RE: Free range addresses

From: Jollon, Matthew (MJollon@cstechnology.com)
Date: 08/21/01
Message-ID: <7259E36A9574D511946600508BD7297607F691@nymail.ny.cstechnology.com>
From: "Jollon, Matthew" <MJollon@cstechnology.com>
To: "'michael@mastergeek.com'" <michael@mastergeek.com>, security-basics@securityfocus.com
Subject: RE: Free range addresses
Date: Tue, 21 Aug 2001 12:00:32 -0400

Michael,

A company should never use routable addresses internally or in the DMZ.
Anything other than the router and firewall should conform to RFC1918, both
for the internet's sake and the company's sake.

-----Original Message-----
From: Michael Tench [mailto:geekruler@yahoo.com]
Sent: Tuesday, August 21, 2001 11:32 AM
To: security-basics@securityfocus.com
Subject: Free range addresses

As you know, many different companies now use VPN
connectivity to communicate to each other, as well as
(unfortunately) allowing remote users to VPN into
machines on their service network. As such, you cannot
have the same subnet allocated on both sides of the
VPN tunnel... but as an IT manager or WAN analyst, you
cannot tell the other company they must change their
internal addresses.

My questions are these:
Is this a good argument for using a routable (not free
range) IP address for your service network (some say
DMZ)?
Do you think the risks of this outweigh the
benefits? (Like if the firewall fails in a manner that
allows all traffic to pass.)

I welcome your comments.

It

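An added example, not written by either poster, that checks the two points this thread raises: whether an address plan stays inside the RFC 1918 ranges (the reply's advice), and which of our subnets collide with a VPN peer's and would therefore need NAT on one side (the original question's problem). The two site plans are constructed sample data.

```python
import ipaddress

# The three RFC 1918 blocks. The thread's advice is that everything behind
# the router/firewall should fall inside these.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

def is_rfc1918(net):
    """True if the whole subnet lies inside one RFC 1918 block.
    Deliberately not ipaddress's is_private, which also matches loopback,
    link-local, documentation and other non-RFC1918 space."""
    net = ipaddress.ip_network(net, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)

def audit_plan(subnets):
    """Return the subnets of an address plan that are publicly routable.
    The router/firewall outside interface is expected to show up here;
    anything else in the list is a finding."""
    return [s for s in subnets if not is_rfc1918(s)]

def vpn_overlaps(local, remote):
    """Return (local, remote) pairs of subnets that overlap: these cannot be
    routed across the tunnel as-is and need NAT on one side."""
    pairs = []
    for l in local:
        ln = ipaddress.ip_network(l, strict=False)
        for r in remote:
            rn = ipaddress.ip_network(r, strict=False)
            if ln.overlaps(rn):
                pairs.append((l, r))
    return pairs

# Constructed sample plans (hypothetical, not from the thread).
OUR_SITE = ["10.1.0.0/16", "192.168.50.0/24", "203.0.113.0/28"]
PARTNER_SITE = ["10.1.20.0/24", "172.16.0.0/20"]

if __name__ == "__main__":
    print("routable subnets in our plan:", audit_plan(OUR_SITE))
    print("overlaps with partner:", vpn_overlaps(OUR_SITE, PARTNER_SITE))
```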