External TCP/IP addr

By SpikeyMike ·
I recently started working for a local government entity. One of the first things that I noticed was that they were not using the "standard" internal IP addresses of 192.168.X.X - I asked why and nobody knew. Later on, I happened to see that a web server's address fell into the same range. I did a WHOIS and found that there was an entire block of IPs assigned to this entity, and that the DHCP server is doling out real IPs to all internal workstations. All of the servers are statically assigned real IP addresses as well.

My questions are: Is this a common practice? Is it safe?

I *always* assign the private address range to internal servers and workstations. It is my understanding that these addresses will not route if they are accidentally plugged into a live internet hub. Further, it is my understanding that if the firewall is compromised, access to the private network is more difficult, if not impossible, when using the private addresses.

Just curious, as it seems like a major waste of money to have bought such a large block of IP addresses, and seems like a big security boo-boo to be using them internally!

Thanks!

-Mike

External TCP/IP addr

by mshavrov In reply to External TCP/IP addr

There is not too big a difference. In general, if a company has a big IP address range and a good firewall, it's not a problem. Why are companies using "private" IP addresses? Because they have fewer public addresses than local computers. Sure, NAT gives some more security to your network design, but "if the firewall is compromised..." there is no difference which IP addresses you use inside - you are exposed. And again, security is defined by firewall policies. If you have strict rules that no traffic is permitted from outside unless it originated from inside, you are secured.

Good luck.

External TCP/IP addr

by SpikeyMike In reply to External TCP/IP addr

Poster rated this answer

External TCP/IP addr

by guru@net In reply to External TCP/IP addr

Actually, if you are NATing there isn't an issue; except that I can't tell if you meant that the local government entity owned these addresses or not. If they don't, then they can't get to any host that uses these addresses. If they do own them, then it's not a problem, except that it would mean that any resources that are being offered to the public are just being "allowed" unchecked through the firewall instead of filtered.

The best bet would be to use a private range internally (10.x.x.x, 172.x.x.x or 192.168.x.x) and position any public resources on a DMZ that uses the public addresses.

-HTH
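
An added example, not part of any post in this thread: a Python audit of a host inventory that separates addresses in the RFC 1918 private blocks from publicly routable ones, so a firewall policy review can start with the hosts that are reachable by address. Of the 172.x.x.x space only 172.16.0.0/12 is private. The host names and addresses in `SAMPLE` are constructed.

```python
import ipaddress

# The three RFC 1918 private blocks. Only 172.16.0.0/12
# (172.16.x.x through 172.31.x.x) is private, not all of 172.x.x.x.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(addr):
    """Return the RFC 1918 block containing addr, 'special' for other
    non-global ranges (loopback, link-local, ...), or 'public'."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on bad input
    for net in RFC1918:
        if ip in net:
            return str(net)
    if not ip.is_global:
        return "special"
    return "public"


def audit(inventory):
    """Group (host, address) pairs by address class."""
    report = {}
    for host, addr in inventory:
        try:
            kind = classify(addr)
        except ValueError:
            kind = "invalid"
        report.setdefault(kind, []).append(host)
    return report


# Constructed sample inventory (hypothetical host names and addresses).
SAMPLE = [
    ("ws-01", "192.168.10.25"),
    ("ws-02", "172.16.4.9"),
    ("ws-03", "172.32.4.9"),       # just above 172.16.0.0/12
    ("srv-01", "10.1.2.3"),
    ("srv-02", "172.15.255.254"),  # just below 172.16.0.0/12
    ("lab-01", "169.254.7.7"),     # link-local
    ("bad-01", "192.168.1.300"),   # malformed entry
]

if __name__ == "__main__":
    for kind, hosts in sorted(audit(SAMPLE).items()):
        print(f"{kind:16} {', '.join(hosts)}")
```

Hosts reported as `public` rely entirely on the firewall rule set for isolation, which is the point both replies make about policy mattering more than the address range.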

External TCP/IP addr

by SpikeyMike In reply to External TCP/IP addr

Guru, the address range is owned by the government entity. I'm with you with regards to "best practices" of using addresses in the private range. However, the people in charge feel differently.

Thanks for your input!

External TCP/IP addr

by SpikeyMike In reply to External TCP/IP addr

This question was closed by the author
