> having a private ip = definitely not publicly reachable.
> having a public ip = possibly reachable, depending on what other devices can be compromised on the network.
Lateral movement is hacking 101. Private IPs don't provide any security.
Got a webserver open to the internet and a database server on a private IP only accessible to the web server? Guess how you get to the database server?
You seem to be continually conflating something having a public IP address and it being open to the internet raw dogging it. This is not how things work.
good job all the network cables are glued in and no one ever plugged a cable into the wrong port, or doing so might result in all the devices behind that firewall getting exposed directly to the internet and no one noticing because everything still works.
but I'm done burning karma on this one, good luck have fun.
> good job all the network cables are glued in and no one ever plugged a cable into the wrong port, or doing so might result in all the devices behind that firewall getting exposed directly to the internet and no one noticing because everything still works.
So just put your database server on an IPv6 ULA (which is not globally routable)? There are other benefits to that, too, you know? Like that you can have a completely static address for the server, which is agnostic to whatever IPv6 prefix gets assigned by your upstream provider.
did the unpaid intern do that before or after the insecure database server accidentally got given a public ip address?
did they also check and update that old office-use-only IIS server no one uses before the department all got public ips, or wasn't there a lunch budget for that.
Good job not even attempting to secure your office switch ports with whitelisted MACs or whatever, then.
And if you then argue that MACs can be spoofed easily, well, you'd have to get the MAC of the authorised system first. And by that time you've physically broken into the building - you have worse problems than a rogue device or two...
> having a private ip = definitely not publicly reachable.
What component of your router prevents a packet with destination IP 192.168.1.2 arriving on the WAN interface from crossing over to the LAN interface and reaching a LAN machine with that IP? Hint: It's the same one that prevents IPv6 packets from making that same crossing.
nothing stops 192.168.1 crossing a wan interface, in fact I and most of the internet rely on being able to do exactly that, the router just needs an appropriate route in its routing table.
set router to an allowlist configuration... and you're done. it's your "NAT" security but without terribleness. some (consumer/smb) routers even come this way out of the box to prevent exactly what you mention
add a software router to the network that hands out public ips to all the devices on the network.
or better, just accidentally switch a cable over from the router to the router's switch, see if anyone notices their private ips all became public ones.
if we're branching into 'what other devices can be compromised' then that's a concern for any network, 'private' IP or not. for example, even on a NATted v4 network if you get the right device (say if it's 'port forwarded', or you get malware on it another way (social engineering)) you can pivot that way to another point in the network.
you can supply all the ACLs and firewalling to your heart's content on either private or public, it's just that public addresses have a heck of a lot less shitfuckery when you actually want to do useful things across the internet
if by "heck of a lot less shitfuckery" you mean "makes it a lot easier to exfiltrate all the data on a network" I completely agree, that was pretty much my point.
You seem to fail to grasp that it is the statefulness of NAT that provides security, not the private/public IP distinction. The same statefulness can be obtained by using... surprise, surprise, a stateful firewall. :-D
It is helpful to imagine NAT as a stateful firewall with packet modifying capabilities. Because that's what it is.
If your ISP is doing CGNAT, try pinging random 100.64.0.0/10 addresses. Marvel at the number of pongs you can receive. Hell, we even have online threads talking about this, so it can't be just my ISP being incompetent [0].
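The routing-vs-filtering point made above (nothing in a plain routing table stops a packet for 192.168.1.2 arriving on the WAN side, and it is the connection-tracking state, not the address range, that keeps unsolicited inbound traffic out) can be made concrete with a small model. The following is an added illustration, not code from any commenter in this thread: a toy longest-prefix router and a toy stateful filter in front of it. All addresses are constructed from the RFC 5737 documentation ranges and a 192.168.1.0/24 LAN; the interface names, the `Packet` shape and the allowlist semantics are assumptions of the example, not any real router's behaviour.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    iface: str  # interface the packet arrived on: "wan" or "lan" (constructed names)


class Router:
    """Forwards purely by longest-prefix match on the destination.
    Nothing here knows or cares whether an address is RFC 1918 'private'."""

    def __init__(self, routes):
        # routes: iterable of (cidr, egress_interface); most specific prefix wins
        self.routes = sorted(
            ((ipaddress.ip_network(cidr), iface) for cidr, iface in routes),
            key=lambda r: r[0].prefixlen,
            reverse=True,
        )

    def egress(self, pkt):
        dst = ipaddress.ip_address(pkt.dst)
        for net, iface in self.routes:
            if dst in net:
                return iface
        return None  # no route at all


class StatefulFilter:
    """Connection tracking in front of the router: the part of 'NAT security'
    that actually does the work. WAN-originated packets are forwarded only if
    they answer a flow a LAN host initiated, or if the destination socket is
    on an explicit allowlist (the equivalent of a deliberate port forward)."""

    def __init__(self, router, allowlist=()):
        self.router = router
        self.state = set()               # (lan_ip, lan_port, remote_ip, remote_port)
        self.allowlist = set(allowlist)  # (lan_ip, lan_port) deliberately exposed

    def process(self, pkt):
        out = self.router.egress(pkt)
        if out is None or out == pkt.iface:
            return "drop"  # unroutable, or would go back out the way it came
        if pkt.iface == "lan" and out == "wan":
            # LAN host opens a flow: remember it so the reply can come back
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "forward"
        if pkt.iface == "wan":
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
                return "forward"  # reply to a LAN-initiated flow
            if (pkt.dst, pkt.dport) in self.allowlist:
                return "forward"  # service the operator chose to expose
            return "drop"  # unsolicited inbound, private or public destination alike
        return "forward"  # lan -> lan


def scenario():
    """Run the comparison and return the decisions so they can be checked."""
    router = Router([
        ("192.168.1.0/24", "lan"),  # RFC 1918 addresses on the LAN
        ("203.0.113.0/24", "lan"),  # the same LAN, but numbered from a public range
        ("0.0.0.0/0", "wan"),       # default route
    ])
    results = {}

    # 1. Router alone: a WAN packet addressed to a private LAN host simply gets routed.
    unsolicited_private = Packet("198.51.100.7", 40000, "192.168.1.2", 5432, "wan")
    results["router_only_private_dst"] = router.egress(unsolicited_private)

    fw = StatefulFilter(router, allowlist={("203.0.113.10", 443)})

    # 2. Stateful filter: unsolicited inbound is dropped whether the target is private or public.
    results["fw_unsolicited_private"] = fw.process(unsolicited_private)
    results["fw_unsolicited_public"] = fw.process(
        Packet("198.51.100.7", 40001, "203.0.113.20", 5432, "wan"))

    # 3. A LAN host talks out; the matching reply is let back in.
    fw.process(Packet("192.168.1.2", 51000, "198.51.100.9", 443, "lan"))
    results["fw_reply"] = fw.process(
        Packet("198.51.100.9", 443, "192.168.1.2", 51000, "wan"))

    # 4. Only the allowlisted socket on the publicly numbered LAN is reachable from outside.
    results["fw_allowlisted"] = fw.process(
        Packet("198.51.100.7", 40002, "203.0.113.10", 443, "wan"))
    return results


if __name__ == "__main__":
    for name, decision in scenario().items():
        print(f"{name}: {decision}")
```

The router-only case forwards the WAN packet to the 192.168.1.2 host because a route exists, which is the point made about the routing table; every case that is actually dropped is dropped by the state table or the allowlist, and the decision is identical for the privately and publicly numbered hosts.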
> having a public ip = possibly reachable, depending on what other devices can be compromised on the network.
given the number of government machines already that participate in the various ddns botnets moving to that second one is going to be a lot of fun
at the very least all the cnc servers can move local.