Home page logo

basics logo Security Basics mailing list archives

RE: Company Firewall's IP Address
From: Louis Erickson <LErickson () ariba com>
Date: Thu, 14 Nov 2002 14:02:59 -0800

From: Vince Hillier [mailto:vdh () plutonium homeunix com]
|From: tony tony [mailto:tonytorri () yahoo com]
|Sent: Tuesday, November 12, 2002 2:09 PM
|To: security-basics () securityfocus com; Cisaca
|Subject: Company Firewall's IP Address
|I was doing security research on the internet at work 
yesterday....when all
|a sudden I got a pop up advertisement that stated that I was 
|my IP
|address to the entire internet.  It then showed a screen 
with my IP address
|which was the the external IP interface of one of our 
companies firewalls.

So I assume you route through the firewall machine.


You are broadcasting an IP to the internet; that of your firewall.  Many
things you do on the Internet - HTTP among them - require a bidirectional
link, which means that both sides need to know the IP address of the other.
Anything using TCP and actually working probably does.

Your machine's internal IP wasn't broadcast; your office's firewall or NAT
gateway or some other machine's was.  This is normal.

Hopefully, that machine is monitored, and well maintained, so hacking it
won't be easy or fruitful.

If you're not aware of how IP connections like your web server work, you're
right to be trying to learn more, and you might look for a basic book on
networking.  I don't have any really good recommendations, but others here
certainly will.

|It just bothers me that someone would be able to determine 
the IP address
|our firewall that easily.  It seems to me that our firewall 
should operate
|in a
|more stealth mode.  

Why does it bother you?  You can connect to their server, but 
they cannot identify you? Hmm... that would probably bother 
them, especially if you were up to no good.

That's true.  It's also true that that's how common protocols on the
Internet work.  There needs to be an IP address of some sort; your firewall
gets that honor.  Don't worry about that so much.

|Our firewall administrator said it is not technically
|possible to do this.  

Is he/she for real?  Of course it is technically possible to 
identify machine IPs is they are connecting to your 
webserver, I really hope he/she means it is not possible to 
determine the internal IP that the request originated from, 
if not, then you need a new firewall administrator.

Vince, I read that to mean, "Our firewall administrator said it is not
technically possible to hide the IP address of our firewall" instead of "it
is not possible to identify machines".

That's a very different statement, to which your reply isn't correct.

|What is your take?.I am not a checkpoint firewall
|I do not know.   All I know is that if I was a hacker, I 
would love to
|away on an ip address that represented a firewall.

That's probably the stupidest thing you could do, unless you 
want to get caught, of course.  Firewall are generally 
monitored, unless your firewall administrator thinks it's 
impossible for someone to determine the IP of the machine, 
then you're, well, hopeless.

Knowing someone's firewall's address is of only limited use.  Don't worry
about it.

|Click on the following to learn more about this pop up site.

In closing, that site simply returned the $REMOTE_ADDR 
(address that requested the document on their site).  There 
is nothing fishy about this, every site you visit can tell 
you that IP so long as you route through it.  Seriously, if 
your fw techie thinks it's impossible to get the IP of that 
machine, your company should immediately reconsider his/her 
qualifications, and perhaps put him/her in, oh say... a data 
entry position.

But, as seems likely from here, they did answer the question asked, but
perhaps simplified or you simplified, and Vince perhaps misunderstood.  

Normally, an IP address goes out over the 'Net, and normally that address is
correct.  Nothing to worry about.

It is possible to build a firewall with no IP address at all, but I don't
think that firewall can do all of the things a typical one can and so may
not be appropriate for your environment.  (Google for "bridging firewall" if
you're curious.)  Even with one of these, there will be an IP address sent
to the other side; it won't be the firewall's ip address, but that of
something behind it, which is actually scarier than the firewall's IP going

Lou Erickson
IT Tools Developer
Ariba, Inc.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]