RE: [cobalt-security] Might be off topic. Are computers with 16 8.192.x.x safe from Internet?
shimi wrote:
> As I posted before... read the wording of the RFC (I didn't 
> read it now, but I'm pretty sure what it says) - SHOULDN'T
> be routed.

and then...
> Internet. It's just that the ones who "made the internet" decided
> that SOME blocks will be for partial use. If people configure 
> their router to drop packets for 192.168.* is THEIR decision.
> The Internet WILL route these packets if the routers in the middle
> allows so...

'the ones who "made the internet"' just happens to be the Internet Assigned
Numbers Authority, in this case, who "decided" in 1996 (RFC1918 which
obsoleted the previous RFCs, 1597 and 1627 - from 1994) that certain IP
networks were to be defined for PRIVATE use.

These networks were defined to be for use in environments which needed IP,
but did *not* need to be connected to the Internet; hence private networks.
Corporate LANs, WANs and other global networks which are isolated - or
masqueraded - from the global Internet fit into this category, as do your
local lab testing network or the network you run for your Quake party in the
outhouse :)

The following networks are defined as 'private':

     10.0.0.0        -   10.255.255.255  (10/8 prefix)
     172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
     192.168.0.0     -   192.168.255.255 (192.168/16 prefix)

These spaces can be used for any purpose without referring to a local
internet registry or IANA. And here's the important bit in this context:

"Because private addresses have no global meaning, routing information about
private networks shall not be propagated on inter-enterprise links, and
packets with private source or destination addresses
should not be forwarded across such links. Routers in networks not using
private address space, especially those of Internet service providers, are
expected to be configured to reject (filter out)
routing information about private networks. If such a router receives such
information the rejection shall not be treated as a routing protocol error."

So you should never ever see private space being routed over a public
network[0].

Back to the point: if you number a bunch of machines to use private address
space, they should either (a) be physically separated from the public space
or (b) connected via a NAT or masquerading system. If they share the same *wire*
as a public space, then they may be vulnerable to remote attacks *if and
only if* the attacker knows they are there.

In other words, if you have a bunch of private machines happily talking to
each other but sharing the same wire as some public space, and someone works
out that they are there, it is possible to carry out a spoofed-blind attack
against those machines. The attacker might not ever see the results... but
you might :(

Rule-of-thumb: always put private networks behind a masquerading or NAT
firewall (whether it be commercial or, say, a Linux box running IPChains).
That way you never run the risk of leaking your local, private traffic out
onto the wider network. And no-one else knows you're there, either :)

Graeme

-- 
Graeme Fowler
Systems Administrator
Host Europe Group plc
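A worked example added here (not code from the original thread or from Graeme's post): the two border-router rules in the RFC 1918 paragraph quoted above, packet filtering and route rejection, written in Python with the standard ipaddress module and run over a few constructed (src, dst) pairs. The public addresses used are documentation-range placeholders (198.51.100.0/24, 203.0.113.0/24), not real hosts.

```python
import ipaddress

# The three RFC 1918 blocks exactly as listed in the message (IPv4 only).
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr: str) -> bool:
    """True if addr lies inside one of the three private blocks.
    A non-IPv4 address is never 'in' an IPv4 network, so it returns False."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in RFC1918_BLOCKS)


def forward_on_border(src: str, dst: str) -> bool:
    """Per-packet decision on an inter-enterprise link: forward only when
    neither source nor destination is private ('should not be forwarded')."""
    return not (is_rfc1918(src) or is_rfc1918(dst))


def accept_route(prefix: str) -> bool:
    """Routing-information decision: silently reject any advertised prefix
    that falls within private space ('expected to ... reject (filter out)').
    A non-IPv4 prefix cannot be inside these blocks, so it is accepted here."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != 4:
        return True
    return not any(net.subnet_of(block) for block in RFC1918_BLOCKS)


def filter_packets(packets):
    """Split (src, dst) pairs into the forwarded and the dropped lists."""
    forwarded, dropped = [], []
    for src, dst in packets:
        (forwarded if forward_on_border(src, dst) else dropped).append((src, dst))
    return forwarded, dropped


def demo():
    # Constructed sample traffic seen at a border router.
    packets = [
        ("192.168.1.10", "203.0.113.5"),     # private source: drop
        ("203.0.113.5", "10.0.0.1"),         # private destination: drop
        ("198.51.100.7", "203.0.113.5"),     # public to public: forward
        ("172.31.255.254", "172.32.0.1"),    # 172.31/16 is private, 172.32 is not: drop
    ]
    return filter_packets(packets)
```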