issue.  I would expect
> > > that it is easier to manage to continue to use our allocated subnet
> > > numbers and let the firewall restrict the traffic.

I personally agree.  The key to making sure that your network is 
secure is by patching as soon as possible for hosts that are 
susceptible to attack, and using a firewall/access-lists to *BOLSTER* 
security, not ensure it.

> > > The other side contends that invalid numbers prevent intrusion.

That is a crock of horsepucky and more than likely spewed from 
someone not versed in the reality of networking.

> > > Any opinions?  facts?

FACT:
Any device that has access to services outside a physically secured 
environment renders itself susceptible to an attack of a sort.

FACT:
Addressing schemes don't secure anything.

The rest of it is pretty wide open...


Respectfully,

Greg Barnes
Webnology LLC

 ________________________________________________
|\===============W=E=B=N=O=L=O=G=Y===============\
     greg @ webnology . com    Phone  (830)768-2292
     noc @ webnology . com     FAX    (830)774-1518
|/===============W=E=B=N=O=L=O=G=Y===============/

'If you're a horse and someone gets on you and
 falls off, then gets right back on you...I think
 you should buck him off right away'
      -- Deep Thoughts, By Jack Handey

