General discussion

  • #2335828

    External TCP/IP addr

    Locked

    by spikeymike ·

    I recently started working for a local government entity. One of the first things that I noticed was that they were not using the “standard” internal IP addresses of 192.168.X.X – I asked why and nobody knew. Later on, I happened to see that a web server’s address fell into the same range. I did a WHOIS and found that there was an entire block of IPs assigned to this entity, and that the DHCP server is doling out real IPs to all internal workstations. All of the servers are statically assigned real IP addresses as well.

    My questions are: Is this a common practice? Is it safe?

    I *always* assign the private address range to internal servers and workstations. It is my understanding that these addresses will not route if they are accidentally plugged into a live internet hub. Further, it is my understanding that if the firewall is compromised, access to the private network is more difficult, if not impossible, when using the private addresses.

    Just curious, as it seems like a major waste of money to have bought such a large block of IP addresses, and seems like a big security boo-boo to be using them internally!

    Thanks!

    -Mike

All Comments

    • #3584009

      External TCP/IP addr

      by mshavrov ·

      In reply to External TCP/IP addr

      There is not too big a difference. In general, if a company has a big IP address range and a good firewall, it’s not a problem. Why are companies using “private” IP addresses? Because they have fewer public addresses than local computers. Sure, NAT gives some more security to your network design, but “if the firewall is compromised…” there is no difference which IP addresses you use inside – you are exposed. And again, security is defined by firewall policies. If you have strict rules that no traffic is permitted from outside unless it originated from inside, you are secured.

      Good luck.

    • #3582353

      External TCP/IP addr

      by guru@net ·

      In reply to External TCP/IP addr

      Actually, if you are NATing there isn’t an issue; except that I can’t tell if you meant that the local government entity owned these addresses or not. If they don’t, then they can’t get to any host that uses these addresses. If they do own them, then it’s not a problem, except that it would mean that any resources that are being offered to the public are just being “allowed” unchecked through the firewall instead of filtered.

      The best bet would be to use a private range internally (10.x.x.x, 172.x.x.x or 192.168.x.x) and position any public resources on a DMZ that uses the public addresses.

      -HTH
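The original post describes finding, via WHOIS, that DHCP hands out the entity's own public block to workstations, and the reply above recommends keeping internal hosts in a private range. The script below is an added example (not code from this thread or from any of its posters) that turns that advice into an inventory check: it classifies each host as RFC 1918 private, special-purpose, public-and-owned-by-the-entity, or public-and-foreign, so the "public-*" buckets become the findings to take to the people in charge. It assumes a constructed host list, uses the documentation range 203.0.113.0/24 as a placeholder for the entity's WHOIS-listed block, and takes the private ranges from RFC 1918 exactly, including the fact that the middle range is 172.16.0.0/12 (172.16.0.0 through 172.31.255.255) rather than all of 172.x.x.x.

```python
"""Audit which internal hosts sit on publicly routable addresses.

Added example with a constructed inventory. "Private" means RFC 1918
(10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). The entity's allocation is
stood in for by the documentation range 203.0.113.0/24 (a placeholder).
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# RFC 1918 private ranges. The second block is a /12: 172.16.0.0 through
# 172.31.255.255, so 172.32.x.x and above are NOT private.
RFC1918_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Placeholder for the block a WHOIS lookup would attribute to the entity.
ORG_BLOCKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed inventory: (hostname, address, how the address was assigned).
SAMPLE_HOSTS: List[Tuple[str, str, str]] = [
    ("dhcp-ws-01", "203.0.113.45", "dhcp"),
    ("dhcp-ws-02", "203.0.113.46", "dhcp"),
    ("www", "203.0.113.10", "static"),
    ("printer-3f", "192.168.1.20", "static"),
    ("lab-switch", "172.31.0.5", "static"),
    ("lab-sensor", "172.32.0.5", "static"),    # looks private, is not (outside /12)
    ("vendor-box", "198.51.100.7", "static"),  # public, not in the entity's block
]


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the three RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETWORKS)


def classify(addr: str, org_blocks: Iterable[ipaddress.IPv4Network]) -> str:
    """Bucket an address as private, special, public-owned or public-foreign."""
    ip = ipaddress.ip_address(addr)
    if is_rfc1918(addr):
        return "private"
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return "special"
    if any(ip in block for block in org_blocks):
        return "public-owned"    # routable, and part of the entity's allocation
    return "public-foreign"      # routable, but belongs to someone else


def audit(hosts: Iterable[Tuple[str, str, str]],
          org_blocks: Iterable[ipaddress.IPv4Network]) -> Dict[str, List[str]]:
    """Group hostnames by classification; the public-* buckets are the findings."""
    buckets: Dict[str, List[str]] = defaultdict(list)
    for name, addr, _source in hosts:
        buckets[classify(addr, org_blocks)].append(name)
    return dict(buckets)


if __name__ == "__main__":
    result = audit(SAMPLE_HOSTS, ORG_BLOCKS)
    for bucket in ("public-owned", "public-foreign", "private", "special"):
        print(f"{bucket:14s} {', '.join(result.get(bucket, [])) or '-'}")
```

In practice the inventory would come from the DHCP lease table and the static assignments rather than a hard-coded list; the classification is deliberately explicit about RFC 1918 membership instead of relying on a library's broader notion of "private", so that the report matches the advice given in the thread.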

      • #3600805

        External TCP/IP addr

        by spikeymike ·

        In reply to External TCP/IP addr

        Guru, the address range is owned by the government entity. I’m with you with regards to “best practices” of using addresses in the private range. However, the people in charge feel differently.

        Thanks for your input!

    • #3600803

      External TCP/IP addr

      by spikeymike ·

      In reply to External TCP/IP addr

      This question was closed by the author
