North American Network Operators Group


Re: RFC1918 addresses to permit in for VPN?

  • From: Richard A. Steenbergen
  • Date: Sat Dec 30 17:55:56 2000

On Sat, 30 Dec 2000, Bill Fumerola wrote:

> On Fri, Dec 29, 2000 at 04:19:23PM -0500, Deron J. Ringen wrote:
>
> > That makes perfect sense to me...there is not a better way to protect a box
> > from a DOS/hack than to only give it a private address.   Why expose a box
> > to the outside world if there is not a need???
>
> For exactly this reason, people start to use the reserved address
> space as a security feature and think "welp, it's safe now!".

That should be more correctly stated as "what more simplistic but
guarantee of nothing method"... Just remember it only takes one public
exploited linux or solaris box on your network, and suddenly all that 1918
space is fair game again. If you have put all your eggs in this one basket
and haven't bothered to take care of the rest of your responsibilities, you
could quickly find yourself getting bit hard. Straight layer 2 switches
provide little protection from someone worming their way through your
network, since arp toys like http://www.monkey.org/~dugsong/dsniff/ and
dozens of others are now publicly available to script kiddies.

I place this in the same category as those who blindly put their faith in
the security of ssh, without stopping to think how possible is it that
these ssh bins have been backdoored and are logging my passwords and/or
connections. This is particularly funny in the terminal room of certain
conferences, and the number of people I saw blindly ssh'ing from boxes
with no root password at nanog 19 still never ceases to amaze me.

-- 
Richard A Steenbergen <[email protected]>   http://www.e-gerbil.net/humble
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)
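The post's layer 2 point (a flat switched segment gives the RFC1918 hosts no protection once one box on it is compromised, because ARP can be poisoned) is the kind of thing a network operator watches for with an arpwatch-style monitor. The following is an added example, not code from the post or from the dsniff project: a small detector that keeps the IP-to-MAC bindings it has seen and raises an alert when an address changes hands, with a stronger label when the address is the segment's default gateway. The ARP replies and the gateway address are constructed sample data; the function names and the alert tuple layout are this example's own.

```python
import ipaddress
from collections import defaultdict, namedtuple

# One ARP reply as a monitor would record it: capture time, claimed IP, claiming MAC.
ArpReply = namedtuple("ArpReply", "ts sender_ip sender_mac")

# Constructed sample of ARP replies on one RFC1918 segment (not real captured traffic).
# Host .51 is the compromised box: from ts=5 on it claims the gateway and then .50.
SAMPLE_REPLIES = [
    ArpReply(1, "10.0.0.1",  "00:11:22:33:44:01"),  # gateway, first seen
    ArpReply(2, "10.0.0.50", "00:11:22:33:44:50"),
    ArpReply(3, "10.0.0.51", "00:11:22:33:44:51"),
    ArpReply(4, "10.0.0.1",  "00:11:22:33:44:01"),  # gateway again, binding unchanged
    ArpReply(5, "10.0.0.1",  "00:11:22:33:44:51"),  # .51's MAC now answers for the gateway
    ArpReply(6, "10.0.0.50", "00:11:22:33:44:51"),  # and for .50 as well
    ArpReply(7, "10.0.0.1",  "00:11:22:33:44:01"),  # real gateway answers again: flip-flop
]

# RFC1918 blocks, spelled out rather than relying on ipaddress.is_private,
# which covers more ranges than RFC1918 alone.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True if ip falls in one of the three RFC1918 blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def audit_arp(replies, gateway_ip=None):
    """Replay ARP replies and return alerts as (ts, kind, ip, old_mac, new_mac).

    kind is "gateway-impersonation" when the address that changed hands is the
    gateway, otherwise "changed-mac". A later change back to the original MAC
    is reported too (the flip-flop pattern), since that is what a poisoning
    attempt racing the real host looks like on the wire.
    """
    bindings = {}   # ip -> MAC currently believed to own it
    alerts = []
    for r in replies:
        prev = bindings.get(r.sender_ip)
        if prev is None:
            bindings[r.sender_ip] = r.sender_mac      # first sighting: learn it
            continue
        if prev != r.sender_mac:
            kind = "gateway-impersonation" if r.sender_ip == gateway_ip else "changed-mac"
            alerts.append((r.ts, kind, r.sender_ip, prev, r.sender_mac))
            bindings[r.sender_ip] = r.sender_mac      # track the new claim
    return alerts


def ips_claimed_by(replies):
    """Map each MAC to the set of IPs it has ever answered for.

    A single MAC answering for several addresses on a segment where hosts
    normally have one is the other signature worth a look.
    """
    claims = defaultdict(set)
    for r in replies:
        claims[r.sender_mac].add(r.sender_ip)
    return dict(claims)


if __name__ == "__main__":
    for alert in audit_arp(SAMPLE_REPLIES, gateway_ip="10.0.0.1"):
        ts, kind, ip, old, new = alert
        scope = "rfc1918" if is_rfc1918(ip) else "public"
        print(f"t={ts} {kind} {ip} ({scope}): {old} -> {new}")
    for mac, ips in ips_claimed_by(SAMPLE_REPLIES).items():
        if len(ips) > 1:
            print(f"{mac} has answered for {len(ips)} addresses: {sorted(ips)}")
```

On the constructed sample this produces three alerts (the gateway taken over at t=5, .50 at t=6, and the gateway flip-flopping back at t=7) and reports that the .51 MAC has answered for three addresses. The `is_rfc1918` check only labels the address in the alert; it deliberately plays no part in deciding whether to alert, which is the post's point: the private address of the victim is no reason to treat the event as harmless.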