Security Basics mailing list archives

Re: Company Firewall's IP Address
From: John Jasen <jjasen1 () umbc edu>
Date: Wed, 13 Nov 2002 16:56:32 -0500

On Tue, 12 Nov 2002, tony tony wrote:

> I was doing security research on the internet at work yesterday....when all of
> a sudden I got a pop up advertisement that stated that I was broadcasting my IP
> address to the entire internet.  It then showed a screen with my IP address
> which was the external IP interface of one of our company's firewalls.
>
> It just bothers me that someone would be able to determine the IP address of
> our firewall that easily.  It seems to me that our firewall should operate in a
> more stealth mode.  Our firewall administrator said it is not technically
> possible to do this.  What is your take?...I am not a checkpoint firewall guru...so
> I do not know.   All I know is that if I was a hacker, I would love to hammer
> away on an ip address that represented a firewall.

It's basically hogwash.

Somewhere in the headers of most TCP/IP packets is a space for the source
IP address. This is a good thing, because that's how the protocols return
answers to you -- i.e.: you open a webpage, it sends back text and graphics;
you ssh into a box, you get text output; you ping (ICMP echo request) a
box, it answers (ICMP echo reply).

In your case, I'd hazard a guess that the Checkpoint is doing some
proxy or ipmasqing, which means it rewrites the source ip address to its
own external interface and sends it along, keeping state of who asked for
what. When it gets the answer back, it rewrites things again, and passes
it back to you.

So, without the Checkpoint, this website would have returned your system's
IP address, assuming it's in the public IP ranges. With the Checkpoint
masq'ing you, the website reported its IP address.

There are some firewalls (ipf packet filter comes to mind) that can
operate more stealthily, but ... either way, it's gonna get an IP address
out of it. :P

-- 
-- John E. Jasen (jjasen1 () umbc edu)
-- User Error #2361: Please insert coffee and try again.
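
Added example, not part of the original message: a minimal source-NAT (masquerading) state table of the kind the reply describes, showing which address the remote web site sees and why only replies that match existing state get back inside. The class and function names are hypothetical and every address is constructed from private and documentation ranges.

```python
# Added illustration: minimal source-NAT (masquerade) state table.
# All addresses are constructed (RFC 1918 and RFC 5737 ranges).
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class MasqueradingFirewall:
    def __init__(self, external_ip, first_port=40000):
        self.external_ip = external_ip
        self.next_port = first_port
        self.out_map = {}  # (inside ip, inside port, dst ip, dst port) -> external port
        self.in_map = {}   # (external port, remote ip, remote port) -> (inside ip, inside port)

    def outbound(self, pkt):
        """Rewrite the source to the external interface and remember who asked."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.out_map:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.external_ip, src_port=self.out_map[key])

    def inbound(self, pkt):
        """Rewrite a reply back to the inside host; drop anything without state."""
        state = self.in_map.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if pkt.dst_ip != self.external_ip or state is None:
            return None
        return replace(pkt, dst_ip=state[0], dst_port=state[1])


def demo():
    fw = MasqueradingFirewall("203.0.113.10")
    request = Packet("10.1.2.34", 51515, "198.51.100.80", 80)
    seen_by_site = fw.outbound(request)  # what the web site can report back
    reply = Packet(seen_by_site.dst_ip, seen_by_site.dst_port,
                   seen_by_site.src_ip, seen_by_site.src_port)
    delivered = fw.inbound(reply)        # matches state, goes to the workstation
    unsolicited = fw.inbound(Packet("192.0.2.66", 4444, "203.0.113.10", 40000))
    return seen_by_site, delivered, unsolicited


if __name__ == "__main__":
    for item in demo():
        print(item)
```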

