On Sun, Mar 17, 2002 at 06:06:48PM -0800, Harry Putnam wrote:
> It seems one would want to limit exsposer of local private addresses for
> security reasons too... yes?
No. This is of dubious benefit to security, and exposing them is of almost
negligible detriment. Unless, of course, you are foolish, and your entire
security model is in using private network addresses.
If you want security, then you probably want to be firewalling at your
border (as well as your NAT), so that you know what can possibly have
come from where inside your trusted network. If you are relying on hiding
the information, then you will lose.
This, of course, is similar to the snake oil security on outward-facing
machines that is becoming a trend these days, of not having the relevant
PTR record. Some companies even feel this is necessary on their mail
relays, where they'll say EHLO with the relevant domain name anyway. If
they feel they get security by not having pointer records to
nt-outbound-mail-1.company.com then the answer is Don't Do That Then. In
this world of security and snake oil the lack of ability to distinguish
between the two is disturbing.
Anyway, I've had my rant now. :-)
The answer is, no it doesn't decrease security to expose private addresses,
unless you're a complete fool.
MBM
--
Matthew Byng-Maddick <mbm@???> http://colondot.net/
