Re: Company Firewall's IP Address

[John Jasen <jjasen1 () umbc edu>]

On Tue, 12 Nov 2002, tony tony wrote:

> I was doing security research on the internet at work yesterday....when all of
> a sudden I got a pop up advertisement that stated that I was broadcasting my IP
> address to the entire internet.  It then showed a screen with my IP address
> which was the the external IP interface of one of our companies firewalls.
>
> It just bothers me that someone would be able to determine the IP address of
> our firewall that easily.  It seems to me that our firewall should operate in a
> more stealth mode.  Our firewall administrator said it is not technically
> possible to do this.  What is your take??I am not a checkpoint firewall guru?so
> I do not know.   All I know is that if I was a hacker, I would love to hammer
> away on an ip address that represented a firewall.

Its basically hogwash.

Somewhere in the headers of most tcp/ip packets is a space for the source
IP address. This is a good thing, because thats how the protocols return
answers to you -- ie: you open a webpage, it sends back text and graphics;
you ssh into a box, you get text output, you ping (icmp echo request) a
box, it answers (icmp echo reply).

In your case, I'd hazard a guess that the Checkpoint is doing some
proxy or ipmasqing, which means it rewrites the source ip address to its
own external interface and sends it along, keeping state of who asked for
what. When it gets the answer back, it rewrites things again, and passes
it back to you.

So, without the Checkpoint, this website would have returned your system's
IP address, assuming its in the public IP ranges. With the Checkpoint
masq'ing you, the website reported its IP address.

There are some firewalls, (ipf packet filter comes to mind) that can
operate more stealthily, but ... either way, its gonna get an IP address
out of it. :P

-- 
-- John E. Jasen (jjasen1 () umbc edu)
-- User Error #2361: Please insert coffee and try again.