I recently got copied in to a vulnerability assessment report conducted from the outside by a 3rd party company. They were given 2 IP ranges, one seems to be live systems, i.e. mail systems, citrix, website and web apps, and the second range were just called "disaster recovery systems". Why would you have public facing IP range relating to a companies disaster recovery? What purpose would these serve and why would they be open to the public (i.e. public facing)? Would every company have public facing systems that relate to disaster recovery, if so why? I know its "company specific" but I just wondered why any company would have such.