Educause Security Discussion mailing list archives

Re: Results: Public vs. Private IP Address Survey
From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Tue, 9 Oct 2012 08:29:10 -0700


I am interested in hearing about your conclusions from this data. What was your intent in collecting this information 
and what have you gained from it?

Brian Basgen
Assistant Vice Chancellor for IT (Acting)
Pima Community College
Office: 520-206-4809

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Carr, 
Michael G
Sent: Monday, October 08, 2012 1:13 PM
Subject: [SECURITY] Results: Public vs. Private IP Address Survey

In late August, I developed a simple SurveyMonkey and asked a few questions about Private vs. Public IP Addresses (to 
see if any consistent thread could be gleaned.)  The responses follow:







Question 5 - If you have any College/Dept IT Mgrs, faculty or researchers who have insisted on keeping/maintaining 
public IP addresses, what were their reasons?

Other (responses)

*         No one has kept public IP addresses. All are NAT'd or PAT'd and managed by central IT.

*         Only our public facing servers have global IPs, reachable only from outside. Even such servers have private 
internal addresses for campus access.

*         They have had no need to ask. Private addresses are only used for our wireless network and special purpose 
sensitive networks such as point-of-sale, physical security infrastructure, and back-end servers in the data centers.

*         We have no issue with anyone keeping public IP addresses. We do not depend on RFC1918 addresses as a security 
layer. Perimeters are established via other mechanisms. We are deploying network virtualization for some administrative 
nets where units wish to have a more corporate-style network posture.

*         Note that 0% of internal machines have public IPs (i.e., static external IP setup on machine via Nat0) 
however we do NAT addresses out and we do have 1 for 1 statics on certain vlans so that we can track malicious 
activity. We know it is common practice for a lot of colleges/universities to have Nat0 or no firewall (god forbid) but 
we feel every layer we can add is an extra boundary that can protect us. Transparency is important when it comes to 
accountability and as we move toward IPv6 we will see how important it really is. Hope this helps!

*         They have them and we never ask them to give them up. Everyone is on a public IP, BUT they are not open 
inbound from the internet, except on a TCP port-by-port basis after full security audits. I only have about 100 addresses 
with inbound rules on all of campus.

*         We use private addresses only when application/device security needs demand it.

*         Your premise that central IT is coaxing, cajoling or coercing our users to not have public IP addresses 
doesn't apply to us. We only "require" private IPs on printers and other strictly local devices like PCI-compliant 
workstations. Maybe we don't understand the risks/benefits and technology and are fear-based. (usu.edu)

*         The only things that have NON-public IP addresses are infrastructure things, e.g., switches, access points, 
surveillance cams, etc.

*         We have not tried to take them away. We have a Class B and have not ever bothered to renumber everything to a 
private IP space. We've talked about it, but honestly, it will probably never happen until we go to IPv6 (and we have 
no concrete plan to do that anytime soon either).

*         All of our IP addresses are currently public.

*         We have central IT, so there aren't College/Dept IT Mgrs.

Michael G. Carr, JD, CISSP, CIPP
Chief Information Security Officer
The University of Kentucky
122 James F. Hardymon Bldg
Lexington  KY  40506-0495
Desk: (859) 218-0306
Mobile: (513) 295-3067
Michael.Carr () UKy edu



Security/Privacy Tip:  Never, ever email your SSN, credit card numbers or passwords.  Period.
