Public or Private IPs internally

Silver Bullet

I was on a customer's site the other day and noticed that they are using publicly addressable IP addresses for their client PCs, Printers, Servers, everything internally.

Now, why would anyone want to spend that kind of money just on IP Addresses. WHY? WHY? WHY?

I wasn't there to survey the network, just to resolve a problem they were having. But I noticed this one client's IP Address and started looking around at the other devices in the general area and sure 'nuff, they are all using public ip addresses. Now, this is a medium size network that belongs to a publicly traded financial institution and I'm thinking whoever it was that designed that network should have known better. right? I mean really, why would one do this?

So I'm thinking that this may just be an isolated part of the network that is like this. Nope. It's not. I had to go to another of their sites and that site was as well.

Is there something I am missing or is there just this one particular reason that I'm not aware of that you would want ALL of your internal clients to have a public ip address?

sprkymrk

In the Army we do it that for a couple of reasons, but both have to do with security. The first is so that when accessing servers (such as web/ftp, etc.) servers belonging to the Army, the server will do a reverse lookup on the client to make sure it is coming from a .mil domain. If not, it will be denied access. However, simple NAT'ing will do that as well, as the reverse lookup for an army proxy/gateway/firewall or other NAT device will have a public IP that resolves to the .mil domain, right?

So the second reason is simply for granular security. Not every army client has access rights to every other army client/server. ACL's on Army Security Routers and firewalls are severly locked down. I might have 500 clients behind my firewall, but only 6 of them are allowed to access a particular server on another installation - so I have to submit the exception list to the remote firewall admin or NOC with a list of those 6 IP's.

Now NAT would be real hard to set up if I had to do that for every one of my clients that needed access to dozens of remote servers or vice versa. So unless the Army decides that all Army computers be allowed to access all Army servers we are stuck with public IP's on internal computers. However, with the exception of some mainframe stuff, all of our internal network printers use private IP's.

Silver Bullet wrote:

Now, why would anyone want to spend that kind of money just on IP Addresses. WHY? WHY? WHY?

Oh, the Army doesn't have to pay for IP's.

bighornsheep

That's not actually surprising to me, my school did that too...

blargoe

People sometimes misunderstand publicly addressable IP addresses to mean that the hosts using them are publicly accessible. As long as the standard best practices are followed for securing internal hosts from the Internet, it shouldn't be a problem.

I worked for a manufacturing company that used to be very large (60,000 employees I think) and dwindled to about 2,500 employees total by the time I became affiliated with them. When they were in their heyday they got a dedicated class B assigned to them and these addresses were used for all hosts. Of course by the time I got there it was total overkill.

mgeorge

Several corporations do this for security purposes. Many corporations I've worked with use public ip's internal devices but dont let this fool you, they are still behind several firewalls (typically Cisco ASA's)

sprkymrk

mgeorge27 wrote:

(typically Cisco ASA's)

Actually I believe Checkpoint still has far and away the largest market share on firewalls at about 48%. Cisco (with all VPN/Firewall products combined) has the largest revenue share. The PIX is still very widely deployed as well, probably more so than the ASA as yet, but I could be wrong.

larkspur

even a SP like verizon or At&t do it with MPLS. MPLS is a private network but if you look at the addresses they give you for CE\PE they do not fall under rfc 1918. Somethign to do with avoiding possible routing issues...

3. Private Address Space

The Internet Assigned Numbers Authority (IANA) has reserved the
following three blocks of the IP address space for private internets:

10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

http://www.faqs.org/rfcs/rfc1918.html

JDMurray

If your entire LAN is segregated behind NAT routers then you can use whatever IP addressing scheme you want. The IPs will never make it out on to the public Internet.

Silver Bullet

I see your point JD. So they may not have purchased those IPs for the clients, rather they are using whatever they feel like. Then again they may have. The only problem I could see coming from them not purchasing them and using whatever they want is in an instance of when a client is trying to access an internet service on one of the IPs that is being used by one of the clients.

I am sure that while they are public addresses that the devices are not publicly accessible. I guess this is my first encounter of a network setup like this and it seemed odd.

Maybe I am the one misinformed

xwesleyxwillisx

So what happens when you try to access google.com and it just so happens one of your internal PCs is using the IP address your DNS server resolves? How do you know the public IPs you are assigning to your internal network do not overlap with addresses your clients may need to access?

ajs1976

I have run into that scenario before. What can happen is that a sales person form an ISP asks the client how many PCs they have. The client doesn't know any better and tells the sales person. Then I get on site to setup the network and the client already has a signed contract where they are being charged for x number of public IPs when they only need a couple or even just one.


I did run into one network that had public IPs and no firewall. Couldn't fix it right away because it was not 'broken', but got to about a year later when their file server was turned into a Warez server.

larkspur

I did run into one network that had public IPs and no firewall. Couldn't fix it right away because it was not 'broken', but got to about a year later when their file server was turned into a Warez server.

nice

sprkymrk

JDMurray wrote:

If your entire LAN is segregated behind NAT routers then you can use whatever IP addressing scheme you want. The IPs will never make it out on to the public Internet.

Not really - as some have pointed out if you use a public ip owned by someone else and one of your clients tries to access it, depending on whether you are using an internal or external DNS server you could end up at the wrong server. Additionally, if you run any servers that need to be accessable from outside your network it won't work.

Plus it's just plain silly when you can use one of the RFC 1918 addresses anyway.

JDMurray

sprkymrk wrote:

depending on whether you are using an internal or external DNS server you could end up at the wrong server.

If you are using external DNS servers to map internal hosts then your LAN isn't entirely private.

Ahriakin

Some firewalls (PIX/ASA for example) can Doctor DNS during NAT/PAT, essentially correcting the DNS replies with addresses that will work under your NAT scheme.

sprkymrk

JDMurray wrote:

sprkymrk wrote:

depending on whether you are using an internal or external DNS server you could end up at the wrong server.

If you are using external DNS servers to map internal hosts then your LAN isn't entirely private.

Oh, you never said "entirely private". You said "entire LAN segmented behind NAT routers". You can hide behind NAT routers and still query your ISP DNS servers for instance as one might do on a home, SOHO, or even a bigger LAN. You see the problems that could create I'm sure.

dtlokee

I can't wait for IPv6 to become widely deployed.

Many companies that want to use IPSec end to end (host to host as opposed to router to router or FW to FW over the Internet) will use public IP addresses on the inside hosts as well and configure the FW's and other security appliances to only allow ESP connection to the hosts.

rossonieri#1

well - thats an old public ip story.
you guys are correct btw, as long it doesnt go out from the proxy you'll be "safe".
but - you guys are correct also - about that "illegal POP" inside if you are not secure enough.
once - i did an entire network renumbering - anD ended up still using those public ips because we cant figuring out anymore which privates are left :P

cheers.

larkspur

I guess it comes down do doing the right thing. If you are in teh know then you know what not to do and teh right way to do it.

If your not then well ask someone for help.......

keatron

sprkymrk wrote:

Oh, the Army doesn't have to pay for IP's.

And even if they did have to pay for them, they have this bottomless pit known as their budget.

sprkymrk

keatron wrote:

sprkymrk wrote:

Oh, the Army doesn't have to pay for IP's.

And even if they did have to pay for them, they have this bottomless pit known as their budget.

Well yes, that's true too. But the "bottomless" money pit is only for hiring foreign nationals to clean our bases in Afganistan and Iraq and then wondering why all our thumbdrives and laptops end up for sale in the market square.