RE: Free range addresses

From: Jollon, Matthew (MJollon@cstechnology.com)
Date: 08/21/01


Message-ID: <7259E36A9574D511946600508BD7297607F691@nymail.ny.cstechnology.com>
From: "Jollon, Matthew" <MJollon@cstechnology.com>
To: "'michael@mastergeek.com'" <michael@mastergeek.com>, security-basics@securityfocus.com
Subject: RE: Free range addresses
Date: Tue, 21 Aug 2001 12:00:32 -0400

Michael,

A company should never use routable addresses internally or in the DMZ.
Anything other than the router and firewall should conform to RFC1918. Both
for the internet's sake and the company's sake.

-----Original Message-----
From: Michael Tench [mailto:geekruler@yahoo.com]
Sent: Tuesday, August 21, 2001 11:32 AM
To: security-basics@securityfocus.com
Subject: Free range addresses

As you know, many different companies now use VPN
connectivity to communicate to each other, as well as
(unfortunately) allowing remote users to VPN into
machines on their service network. As such, you cannot
have the same subnet allocated on both sides of the
VPN tunnel... but as an IT manager or WAN analyst, you
cannot tell the other company they must change their
internal addresses.

My questions are these:
Is this a good argument for using a routable (not free
range) IP address for your service network (some say
DMZ)?
Do you think the risks of this outweigh the
benefits? (Like if the firewall fails in a manner that
allows all traffic to pass)

I welcome your comments.

It
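
The address-overlap problem raised in this thread can be checked before a tunnel is built. The following is an added example, not part of either message: it compares your own prefixes with the ones each VPN partner sends you, lists overlaps and any prefix outside RFC 1918, and picks a private subnet that collides with nobody. All names and addresses are constructed sample values.

```python
import ipaddress

# The three RFC 1918 private blocks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data: our networks and what each partner routes over the VPN.
LOCAL = {"service": "192.168.1.0/24", "internal": "10.10.0.0/16"}
PARTNERS = {
    "partner-a": ["192.168.1.0/24", "172.16.5.0/24"],
    "partner-b": ["10.10.20.0/22", "198.51.100.0/24"],
}

def find_conflicts(local, partners):
    """List (local name, partner, local net, partner net) for every overlap."""
    hits = []
    for lname, lprefix in local.items():
        lnet = ipaddress.ip_network(lprefix)
        for pname, prefixes in partners.items():
            for p in prefixes:
                if lnet.overlaps(ipaddress.ip_network(p)):
                    hits.append((lname, pname, str(lnet), p))
    return hits

def non_rfc1918(partners):
    """List (partner, prefix) for prefixes not inside any RFC 1918 block."""
    out = []
    for pname, prefixes in partners.items():
        for p in prefixes:
            net = ipaddress.ip_network(p)
            if not any(net.subnet_of(block) for block in RFC1918):
                out.append((pname, p))
    return out

def first_free(pool, new_prefix, used):
    """First subnet of `pool` with the given prefix length that overlaps nothing in `used`."""
    used_nets = [ipaddress.ip_network(u) for u in used]
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=new_prefix):
        if not any(cand.overlaps(u) for u in used_nets):
            return cand
    return None

if __name__ == "__main__":
    for hit in find_conflicts(LOCAL, PARTNERS):
        print("overlap:", hit)
    print("outside RFC 1918:", non_rfc1918(PARTNERS))
    in_use = list(LOCAL.values()) + [p for ps in PARTNERS.values() for p in ps]
    print("free /24 for the service network:", first_free("192.168.0.0/16", 24, in_use))
```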
