> > "Simplify - There is no value in complexity, it's too difficult to
> > manage."
> > > -----Original Message-----
> > > From: Alan Goldberg [SMTP:agoldber @
> > > Sent: Wednesday, August 20, 1997 9:32 AM
> > > To: Firewalls @
> > > Subject: IP Addressing strategy
> > >
> > > We have a class B registered address.
> > >
> > > If we deploy our firewalls do we a) use invalid addresses internally
> > > for all of our subnets, or b) it doesn't matter.
While there are significant advantages to firewalling that can't be
gained from other protection methods, there can be no real protection that
does not start from the inside out. Regardless of your IP addressing
schemes or your methods to hide them, you should employ practices at
the host level that are consistent with your desired level of
protection, i.e., if you have no internal need for a service, it
should be turned off on every host that supports it.
> > > There has been debate internally on this issue. I would expect
> > > that it is easier to manage to continue to use our allocated subnet
> > > numbers and let the firewall restrict the traffic.
I personally agree. The key to making sure that your network is
secure is by patching as soon as possible for hosts that are
susceptible to attack, and using a firewall/access-lists to *BOLSTER*
security, not ensure it.
> > > The other side contends that invalid numbers prevent intrusion.
That is a crock of horsepucky and more than likely spewed from
someone not versed in the reality of networking.
> > > Any opinions? facts?
Any device that has access to services outside a physically secured
environment renders itself susceptible to an attack of a sort.
Addressing schemes don't secure anything.
The rest of it is pretty wide open...
com Phone (830)768-2292
com FAX (830)774-1518
'If you're a horse and someone gets on you and
falls off, then gets right back on you...I think
you should buck him off right away'
-- Deep Thoughts, By Jack Handey