RFC1918 addresses to permit in for VPN?

In the referenced message, Deron J. Ringen said:

> Using RFC1918 space also gets you an IP range where the outside world has
> no route to it -- Sorry, but no packets are not getting there, ergo no way
> to hack.
.
.
> At that point, just by use of simple routing, you've effectively
> eliminated 100% of attacks from the outside, and you only have to worry
> about inside. The front door is secure, now work on the back door.
>
I know that this thread as escalated unrestrained, however this is the
original point that I attempted to make.

...djr...

LSR not withstanding, anyone directly connected to you can devise
their own routing via static routes. Anyone on your own network
doesn't need to (assuming their defaulted.) rfc1918 is merely an illusion.
If you're taking care of the "inside", you've already added the security
which rfc1918 isn't providing. This is the point that I believe many others
are trying to make. Security through obscurity is no security at all.

Stephen

<snip>

are trying to make. Security through obscurity is no security at all.

All other points in this monstrous thread aside, this one is wholly
incorrect. Security through obscurity is nothing to depend on, but every
little bit helps.

Please, by all means, use a firewall, preferably several chained in an
old-fashioned bastion design. Use access lists - they're your
friend! Filter your routes, filter all packets not going to a valid
IP/port, hell block ping and traceroute so nobody can map your network,
and of course secure your servers.

But when all that's done -- still don't advertise. Security through
obscurity helps just that tiny extra bit. At the very least there will be
less logs to pore over, 'cause script kiddies don't know who you are.