If you ask a networking person what a private (IP-)address is, you get one answer: an IP address which is not routable on the internet. There are some IP ranges which have been set aside for use in private networks and won’t work on the internet. For this reason they are sometimes referred to as “non-routable addresses”. Which is why they tend to be used in movies. Type them into your browser and nothing happens. Unless you are in a local network which has routes for them. Emphasis on local. Addresses that start with “10.” and “192.168.” are the most commonly used, and there are a few others as well. Architects tend to think a private address is one that you own.
But what is a public IP address? That very much depends on who you ask. Network people will say it is an address which is not private. An IT architect will say it is an address which is accessible from outside your network. Security would say one which the public can access.
In some sense they are all correct, and that is why the issue is so confused. Because over all of this reigns security. And more particularly secrecy. There are far too many in the IT business who equate security and secrecy. To be sure, the two are not opposing concepts for the most part, but they overlap only intermittently, and not often. Some think IP security is mainly about secrecy: if the enemy does not know an address, he can’t attack it.
Ah, would that that were so. This is why the difference between public and private is so important. If an architect thinks that a public address is one that other people know about and a private address is one that is secret, the architect might want to keep the address information secret: distribute it only over secure channels, keep it in password-protected files and in secure document stores, and so on.
But how secret can an externally accessible IP address really be?
It is illustrative to think in terms of physical addresses: a person lives at a secure address. But the house is still there, numbered sequentially like any other, and the street is public. Anyone can drive to the house at any time. How secure is that? Let’s further suppose that those looking for the occupant of the secure address know that the house has been provided by a company that owns a particular street (a public IP range discoverable in DNS). It is a fair guess that the right house is on that street. What does that do to security? If the house is a fortress, it doesn’t matter. But if you base your house security on it being undiscoverable, nothing good.
NAT-ing does nothing useful here. It is like having all your mail sent to the post office and having the post office forward it to your house. Someone can still mail you a remotely detonated bomb (malware). The post office will forward it just the same. (Wait a day; trigger it; look for smoke; and you have the right house.)
But there is another way: a private road (non-routable/private addresses) cut off from the public road system; you have to be authorized and be lifted in. That is a secure address. Not a full replacement for security at the address of course, you still lock the doors, but the address information is secure in the sense that scanning will not discover it. No looking inside mailboxes on a street you can’t get to.
How to achieve this happy state of affairs? Enter the muddle.
Virtual Private Networks. With “private” here referring both to private addresses as defined above (non-routable) and to addresses you own. VPNs are sometimes referred to as encrypted tunnels. Typically based on IPsec, but there are other possibilities. Any IP address can be used in a VPN, but using a VPN you can have your non-routable “10-dot” address be accessible from anywhere, even over the internet.
And this is done. What strikes me as peculiar is when VPN is used with public/routable addresses. The address is still discoverable, because it is public, and no amount of secrecy will change that. The house is on a public street, no matter that the occupant is not listed in the phone book and has his mail sent to the post office. It will be part of a range that has some other member of it in a public DNS. Therefore it is discoverable through scanning. This is also why services should not run on default ports. And all services running on default ports should be disabled as far as possible. Knowing an IP is only half the battle; you still need the right port if you are going to attack something.
Add VPN to the public address and unknown traffic will be prevented from reaching it. Which negates any need to keep it secret, not that you could even if you wanted to. Which leaves no role for secrecy when it comes to IP addresses.
Why even use a public address if you are going to use VPN? They are neither free nor plentiful. Well, you shouldn’t. But if you do, it must be for reasons of convenience. They are unique after all. There is no need to agree on a private/non-routable address with the counterparty so as not to cause a conflict with something else in their network. Adding NAT-ing here is just silly, as it simply adds confusion and does nothing for security. With one exception: if there is a failure to agree on a single mutually acceptable private address range among multiple parties. If there is a holdout, there might have to be NAT-ing between that party and the others.
No, a VPN tunnel should be from one private, non-routable address to another. Not that this needs to be point-to-point. You can route all kinds of traffic through a single VPN tunnel. Your routing tables control that.
Server A has address 10.1.0.10 and sends traffic to Server B at 10.2.0.10 over a VPN. And vice versa. They belong to two separate organizations and separate private networks.
The VPN tunnel has openings 10.1.0.1 and 10.2.0.1 respectively. Server A routes traffic bound for 10.2.0.10 to 10.1.0.1. Server B routes traffic bound for 10.1.0.10 to 10.2.0.1.
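The two routing tables above, modelled as an added example (not code from the original post): a longest-prefix-match lookup over constructed routes for Server A, Server B and a public internet router. The RFC 1918 prefixes are the "non-routable" ranges the post refers to; the internet router's blackhole entries for them are an assumption standing in for the fact that no public router carries a path to those ranges.

```python
import ipaddress
from typing import Optional

# RFC 1918 ranges: the "private, non-routable" addresses discussed in the post.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr: str) -> bool:
    """True when addr lies in an RFC 1918 range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def next_hop(routes: list[tuple[str, Optional[str]]], dst: str) -> Optional[str]:
    """Longest-prefix-match route lookup.

    routes: (prefix, gateway) pairs; gateway None means the prefix is directly
    connected.  Returns the gateway, "direct", or None when no route matches.
    """
    ip = ipaddress.ip_address(dst)
    best_net, best_gw = None, None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    if best_net is None:
        return None
    return "direct" if best_gw is None else best_gw

# Constructed tables for the post's scenario: each server reaches its own LAN
# directly and the other organisation's private range via its VPN opening.
SERVER_A_ROUTES = [("10.1.0.0/24", None), ("10.2.0.0/24", "10.1.0.1")]
SERVER_B_ROUTES = [("10.2.0.0/24", None), ("10.1.0.0/24", "10.2.0.1")]

# Assumed public router: a default route plus explicit blackholes for RFC 1918.
# The more specific blackhole wins over 0.0.0.0/0, so private destinations die here.
INTERNET_ROUTES = [("0.0.0.0/0", "upstream")] + [(str(n), "blackhole") for n in RFC1918]

def reachable_from_internet(dst: str) -> bool:
    """Can an outsider on the public internet get a packet routed towards dst?"""
    hop = next_hop(INTERNET_ROUTES, dst)
    return hop is not None and hop != "blackhole"

if __name__ == "__main__":
    print("A -> 10.2.0.10 via", next_hop(SERVER_A_ROUTES, "10.2.0.10"))
    print("B -> 10.1.0.10 via", next_hop(SERVER_B_ROUTES, "10.1.0.10"))
    print("attacker -> 10.2.0.10 reachable?", reachable_from_internet("10.2.0.10"))
```

Publishing 10.1.0.10, 10.2.0.10 and the tunnel endpoints changes nothing for the outsider: the only router they can use has no usable path to those prefixes.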
All of these addresses could be freely published and it would do any external attacker no good at all. Security without secrecy.