Security Basics mailing list archives

Re: Possibility of routing through internet with private IP address


From: Ranjeet Shetye <ranjeet.shetye2 () zultys com>
Date: Thu, 16 Oct 2003 14:56:32 -0700

On Thu, 2003-10-16 at 09:00, e-bone wrote:
> Hi,
> We have the following VPN/Firewall setup:
>
> WAN -- T1 router -- netscreen(VPN) -- SonicWall(Firewall) -- LAN
>
> NAT takes place at the SonicWall.
>
> VPN tunnels from the WAN side end at the netscreen.
> VPN users receive a "virtual" IP address of 172.31.1.*,
> 172.31.2.*, etc ...
>
> The SonicWall has rules allowing in these private address ranges.
>
> Now, the question ....
> My (doofus) boss seems to think that it is possible that somebody
> could come into our LAN from the WAN side with one of these private IP
> addresses?
> I tend to think this is complete hogwash (or bollocks if you prefer).
>
> Is there any way someone can route through the internet (WAN) with a
> private IP address, and have the packets routed back to them properly?
>
> For the purposes of answering the question, disregard for the moment
> that we could set up the netscreen with policies requiring these private
> IP ranges to be tunneled .... my boss for some inexplicable reason
> has no faith in this device ... that is the whole reason we still
> have the SonicWall around too.
>
> Any tips, hints, or gibberish of any kind welcome.
>
> cheers,
> e


Routing and VPN are two separate things.


Now, assuming you don't have any fancy stuff like any non-VPN IP in IP
tunnels etc.

1. Private IP addresses (amongst other types of IP addresses such as
ZERONET) will NOT be routed by any RFC 1918 compliant router.

IP in IP tunnels or SSH reverse tunnels will "break" this standard because
of the tunnelling - be aware of it.

2. I hope you have good packet filtering running because people CAN use
tricks to make external packets appear as if they are internal packets
or make their packets look like a server response, and thereby elicit
responses OR lack of responses - any of which can yield useful
information to a cracker. (Read up about rp_filter on Linux.)

3. Packets from private IP addresses can make their way into your
network only over the VPN and assuming VPN is secure (and maybe subject
to packet filtering rules after decryption), no other private IPs should
be visible.

1. and 3. are easy to prove. 2. - you need to do some reading to explain
yourself but mentioning it to PHB might give the genius even more skewed
ideas.

The IP-IP tunnels or reverse SSH tunnels are the hardest to track down
unless you're doing deep packet inspection - because you can have all the
network level policies in the world and these tunnels will probably
bypass all such policies very easily.

-- 

Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
Ranjeet dot Shetye2 at Zultys dot com
http://www.zultys.com/
 
The views, opinions, and judgements expressed in this message are solely
those of the author. The message contents have not been reviewed or
approved by Zultys.
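The reply's points 2 and 3 (anti-spoofing filtering and rp_filter, and private source addresses arriving only via the VPN interface) can be modelled in a few lines. The following is an added example written for this archive page, not code from either poster; it reproduces the thread's topology with assumed interface names (wan, vpn, lan) and assumed prefixes for the LAN and VPN virtual ranges, and models a strict reverse-path check in plain Python rather than calling the real Linux `rp_filter` sysctl. The log lines it audits are constructed for the example.

```python
import ipaddress

# Routing table of the example gateway (constructed; interface names and
# prefixes are assumptions modelled on the thread's setup). VPN "virtual"
# addresses are reachable only through the tunnel interface, the LAN through
# the inside interface, and everything else goes out the WAN.
ROUTES = {
    ipaddress.ip_network("172.31.0.0/16"): "vpn",
    ipaddress.ip_network("192.168.1.0/24"): "lan",
    ipaddress.ip_network("0.0.0.0/0"): "wan",
}

# Source prefixes that must never arrive from the Internet side: RFC 1918
# private space, "this network" (0.0.0.0/8, the ZERONET of the reply) and
# loopback. A WAN packet with one of these sources is spoofed or leaked.
MARTIANS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def reverse_path_iface(src):
    """Longest-prefix lookup: which interface would a reply to `src` leave by?"""
    addr = ipaddress.ip_address(src)
    best = None
    for net, iface in ROUTES.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rp_filter(iface, src):
    """Strict reverse-path check plus a martian filter on the WAN.

    Accept a packet only if the route back to its source address leaves
    through the interface it arrived on. This is why a 172.31.x.x source
    is accepted from the tunnel but dropped from the Internet side.
    """
    addr = ipaddress.ip_address(src)
    if iface == "wan" and any(addr in m for m in MARTIANS):
        return "drop"
    return "accept" if reverse_path_iface(src) == iface else "drop"


# Constructed sample of ingress log lines (iface=... src=... dst=...).
LOG_LINES = [
    "iface=wan src=203.0.113.7 dst=192.168.1.10",   # ordinary Internet client
    "iface=wan src=172.31.1.5 dst=192.168.1.10",    # VPN range spoofed from WAN
    "iface=vpn src=172.31.1.5 dst=192.168.1.10",    # same source via the tunnel
    "iface=wan src=192.168.1.10 dst=192.168.1.20",  # LAN address from WAN
    "iface=lan src=192.168.1.20 dst=198.51.100.4",  # normal outbound LAN traffic
]


def audit(lines):
    """Apply rp_filter() to each log line; returns (line, verdict) pairs."""
    results = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        results.append((line, rp_filter(fields["iface"], fields["src"])))
    return results


if __name__ == "__main__":
    for line, verdict in audit(LOG_LINES):
        print(f"{verdict:6} {line}")
```

Running it prints accept for the first, third and fifth lines and drop for the two WAN packets carrying inside addresses, which is the behaviour the reply expects from a correctly filtered gateway: private sources reach the LAN only through the tunnel. The martian list is checked before the reverse-path lookup so that a WAN packet with a private source is rejected even if someone later adds a route for that prefix out the WAN.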



---------------------------------------------------------------------------
FREE Whitepaper: Better Management for Network Security

Looking for a better way to manage your IP security?
Learn how Solsoft can help you:
- Ensure robust IP security through policy-based management
- Make firewall, VPN, and NAT rules interoperable across heterogeneous
networks
- Quickly respond to network events from a central console

Download our FREE whitepaper at:
http://www.securityfocus.com/sponsor/Solsoft_security-basics_031015
----------------------------------------------------------------------------

