[unisog] Public or Private IP addresses?

Vijay S Sarvepalli VSSARVEP VSSARVEP at uncg.edu
Fri Oct 14 12:59:26 GMT 2005


Don't forget you can also do "one-to-one NAT" to avoid some of the concerns.
For example, the whole block of
7.11.*.* (outside) <=> 10.11.*.* (private)

I like private addressing, especially for RESNET.  Your mileage and others'
input might vary.
Even some large ISPs like Cincinnati Bell with their ADSL solution provide
private addresses?

gentuxx <gentuxx at gmail.com>
Sent by: unisog-bounces at lists.sans.org
10/14/2005 02:04 AM
Please respond to gentuxx at gmail.com; UNIversity Security Operations Group <unisog at lists.sans.org>
To: UNIversity Security Operations Group <unisog at lists.sans.org>
cc:
Subject: Re: [unisog] Public or Private IP addresses?


Scott Genung wrote:

>Cosmin,
>
>At 05:43 PM 10/13/2005, Stejerean, Cosmin wrote:
>
>>I am wondering how the network is set up at other universities and what
>>people on the list think about advantages and disadvantages of picking one
>>over the other.
>
>
>We have used private address space at Illinois State for a number of years.
>About 12K addresses we have in use today reside in 10. addressing. There
>are over 17K devices that currently connect to our campus network.
>
>We have a class B address space and migrated to private addressing many
>years ago (mid to late 90's) initially to support our migration from token
>ring to switched ethernet technologies. Today, we use it within our client
>side networks (residence halls, wireless, public jacks, etc).
>
>Using this model, we perform address translation at the edge of our network
>within the WAN. We use our public address space to support systems that
>need public addressability such as web and email servers and then reserve
>about 50 /24 subnets for address translation using NAT (a single public IP
>address is dynamically mapped to a single private address if an off-campus
>connection is established).
>
>Initially used to augment our public address space, we found that using
>private addressing greatly simplified our perimeter firewall policies. If
>the on-campus source address resides in private address space (ie: 10.), we
>use policy routing to direct this traffic to a firewall. If the source
>resides within public address space, this traffic bypasses the perimeter
>firewalls. Inbound traffic is directed to the firewalls based upon the
>translated address space. All traffic directed to translated addresses is
>inspected for state, and traffic for which no state exists is blocked. This
>has been a very effective approach to blocking external reconnaissance
>activities.
>
>We also use the 172.16. address space for systems that need to reside in
>private address space for which we do not want NAT. This address space is
>used by systems that do not need to be reached from off-campus (without a
>VPN client).
>
>At this point, the only application that we've encountered problems with
>private addressing has been video conferencing. In this case, we have been
>testing a gateway product that advertises a single public IP address. To
>dial inbound to campus to one of these endpoints, you would dial the public
>address associated with the gateway along with an h.164 extension. We have
>not had problems with video conferencing applications originating from an
>h.323 endpoint residing in private address space.
>>Regards,
>>
>>Cosmin Stejerean
>>
>>
>>
>>
>>_______________________________________________
>>unisog mailing list
>>unisog at lists.sans.org
>>http://www.dshield.org/mailman/listinfo/unisog
>
>
>
>Scott Genung
>Manager of Networking Systems
>Telecommunications and Networking
>Illinois State University
>124 Julian Hall
>Normal, IL 61790-3500
>
>sagenung at ilstu.edu
>Phone: (309)438-7258
>Web: http://www.telecom.ilstu.edu
>
>
FWIW, I came from an organization that was predominantly RFC1918
addressed.  Now I'm working in an environment that is predominantly
public addressed.  It is a complete culture shock.  Also, I'm a
security guy.  I know security systems, not networks (I know
networks, but you know... not like a true network guru).  Anyway, I
believe that Scott's situation is very sound.  IMHO, "private"
addressing should be kept private.  "Public" addressing should be kept
public.  It's really as simple as that.

In regards to your original question, I can't really speak to the
actual configuration of the respective networks I've dealt with, but I
think that being able to intelligently combine both public and private
IP spaces allows you to benefit from the advantages of both, while
minimizing the disadvantages of each.

HTH

--
gentux
echo "hfouvyAdpy/ofu" | perl -pe 's/(.)/chr(ord($1)-1)/ge'

gentux's gpg fingerprint ==> 34CE 2E97 40C7 EF6E EC40  9795 2D81 924A 6996 0993

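An added example, not code from any poster in this thread, that models the edge design Scott describes (10. clients policy-routed through a stateful NAT firewall, public space bypassing it, 172.16 hosts never translated, inbound to the translated pool dropped when no state exists) together with the one-to-one NAT block from Vijay's reply. The campus public prefix and translated pool are constructed documentation ranges; the 7.11.*.* <=> 10.11.*.* block is Vijay's own example.

```python
"""Toy model of the edge design in this thread (added example, not any poster's code):
10. clients are policy-routed through a stateful NAT firewall, campus public space bypasses
it, 172.16 hosts are never translated, and inbound traffic to the translated pool is dropped
unless outbound state exists. Public prefixes are constructed documentation ranges."""
import ipaddress

CAMPUS_PUBLIC = ipaddress.ip_network("198.51.100.0/24")  # constructed stand-in for campus public space
NAT_POOL = ipaddress.ip_network("203.0.113.0/24")        # constructed translated (public-side) pool
NAT_CLIENTS = ipaddress.ip_network("10.0.0.0/8")          # client-side private space that is NATed
NO_NAT_PRIVATE = ipaddress.ip_network("172.16.0.0/12")    # private space without NAT (VPN only)
OUTSIDE_1TO1 = ipaddress.ip_network("7.11.0.0/16")        # Vijay's one-to-one block: outside side
INSIDE_1TO1 = ipaddress.ip_network("10.11.0.0/16")        # and its inside counterpart

def one_to_one(addr):
    """Map across the one-to-one NAT block in either direction, keeping the host part."""
    addr = ipaddress.ip_address(addr)
    for here, there in ((OUTSIDE_1TO1, INSIDE_1TO1), (INSIDE_1TO1, OUTSIDE_1TO1)):
        if addr in here:
            return str(there.network_address + (int(addr) - int(here.network_address)))
    raise ValueError(f"{addr} is not in the one-to-one NAT block")

class EdgeNat:
    def __init__(self):
        self.free = list(NAT_POOL.hosts())   # unused public pool addresses
        self.out_to_in, self.in_to_out = {}, {}   # active dynamic mappings, both directions

    def outbound(self, src):
        """Return (path, address seen off-campus); the address is None when dropped."""
        src = ipaddress.ip_address(src)
        if src in CAMPUS_PUBLIC:
            return "bypass", str(src)          # public space skips the perimeter firewall
        if src in NO_NAT_PRIVATE:
            return "drop", None                # 172.16 space has no path off-campus
        if src in NAT_CLIENTS and (src in self.in_to_out or self.free):
            if src not in self.in_to_out:      # first off-campus connection: allocate a pool address
                pub = self.free.pop(0)
                self.in_to_out[src], self.out_to_in[pub] = pub, src
            return "firewall", str(self.in_to_out[src])
        return "drop", None                    # exhausted pool or non-campus source

    def inbound(self, dst):
        """Return the inside address a packet is delivered to, or None if it is blocked."""
        dst = ipaddress.ip_address(dst)
        if dst in CAMPUS_PUBLIC:
            return str(dst)                    # public servers are reachable directly
        if dst in NAT_POOL:                    # translated space: pass only if state exists
            return str(self.out_to_in[dst]) if dst in self.out_to_in else None
        return None                            # private space is not routable from outside
```

Probing an unmapped pool address (`inbound("203.0.113.9")` with no prior outbound connection) returns None, which is the reconnaissance-blocking behaviour Scott describes.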