Re: Public Addresses Used Internally



"Myrt in MT" <MyrtinMT@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8AD6B93C-C470-4B4D-ACF8-35D6DBF120FA@xxxxxxxxxxxxxxxx
I agree. But I have a client who has been using public addresses behind a
firewall and I am looking for arguments that I can use to convince him to
change.


To reply to your initial question, the answer depends on the
quality of the firewall (i.e. what it allows).

Reasons

1. pay less for fewer IPs

2. barriers emplaced / risks assumed vs. gains / costs analysis

With private IPs access must be NATed or from a compromised
system on internal network (again, implying a NATing)
With public IPs access must only route into internal network
(which implies higher quality requirement on net admins = cost)
So there _may_ be reduced barriers, heightened risks
There is increased cost with holding the public IPs, admin quality
So, what is the offsetting gain ?

3. Predetermined size limit on address space
This might need to be addressed if growth presses the limit
This restricts what could be done to segment internal network
into screened subnets, or even just groupings of machines by
subnets, as a construct in partitioning the internal network for
objects such as privacy compliance, etc.

4. no doubt others

All you probably need to do is outline item 1, as it is a
"why buy $2 pencils when $1/dozen pencils work fine"
sort of biz manager decision.


"Mark Randall" wrote:

Just don't...

Unless you are using something like DHCP in which case I doubt we would be
having this conversation, don't use public addresses, use private ones -
that's what they are there for.

--
- Mark Randall
http://www.temporal-solutions.co.uk
http://www.awportals.com

"Myrt in MT" <MyrtinMT@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:367D3FCE-57FA-4B9C-A88F-BFC811B2F94C@xxxxxxxxxxxxxxxx
What would be the vulnerabilities, issues, problems etc, of using public
addresses on an internal network behind a firewall?
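
Reason 3 in the reply above (a fixed public allocation limits how far the internal network can be split into screened subnets) can be checked with a short planner. This is an added example, not part of the original thread; the pool `203.0.113.0/27` (a documentation range standing in for a small ISP-assigned block), the segment names and the host counts are all constructed assumptions.

```python
import ipaddress

# Constructed sample data: 203.0.113.0/27 (a documentation range) stands in for
# a small ISP-assigned public block; segment names and host counts are made up.
PUBLIC_POOL = "203.0.113.0/27"
PRIVATE_POOL = "10.0.0.0/16"
NEEDS = {"workstations": 12, "servers": 10, "finance": 6, "dmz": 4}


def prefix_for_hosts(hosts):
    """Longest IPv4 prefix whose subnet still holds `hosts` usable addresses
    (network and broadcast addresses are not usable)."""
    return 32 - (hosts + 1).bit_length()


def plan_segments(pool, needs):
    """Carve one subnet per segment out of `pool`, largest segment first.
    Returns {segment: subnet}; a segment that no longer fits maps to None."""
    free = [ipaddress.ip_network(pool)]
    plan = {}
    for name, hosts in sorted(needs.items(), key=lambda kv: -kv[1]):
        want = prefix_for_hosts(hosts)
        fits = [b for b in free if b.prefixlen <= want]
        if not fits:
            plan[name] = None          # address space exhausted
            continue
        block = max(fits, key=lambda b: b.prefixlen)   # smallest block that fits
        free.remove(block)
        subnet = next(block.subnets(new_prefix=want))
        plan[name] = subnet
        if subnet != block:
            # Keep the unused remainder of the block available.
            free.extend(block.address_exclude(subnet))
    return plan


def unplaced(plan):
    """Segments that could not be given their own subnet."""
    return sorted(name for name, net in plan.items() if net is None)


if __name__ == "__main__":
    for pool in (PUBLIC_POOL, PRIVATE_POOL):
        plan = plan_segments(pool, NEEDS)
        print(pool, {k: str(v) for k, v in plan.items()}, "unplaced:", unplaced(plan))
```

With the 32-address public block only two of the four segments get their own subnet; the same requirements fit in the private /16 with room left for further partitioning.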




