[unisog] Public or Private IP addresses?
Ryan.Dorman at millersville.edu
Fri Oct 14 14:01:26 GMT 2005
As others have mentioned, this debate is neither new nor over. I am usually
found in the "tin-foil hat packet wonk" camp, believing that the less
munging done to packets, the better. NAT is not a security plan; it is
a plan for getting us out of the hell that classful addressing left us in.
Now, I'm a little biased, as we were a school that got a swamp class C and
then a full class B, so this does allow me to be a little more cavalier
about IP addressing. In general, though, I think it's best to be as public as
possible with IPs. If you are using private addressing as a security
measure, then there are other steps you haven't taken to protect your nets.
Ryan Dorman, CCNP
Network Engineering Specialist
On 10/14/05 2:04 AM, "gentuxx" <gentuxx at gmail.com> wrote:
> Scott Genung wrote:
>> At 05:43 PM 10/13/2005, Stejerean, Cosmin wrote:
>>> I am wondering how the network is setup at other universities and what
>>> people on the list think about advantages and disadvantages of picking one
>>> over the other.
>> We have used private address space at Illinois State for a number of years.
>> About 12K addresses we have in use today reside in 10. addressing. There
>> are over 17K devices that currently connect to our campus network.
>> We have a class B address space and migrated to private addressing many
>> years ago (mid to late 90's) initially to support our migration from token
>> ring to switched ethernet technologies. Today, we use it within our client
>> side networks (residence halls, wireless, public jacks, etc).
>> Using this model, we perform address translation at the edge of our network
>> within the WAN. We use our public address space to support systems that
>> need public addressability such as web and email servers and then reserve
>> about 50 /24 subnets for address translation using NAT (a single public IP
>> address is dynamically mapped to a single private address if an off-campus
>> connection is established).
>> Initially used to augment our public address space, we found that using
>> private addressing greatly simplified our perimeter firewall policies. If
>> the on-campus source address resides in private address space (i.e., 10.), we
>> use policy routing to direct this traffic to a firewall. If the source
>> resides within public address space, this traffic bypasses the perimeter
>> firewalls. Inbound traffic is directed to the firewalls based upon the
>> translated address space. All traffic directed to translated addresses is
>> inspected for state, and traffic for which no state exists is blocked. This
>> has been a very effective approach to blocking external reconnaissance.
>> We also use the 172.16. address space for systems that need to reside in
>> private address space for which we do not want NAT. This address space is
>> used by systems that do not need to be reached from off-campus (without a
>> VPN client).
>> At this point, the only application that we've encountered problems with
>> private addressing has been video conferencing. In this case, we have been
>> testing a gateway product that advertises a single public IP address. To
>> dial inbound to campus to one of these endpoints, you would dial the public
>> address associated with the gateway along with an h.164 extension. We have
>> not had problems with video conferencing applications originating from an
>> h.323 endpoint residing in private address space.
>>> Cosmin Stejerean
>>> unisog mailing list
>>> unisog at lists.sans.org
>> Scott Genung
>> Manager of Networking Systems
>> Telecommunications and Networking
>> Illinois State University
>> 124 Julian Hall
>> Normal, IL 61790-3500
>> sagenung at ilstu.edu
>> Phone: (309)438-7258
>> Web: http://www.telecom.ilstu.edu
> FWIW, I came from an organization that was predominantly RFC1918
> addressed. Now I'm working in an environment that is predominantly
> public addressed. It is a complete culture shock. Also, I'm a
> security guy. I know security systems, not networks ( I know
> networks, but you know.....not like a true network guru). Anyway, I
> believe that Scott's situation is very sound. IMHO, "private"
> addressing should be kept private. "Public" addressing should be kept
> public. It's really as simple as that.
> In regards to your original question, I can't really speak to the
> actual configuration of the respective networks I've dealt with, but I
> think that being able to intelligently combine both public and private
> IP spaces allows you to benefit from the advantages of both, while
> minimizing the disadvantages of each.
> - --
> echo "hfouvyAdpy/ofu" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
> gentux's gpg fingerprint ==> 34CE 2E97 40C7 EF6E EC40 9795 2D81 924A 6996 0993
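As an added illustration (not code from the thread or from any of the posters), here is a small Python model of the edge policy Scott describes: policy-route on whether the source is RFC1918, map one private address to one public address drawn from a reserved NAT pool when an off-campus connection is opened, and admit inbound packets to translated addresses only when matching outbound state exists. The pool (192.0.2.0/24) and the sample addresses are assumptions taken from the documentation ranges, not any campus's real allocation.

```python
"""Model of the thread's edge policy: RFC1918 sources go through the stateful
NAT/firewall, public sources bypass it, and unsolicited inbound traffic to a
translated address is dropped. Constructed example; addresses are assumptions."""
import ipaddress
from typing import Optional

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed public block reserved for translation (TEST-NET-1, a documentation range).
NAT_POOL = ipaddress.ip_network("192.0.2.0/24")


def is_rfc1918(addr: str) -> bool:
    """True if addr falls in any of the three RFC 1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def egress_path(src: str) -> str:
    """Policy-routing decision keyed on the source address only:
    private sources are steered to the firewall, public sources bypass it."""
    return "firewall" if is_rfc1918(src) else "bypass"


class StatefulNat:
    """One-to-one dynamic NAT: each private host that talks off-campus gets a
    public address from the pool, and a state entry is recorded per flow.
    Inbound packets are accepted only if they match a recorded flow."""

    def __init__(self, pool: ipaddress.IPv4Network):
        self.free = [str(h) for h in pool.hosts()]
        self.mapping = {}    # private ip -> public ip
        self.reverse = {}    # public ip -> private ip
        self.state = set()   # (public ip, remote ip, remote port)
        self.drops = []      # unsolicited inbound packets (recon probes land here)

    def outbound(self, src: str, dst: str, dport: int) -> Optional[str]:
        """Translate an outbound packet; returns the public address used,
        or None when the packet is not the NAT's business."""
        if not is_rfc1918(src) or is_rfc1918(dst):
            return None  # public source bypasses; private->private is not translated
        pub = self.mapping.get(src)
        if pub is None:
            if not self.free:
                raise RuntimeError("NAT pool exhausted")
            pub = self.free.pop(0)
            self.mapping[src] = pub
            self.reverse[pub] = src
        self.state.add((pub, dst, dport))
        return pub

    def inbound(self, src: str, sport: int, dst: str) -> Optional[str]:
        """Return the private destination for an inbound packet that matches
        existing state; drop (return None) anything unsolicited."""
        if (dst, src, sport) in self.state:
            return self.reverse[dst]
        self.drops.append((src, sport, dst))
        return None


if __name__ == "__main__":
    nat = StatefulNat(NAT_POOL)
    print(egress_path("10.1.2.3"), egress_path("198.51.100.7"))
    pub = nat.outbound("10.1.2.3", "203.0.113.10", 443)
    print("reply accepted ->", nat.inbound("203.0.113.10", 443, pub))
    print("probe accepted ->", nat.inbound("203.0.113.99", 22, pub))
    print("dropped:", nat.drops)
```

The point the model makes is the one Ryan and Scott are both circling: the protection comes from the state table and the drop of unmatched inbound packets, not from the 10. addresses themselves. A scanner that probes the pool sees the same silence whether the hosts behind it are numbered privately or publicly, as long as the stateful filter sits in the path.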