North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: RFC1918 addresses to permit in for VPN?

  • From: Richard A. Steenbergen
  • Date: Sat Dec 30 17:55:56 2000

On Sat, 30 Dec 2000, Bill Fumerola wrote:

> On Fri, Dec 29, 2000 at 04:19:23PM -0500, Deron J. Ringen wrote:
> > That makes perfect sense to me...there is not a better way to protect a box
> > from a DOS/hack than to only give it a private address.   Why expose a box
> > to the outside world if there is not a need???
> For exactly this reason, people start to use the reserved address
> space as a security feature and think "welp, its safe now!".

That should be more correctly stated as "what more simplistic but
guarantee of nothing method".., Just remember it only takes one public
exploited linux or solaris box on your network, and suddenly all that 1918
space is fair game again. If you have put all your eggs in this one basket
and havn't bothered to take care of the rest of your responsabilities, you
could quickly find yourself getting bit hard. Straight layer 2 switches
provide little protection from someone worming their way through your
network, since arp toys like and
dozens of others are now publicly available to script kiddies.

I place this in the same category as those who blindly put their faith in
the security of ssh, without stopping to think how possible is it that
these ssh bins have been backdoored and are logging my passwords and/or
connections. This is particularly funny in the terminal room of certain
conferences, and the number of people I saw blindly ssh'ing from boxes
with no root password at nanog 19 still never ceases to amaze me.

Richard A Steenbergen <[email protected]>
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)