Re: Company Firewall's IP Address
From: Edward N Schofield <shuffle3 () insightbb com>
Date: Wed, 13 Nov 2002 18:16:45 -0600
Unless someone knew nothing about firewall configuration, the trusted interface should only be addressable by the firewall, assuming that Network Address Translation (NAT) algorithms in the firewall or in an external gateway router are being used. If NAT is being used, even knowing the trusted interface address would not bypass the firewall. It would be difficult to imagine anyone setting up a firewall to directly accept the trusted interface address from the untrusted side of the firewall (or else why have a firewall?).

Passing through email messages just means the firewall is being told not to filter messages coming in for email services (TCP port 25, a logical port, if my holey memory recalls correctly). A stateful packet inspection firewall such as Check Point checks the characteristics of the packet to ensure it only gets the services for email, in this case. The message then goes to the email client, and the reply is returned from the email client's address, not the firewall.

Most organizations pass outgoing messages through the firewall without checking the services. It is developing security practice to have the firewall permit only the services you let into your organization's network to exit the network (i.e., if you permit only HTTP (TCP port 80) or email (TCP port 25) to enter your network, only permit these services to exit). This hinders someone using a code exploit to generate FTP services packets (port 23), as an example.

This is a tough sell, but at least one consultant demonstrated that, given an exploitable code vulnerability, it is possible to generate file transfers of desired files without granting access to these services through the firewall. That went through this list last fall. If you contact me off-list, I can supply the name, but I think it would be contrary to Mike's guidelines to give someone a free plug.

Hope it helps.
Bill Hamel wrote:

Unless I am missing something in the question, no matter what you do, what/whoever you connect to through a firewall will always know the IP address of the trusted interface of the firewall.
On Wed, 13 Nov 2002, Meritt James wrote:
"an" IP Address - not necessarily the originating individual. There are
a LOT of ways around that.
Leonard.Ong () nokia com wrote:

There is nothing new about finding your IP address and displaying it on a web page.
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566
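The egress-filtering argument in Edward Schofield's post above, as an added example that is not part of the thread and not any firewall product's code: a toy stateful packet filter in Python. It shows why the mail host's reply traffic needs no outbound rule (the stateful firewall matches it to the inbound connection it already tracks), and why a compromised inside host opening a new outbound connection, here to TCP port 21 (FTP control), is stopped only when egress is restricted to the same services permitted inbound. The trusted network 10.0.0.0/24, the host addresses and the two policies ("permissive" and "mirrored") are constructed for illustration; the filter handles TCP only and tracks a connection by its endpoint pair.

```python
"""Toy stateful packet filter illustrating ingress vs. egress policy.

Added example, not the poster's code and not a real firewall implementation.
Addresses, the trusted network and the policies below are constructed.
"""
from dataclasses import dataclass

INSIDE_NET = "10.0.0."  # assumed trusted network (constructed for the example)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the first packet of a TCP connection


def inbound(p: Packet) -> bool:
    """True when the packet arrives from the untrusted side heading inside."""
    return p.dst.startswith(INSIDE_NET) and not p.src.startswith(INSIDE_NET)


class StatefulFirewall:
    def __init__(self, ingress_ports, egress_ports):
        self.ingress_ports = set(ingress_ports)  # services allowed in (new connections)
        self.egress_ports = None if egress_ports is None else set(egress_ports)
        self.conns = set()  # tracked connections: unordered pair of endpoints

    @staticmethod
    def _key(p: Packet):
        # Unordered pair so the reply direction maps onto the same entry.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def filter(self, p: Packet) -> str:
        key = self._key(p)
        if key in self.conns:
            return "ACCEPT (established)"  # reply/continuation of a tracked connection
        if not p.syn:
            return "DROP (no state)"  # mid-stream packet with no tracked connection
        if inbound(p):
            allowed = p.dport in self.ingress_ports
        else:
            # None means "pass outgoing traffic without checking the services"
            allowed = self.egress_ports is None or p.dport in self.egress_ports
        if allowed:
            self.conns.add(key)
            return "ACCEPT (new)"
        return "DROP (policy)"


def run_scenarios():
    """Run the same four packets through both policies; return the verdicts."""
    policies = {
        "permissive": StatefulFirewall(ingress_ports={25, 80}, egress_ports=None),
        "mirrored": StatefulFirewall(ingress_ports={25, 80}, egress_ports={25, 80}),
    }
    results = {}
    for name, fw in policies.items():
        # 1. outside client opens SMTP to the inside mail host (permitted inbound)
        r1 = fw.filter(Packet("198.51.100.7", 40000, "10.0.0.25", 25, syn=True))
        # 2. mail host replies: no egress rule needed, the tracked state carries it
        r2 = fw.filter(Packet("10.0.0.25", 25, "198.51.100.7", 40000))
        # 3. compromised inside host opens a new outbound FTP control connection
        r3 = fw.filter(Packet("10.0.0.50", 51000, "203.0.113.9", 21, syn=True))
        # 4. outside host aims at the trusted interface address on a service not let in
        r4 = fw.filter(Packet("198.51.100.7", 40001, "10.0.0.1", 22, syn=True))
        results[name] = (r1, r2, r3, r4)
    return results


if __name__ == "__main__":
    for policy, verdicts in run_scenarios().items():
        print(policy, verdicts)
```

Scenario 3 is the whole difference between the two policies: the permissive firewall accepts the new outbound connection from the compromised host, the mirrored one drops it, while the legitimate SMTP exchange (scenarios 1 and 2) passes under both. Real packet filters do the same bookkeeping with a connection-tracking table; in iptables, for instance, the reply direction is matched with `-m state --state ESTABLISHED,RELATED` rather than by a separate port rule.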