What would be the vulnerabilities, issues, problems etc, of using public
addresses on an internal network behind a firewall?

Re: Public Addresses Used Internally by Mark

Mark
Sat Sep 02 22:06:46 CDT 2006

Just don't...

Unless you are using something like DHCP in which case I doubt we would be
having this conversation, don't use public addresses, use private ones -
that's what they are there for.

--
- Mark Randall
http://www.temporal-solutions.co.uk
http://www.awportals.com

"Myrt in MT" <MyrtinMT@discussions.microsoft.com> wrote in message
news:367D3FCE-57FA-4B9C-A88F-BFC811B2F94C@microsoft.com...
> What would be the vulnerabilities, issues, problems etc, of using public
> addresses on an internal network behind a firewall?



Re: Public Addresses Used Internally by MyrtinMT

MyrtinMT
Sat Sep 02 22:45:02 CDT 2006

I agree. But I have a client who has been using public addresses behind a
firewall and I am looking for arguments that I can use to convince him to
change.



"Mark Randall" wrote:

> Just don't...
>
> Unless you are using something like DHCP in which case I doubt we would be
> having this conversation, don't use public addresses, use private ones -
> that's what they are there for.
>

Re: Public Addresses Used Internally by Roger

Roger
Sat Sep 02 23:56:39 CDT 2006

"Myrt in MT" <MyrtinMT@discussions.microsoft.com> wrote in message
news:8AD6B93C-C470-4B4D-ACF8-35D6DBF120FA@microsoft.com...
> I agree. But I have a client who has been using public addresses behind a
> firewall and I am looking for arguments that I can use to convince him to
> change.
>

To reply to your initial question, the answer depends on the
quality of the firewall (i.e. what it allows).

Reasons

1. pay less for fewer IPs

2. barriers emplaced / risks assumed vs. gains / costs analysis

With private IPs access must be NATed or from compromised
system on internal network (again, implying a NATing)
With public IPs access must only route into internal network
(which implies higher quality requirement on net admins = cost)
So there _may_ be reduced barriers, heightened risks
There is increased cost with holding the public IPs, admin quality
So, what is the offsetting gain?

3. Predetermined size limit on address space
This might need to be addressed if growth presses the limit
This restricts what could be done to segment internal network
into screened subnets, or even just groupings of machines by
subnets, as a construct in partitioning the internal network for
objects such as privacy compliance, etc.

4. no doubt others

All you probably need to do is outline item 1, as it is a
"why buy $2 pencils when $1/dozen pencils work fine"
sort of biz manager decision.




Re: Public Addresses Used Internally by Robert

Robert
Sun Sep 03 04:55:53 CDT 2006

Myrt in MT wrote:
> What would be the vulnerabilities, issues, problems etc, of using
> public addresses on an internal network behind a firewall?

Let's start with a basic.

Are you talking about public addresses that the person concerned actually
owns and is entitled to use, or are you talking about someone who has
pulled a random IP address range out of their ear and just started using
it internally with no regard to anything else, because the numbers looked
lucky or something?
--
--
Rob Moir, Microsoft MVP for Security
Blog Site - http://www.robertmoir.com
Virtual PC 2004 FAQ -
http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html



Re: Public Addresses Used Internally by MyrtinMT

MyrtinMT
Sun Sep 03 09:52:02 CDT 2006

They are not paying anything for the public IP's. They just used them.

They have a public IP on the external interface of their firewall assigned
by their ISP and statically assigned IP's on the internal network.

I know it is goofy but that is the situation.

"Roger Abell [MVP]" wrote:

> "Myrt in MT" <MyrtinMT@discussions.microsoft.com> wrote in message
> news:8AD6B93C-C470-4B4D-ACF8-35D6DBF120FA@microsoft.com...
> > I agree. But I have a client who has been using public addresses behind a
> > firewall and I am looking for arguments that I can use to convince him to
> > change.
> >
>
> To reply to your initial question, the answer depends on the
> quality of the firewall (i.e. what it allows).
>
> Reasons
>
> 1. pay less for fewer IPs
>
> 2. barriers emplaced / risks assumed vs. gains / costs analysis
>
> With private IPs access must be NATed or from compromised
> system on internal network (again, implying a NATing)
> With public IPs access must only route into internal network
> (which implies higher quality requirement on net admins = cost)
> So there _may_ be reduced barriers, heightened risks
> There is increased cost with holding the public IPs, admin quality
> So, what is the offsetting gain?
>
> 3. Predetermined size limit on address space
> This might need to be addressed if growth presses the limit
> This restricts what could be done to segment internal network
> into screened subnets, or even just groupings of machines by
> subnets, as a construct in partitioning the internal network for
> objects such as privacy compliance, etc.
>
> 4. no doubt others
>
> All you probably need to do is outline item 1, as it is a
> "why buy $2 pencils when $1/dozen pencils work fine"
> sort of biz manager decision.

Re: Public Addresses Used Internally by MyrtinMT

MyrtinMT
Sun Sep 03 09:54:01 CDT 2006

You describe the situation accurately. They just pulled the public IP's out
of their ear (or someplace else where the sun doesn't shine).

"Robert Moir" wrote:

> Myrt in MT wrote:
> > What would be the vulnerabilities, issues, problems etc, of using
> > public addresses on an internal network behind a firewall?
>
> Let's start with a basic.
>
> Are you talking about public addresses that the person concerned actually
> owns and is entitled to use, or are you talking about someone who has
> pulled a random IP address range out of their ear and just started using
> it internally with no regard to anything else, because the numbers looked
> lucky or something?

Re: Public Addresses Used Internally by Robert

Robert
Sun Sep 03 13:30:55 CDT 2006

Myrt in MT wrote:
> You describe the situation accurately. They just pulled the public
> IP's out of their ear (or someplace else where the sun doesn't shine).

That's about what I figured.

OK. Well assuming the firewall is working right, there are probably few
actual security issues on a day to day basis. And if the firewall isn't
working right then they're boned regardless of how they pick their IP
ranges. I would say that if the firewall isn't working right then you
could see some really interesting results if an attack was aimed at this
network from the 'real' IP addresses, but if I'm being honest this isn't
awfully likely.

One problem they will definitely have, which could have security
implications, is traffic routing. They'll be unable to communicate
properly with whoever might be the legitimate owner of the IP addresses.
If a major ISP decided to use those IP addresses to site their major email
servers, or website hosting servers, they'd be unable to use those
services properly.

Another real issue is that some of the more paranoid anti-spam tools may
well look at those IP addresses, realise that they make no sense, and
refuse to accept email that mentions them (my employer's email system
would kick messages to the kerb for this, for example).

Is there any reason why you can't just change them over to a private range
one evening or weekend anyway? Do it right and the users wouldn't even
notice.

--
--
Rob Moir, Microsoft MVP for Security
Blog Site - http://www.robertmoir.com
Virtual PC 2004 FAQ -
http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html
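
The routing problem and the renumbering suggested in the post above, as an added example that is not part of the original thread: a Python audit that flags internal subnets outside RFC 1918, lists which Internet destinations they shadow, and proposes same-size private replacements. The subnets and destinations are constructed (documentation ranges standing in for the borrowed public space), the function names are hypothetical, and the 10.0.0.0/8 pool is assumed to be unused on the network.

```python
import ipaddress

# RFC 1918 ranges reserved for internal use (IPv4 only in this sketch).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data: documentation ranges stand in for borrowed space.
INTERNAL = ["198.51.100.0/24", "192.168.10.0/24", "203.0.113.0/25"]
DESTS = ["198.51.100.25", "192.0.2.80", "203.0.113.200"]

def audit(internal_subnets, destinations):
    """Return (squatted subnets, {destination: subnet that shadows it})."""
    nets = [ipaddress.ip_network(s) for s in internal_subnets]
    squatted = [n for n in nets if not any(n.subnet_of(p) for p in RFC1918)]
    shadowed = {}
    for dest in destinations:
        addr = ipaddress.ip_address(dest)
        for net in squatted:
            # The on-link route wins, so packets never reach the real owner.
            if addr in net:
                shadowed[dest] = str(net)
    return [str(n) for n in squatted], shadowed

def renumber_plan(squatted, pool="10.0.0.0/8"):
    """Give each squatted subnet a same-size block from an unused private pool."""
    pool_net = ipaddress.ip_network(pool)
    cursor = int(pool_net.network_address)
    plan = {}
    # Largest blocks first keeps every allocation aligned to its own size.
    for old in sorted((ipaddress.ip_network(s) for s in squatted),
                      key=lambda n: n.prefixlen):
        new = ipaddress.ip_network((cursor, old.prefixlen))
        if not new.subnet_of(pool_net):
            raise ValueError("private pool exhausted")
        plan[str(old)] = str(new)
        cursor += old.num_addresses
    return plan

def translate(host, old, new):
    """Map a statically assigned host to the same offset in its new subnet."""
    old_net, new_net = ipaddress.ip_network(old), ipaddress.ip_network(new)
    return str(new_net[int(ipaddress.ip_address(host)) - int(old_net.network_address)])

if __name__ == "__main__":
    squatted, shadowed = audit(INTERNAL, DESTS)
    print("squatted:", squatted)
    print("unreachable real hosts:", shadowed)
    print("plan:", renumber_plan(squatted))
```

Keeping host offsets means the static assignments mentioned earlier in the thread carry over one-for-one to the private range.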



Re: Public Addresses Used Internally by Mark

Mark
Sun Sep 03 14:28:27 CDT 2006

"Myrt in MT" wrote:
> They are not paying anything for the public IP's. They just used them.

Then it's probable suicide

--
- Mark Randall
http://www.temporal-solutions.co.uk
http://www.awportals.com