Re: 192.168 - why?



On Jul 26, 5:20 pm, Joe Pfeiffer <pfeif...@xxxxxxxxxxx> wrote:

> David Schwartz <dav...@xxxxxxxxxxxxx> writes:
>
> > On Jul 25, 9:10 pm, Joe Pfeiffer <pfeif...@xxxxxxxxxxx> wrote:
> >
> > > True, but they're in a league where the reason to use non-routable IP
> > > addresses is to limit external access -- another, very valid, reason.
> >
> > I don't think so. It's too easy for one machine somewhere to be
> > compromised, allowing someone to proxy to any internal address. You
> > can't let one compromise turn into hundreds anyway. I honestly think
> > this is one of the worst arguments for using non-routable addresses.
>
> You're giving the argument for no machines to be externally visible at
> all. If you've got to have outside access, only allow it to a few,
> tightly controlled machines.

No, I'm giving the argument for the protection to not be the
non-routability of the IP addresses but the security of the machines.
You can't count on non-routability ensuring the machines aren't
accessible.

I'm saying if your machines are secured properly, they are only
slightly more secure on unroutable addresses. And if they're not
secure, putting them on unroutable addresses won't make them secure.

If you count on unroutable addresses to make your machines secure, you
have a "one weak link compromises all" system. All that has to happen
is someone somehow compromises one inside machine and an attacker can
get around the unroutability of *all* machines. This compromise can be
any of a large number of things, including software on a "demo CD"
that someone runs on a machine they don't particularly care about and
that you put on your unroutable addresses because you don't trust it.

You can't have it both ways. You can't say "I'll dump all my untrusted
machines on my inside network so I don't have to really secure them
properly" and "I'll put my most important stuff that I really need to
be secure on my inside network because nobody can get to it".

You don't store your gold in the sewer.

DS


