> I wouldn’t want a public ip for all the devices and computers on my home network either. Seems like a huge security risk.
The real security risk is thinking that just because you have an internal RFC 1918 address space your security has improved.
It's been a decade+ since a firewall being considered a castle/moat of security was best practice. Any IT person who sees a device with a 10/8 (or 172.16/12 or 192.168/16) IP and thinks you're safe should be fired: it's lazy thinking.
At least if you had a GUA address it would force you to pay more attention to the rest of your security controls. Just recently a co-worker retired some systems that were accessible to the outside via DNAT—but forgot to clean up the firewall rules. So he then—for some fucking stupid reason—decided to re-use those same IPs, even though we had so many fucking other IPs available, and one of the boxes got compromised because it happened to have a simple, guessable password on the initial image install.
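
The failure described in this comment (DNAT rules outliving the hosts they pointed at, then the addresses being re-used) can be caught by cross-checking forwarding rules against an inventory. The following is an added example, not part of the original comment: it assumes a Linux firewall with rules in `iptables-save` format (the comment does not say which firewall was involved), and the rules, addresses and inventory are constructed.

```python
import ipaddress
import shlex

# Constructed sample: iptables-save style NAT rules (documentation addresses).
SAMPLE_RULES = """\
*nat
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.5.20:8443
-A PREROUTING -d 203.0.113.11/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.0.5.21:22
-A PREROUTING -d 203.0.113.12/32 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 10.0.5.99
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# Constructed inventory: internal IP -> (record state, ports approved for exposure).
INVENTORY = {
    "10.0.5.20": ("active", {8443}),
    "10.0.5.21": ("retired", set()),  # decommissioned, address free for re-use
}

def parse_dnat(rules_text):
    """Yield (rule, internal_ip, internal_port) for every DNAT rule.

    Assumes a single IPv4 target per rule (no address or port ranges).
    """
    for line in rules_text.splitlines():
        tokens = shlex.split(line)
        if "DNAT" not in tokens or "--to-destination" not in tokens:
            continue
        target = tokens[tokens.index("--to-destination") + 1]
        host, _, port = target.partition(":")
        dport = tokens[tokens.index("--dport") + 1] if "--dport" in tokens else None
        # With no port in the target, the original destination port is kept.
        port = port or dport
        yield line, str(ipaddress.ip_address(host)), int(port) if port else None

def audit(rules_text, inventory):
    """Return findings for DNAT rules not backed by a live, approved host."""
    findings = []
    for rule, ip, port in parse_dnat(rules_text):
        state, ports = inventory.get(ip, ("unknown", set()))
        if state != "active":
            findings.append((ip, port, f"target is {state}", rule))
        elif port not in ports:
            findings.append((ip, port, "port not approved for exposure", rule))
    return findings

if __name__ == "__main__":
    for ip, port, reason, rule in audit(SAMPLE_RULES, INVENTORY):
        print(f"{ip}:{port} {reason}\n    {rule}")
```

Run as part of decommissioning and again before an address is re-assigned, any finding means a new host at that address would be reachable from outside the moment it boots.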