Home page logo

basics logo Security Basics mailing list archives

Re: Company Firewall's IP Address
From: "David J. Bianco" <bianco () jlab org>
Date: 13 Nov 2002 16:26:13 -0500

On Tue, 2002-11-12 at 17:09, tony tony wrote:
I was doing security research on the internet at work yesterday....when all of
a sudden I got a pop up advertisement that stated that I was broadcasting my IP
address to the entire internet.  It then showed a screen with my IP address
which was the the external IP interface of one of our companies firewalls. 

It just bothers me that someone would be able to determine the IP address of
our firewall that easily.  It seems to me that our firewall should operate in a
more stealth mode.  Our firewall administrator said it is not technically
possible to do this.  What is your take?I am not a checkpoint firewall guruso
I do not know.   All I know is that if I was a hacker, I would love to hammer
away on an ip address that represented a firewall. 

Your firewall administrator is right.  There's no way around providing a
valid IP address.  When you communicate with another computer over any 
network, including the Internet, you've got to include not only the IP
address of that other computer, but also your own.  After all, when the
remote computer replies to you, it needs to know where to send those 

Having said that, you generally have two choices about *what* IP address
to give.  If you have a very simplistic firewall, it will expose all 
internal addresses to the Internet. In other words, when your internal
machine makes a connection outside the firewall, the servers will see
your machine's real IP address.  Since this gives them some amount of
information about the layout of your internal network, this is generally
considered poor form. 

What usually happens is that the firewall rewrites your IP address and
substitutes its own.  The remote servers see the connection apparently
coming from the firewall machine, and they reply to that address.  The
firewall is smart enough to forward these replies to your machine, so 
your machine thinks it is communicating with the server directly, even
though the firewall is actually acting as a middle man.  This process,
known as Network Address Translation (NAT), is quite common and usually
desirable.  It's better to advertise a single IP than all the IP 
addresses on your network, and since the IP address must be valid, the
hardened firewall system is actually a really good choice.


David J. Bianco <bianco () jlab org>
Thomas Jefferson National Accelerator Facility

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]