internal ip address

Glenn Steen glenn.steen at gmail.com
Thu Feb 7 09:39:49 GMT 2008 

On 06/02/2008, Matt Kettler <mkettler at evi-inc.com> wrote:
> Hugo van der Kooij wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Denis Beauchemin wrote:
> > | Alex,
> > |
> > | The IP addresses you use are non-routable.  That means nobody can access
> > | your computers from the internet because no router will allow them.  So
> > | don't worry about the whole world knowing about your internal IP
> > addresses.
> >
> > Those were my thoughts exactly.
>
> Being non-routable helps you from a perspective of hackers using the information
> to directly break in to your network. However, an attacker probably knows all of
> your routable IPs anyway, so really that's not the threat vector.
>
> The problem, in some situations, is the information exposed can still be used
> for other purposes. ie: studying the network structure so they know where to go
> once they get in via some other method. By googling around for postings on email
> list archives, you can often generate a lot of information about the network
> structure. Such information can also be used to aid social engineering attacks
> by figuring out who works with who.
>
> Of course, this isn't exactly a "hardcore" risk factor like an open dialin, but
> it is information that an attacker can make use of. Whether that matters to your
> situation or not depends on your threat model, but anyone who sees it as
> presenting no risk at all is clearly mistaken. (ie: just because it is a trivial
> risk in the network of an ad agency, does not mean it's trivial in a financial
> organization where social engineering attacks are more likely.)
>
Actually.... Since I do work in a .gov-ish financial organization....
I'd have to say I don't agree. Some VERY LARGE financial organizations
have pretty shoddy network teams though, and in their cases... it
really is relevant. You just can't make that generalization. For the
vast majority of organizations, this is a very minor threat, not worth
breaking RFC...
I'm not saying you're wrong, just that it is ... really minor...
compared to a lot of other email-related threats:-)... Yes, you can
counter with "your generalization is bigger than mine"... I know I do
it too...:-)

On the whole, I see very little _real possibility_ of damages from this.
It is a leakage, yes.... but negligible in most cases. that's MHO ate least:-).

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

More information about the MailScanner mailing list