
RE: [cobalt-security] Might be off topic. Are computers with 16 8.192.x.x safe from Internet?



On Mon, 4 Jun 2001, Graeme Fowler wrote:

> shimi wrote:
> > As I posted before... read the wording of the RFC (I didn't
> > read it now, but I'm pretty sure what it says) - SHOULDN'T
> > be routed.
> 
> and then...
> > Internet. It's just that the ones who "made the internet" decided
> > that SOME blocks will be for partial use. If people configure 
> > their router to drop packets for 192.168.* is THEIR decision.
> > The Internet WILL route these packets if the routers in the middle
> > allows so...
> 
> 'the ones who "made the internet"' just happens to be the Internet Assigned
> Numbers Authority, in this case, who "decided" in 1996 (RFC1918 which
> obsoleted the previous RFCs, 1597 and 1627 - from 1994) that certain IP
> networks were to be defined for PRIVATE use.
> 
> These networks were defined to be for use in environments which needed IP,
> but did *not* need to be connected to the Internet; hence private networks.
> Corporate LANs, WANs and other global networks which are isolated - or
> masqueraded - from the global Internet fit into this category, as do your
> local lab testing network or the network you run for your Quake party in the
> outhouse :)
> 
> The following networks are defined as 'private':
> 
>      10.0.0.0        -   10.255.255.255  (10/8 prefix)
>      172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
>      192.168.0.0     -   192.168.255.255 (192.168/16 prefix)
> 
> These spaces can be used for any purpose without referring to a local
> internet registry or IANA. And here's the important bit in this context:
> 
> "Because private addresses have no global meaning, routing information about
> private networks shall not be propagated on inter-enterprise links, and
> packets with private source or destination addresses
> should not be forwarded across such links. Routers in networks not using
> private address space, especially those of Internet service providers, are
> expected to be configured to reject (filter out)
> routing information about private networks. If such a router receives such
> information the rejection shall not be treated as a routing protocol error."
> 
> So you should never ever see private space being routed over a public
> network[0].
> 
> Back to the point: if you number a bunch of machines to use private address
> space, they should either (a) be physically separated from the public space
> or (b) connected via a NAT or masquerading system. If they share the same *wire*
> as a public space, then they may be vulnerable to remote attacks *if and
> only if* the attacker knows they are there.
> 
> In other words, if you have a bunch of private machines happily talking to
> each other but sharing the same wire as some public space, and someone works
> out that they are there, it is possible to carry out a spoofed-blind attack
> against those machines. The attacker might not ever see the results... but
> you might :(
> 
> Rule-of-thumb: always put private networks behind a masquerading or NAT
> firewall (whether it be commercial or, say, a Linux box running IPChains).
> That way you never run the risk of leaking your local, private traffic out
> onto the wider network. And no-one else knows you're there, either :)
> 
> Graeme
> 
> -- 
> Graeme Fowler
> Systems Administrator
> Host Europe Group plc

All that you wrote is exactly what I wrote in that post, and in the
previous post of mine regarding this earlier (within the last week or so)...

My point was that you use the correct term: "SHALL".

People shall not murder. But people DO murder. And that was my point.
Routers SHOULDN'T forward packets coming with a dest address of a private
subnet, but what happens if the ISP has misconfigured its routers?

There are routers that just forward whatever comes to them into the
switch, and don't tell me there aren't - I've seen such cases in the past.

If one has such a thing, and the router at HIS location does not drop
packets with addresses allocated for private networks, one could make his
box route packets through the router, and then simply "telnet 192.168.0.2"
would work. Believe me, I tried it.

And that's what I told him...

He should have a Linux box with two NICs, one connected to the switch
that the router is connected to as well (which will be called eth0)
and one connected to the private network (which will be called eth1).

Close all services on that box (ALL!), and have ipchains MASQ all packets
coming from eth1 to eth0, and he's totally protected (in my opinion, again).

- shimi.
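As an added illustration (not code from this thread), the following Python models the filtering decision the two-NIC masquerading box described above should make: anything with an RFC 1918 source or destination arriving on the public side (eth0) is dropped, regardless of whether an upstream router forwarded it, and private traffic leaving via eth0 is masqueraded. The interface names eth0/eth1 come from the mail; the sample addresses are constructed, and the ipchains rules in the comment are an assumed equivalent, not something the thread supplies.

```python
import ipaddress
from typing import NamedTuple

# The three RFC 1918 blocks quoted in Graeme's mail.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

EXTERNAL_IF = "eth0"  # towards the switch/router, as in shimi's setup
INTERNAL_IF = "eth1"  # towards the private network


def is_private(addr: str) -> bool:
    """True if addr falls inside any RFC 1918 block."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


class Packet(NamedTuple):
    iface: str  # interface the packet arrived on
    src: str
    dst: str


def decide(pkt: Packet) -> str:
    """Return DENY, MASQ or PASS (PASS = not caught by the private-space rules).

    Assumed ipchains equivalent, one pair of rules per RFC 1918 block:
      ipchains -A input   -i eth0 -s 192.168.0.0/16 -j DENY   (and again with -d)
      ipchains -A forward -i eth0 -s 192.168.0.0/16 -j MASQ
    """
    if pkt.iface == EXTERNAL_IF:
        # Private source or destination on the public wire: an upstream router
        # forwarded what RFC 1918 says it should have filtered. Drop it.
        if is_private(pkt.src) or is_private(pkt.dst):
            return "DENY"
        return "PASS"
    if pkt.iface == INTERNAL_IF:
        if not is_private(pkt.src):
            return "DENY"   # inside host using a public source address
        if is_private(pkt.dst):
            return "PASS"   # LAN to LAN, never leaves eth1
        return "MASQ"       # rewrite src to eth0's public address on the way out
    return "DENY"           # unknown interface: default deny


if __name__ == "__main__":
    # Constructed samples; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
    for p in (Packet("eth0", "203.0.113.5", "192.168.0.2"),   # the "telnet 192.168.0.2" case
              Packet("eth1", "192.168.0.2", "198.51.100.1"),  # LAN host going out
              Packet("eth0", "198.51.100.1", "203.0.113.9")): # ordinary public traffic
        print(p.iface, p.src, "->", p.dst, decide(p))
```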