Security Basics mailing list archives

Re: Company Firewall's IP Address

From: Edward N Schofield <shuffle3 () insightbb com>
Date: Wed, 13 Nov 2002 18:16:45 -0600

Bill,

Unless someone knew nothing about firewall configuration, the trustedinterface should only be addressable by the firewall, assuming thatNetwork address translation(NAT) algorithms in the firewall or by anexternal gateway router are being used. If NAT is being used, evenknowing the trusted interface address would not bypass the firewall. Itwould be difficult to imagine anyone setting up a firewall to directlyaccept the trusted interface address from the untrusted side of thefirewall (or else why have a firewall?) Passing through email messagesjust means the firewall is being told to not filter messages coming infor email services (TCP port 25 ( a logical port), if my holey memoryrecalls correctly). A stateful packet inspection firewall such asCheckpoint checks the characteristics of the packet to ensure it onlygets the services for email, in this case. The message then goes to theemail client, and the reply is returned from the email client's address,not the firewall. Most organizations pass outgoing messages through thefirewall without checking the services. It is developing securitypractice to have the firewall permit only the services you let into yourorganization's network to exit the network. (i.e. if you permit onlyHTTP (TCP Port 80) or email (TCP Port25) to enter your network, onlypermit these services to exit.) This hinders someone using a codeexploit to generate FTP services packets. (Port 23), as an example.This is a tough sell, but at least one consultant demonstrated that ,given an exploitable code vulnerability, it is possible to generate filetransfers of desired files without granting access to these servicesthrough the firewall. That went through this list last fall. If youcontact me off-list, I can supply the name, but I think it would becontrary to Mike's guidelines to give someone a free plug.


Hope it helps.
Ed



Bill Hamel wrote:

Unless I am missing something in the question, no matter what you do,
what/whoever you connect to through a firewall will always know the IP
address of the the trusted interface of the firewall.

-bh


On Wed, 13 Nov 2002, Meritt James wrote:

"an" IP Address - not necessarily the originating individual.  There are
a LOT of ways around that.

Jim

Leonard.Ong () nokia com wrote:

There is nothing new about finding your IP Address and display it on the web page.

--
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566

Current thread:

RE: Company Firewall's IP Address, (continued)
- RE: Company Firewall's IP Address Daniel R. Miessler (Nov 16)
- RE: Company Firewall's IP Address Leonard.Ong (Nov 13)
  - Re: Company Firewall's IP Address Meritt James (Nov 13)
- RE: Company Firewall's IP Address Bruce Fowler (Nov 15)
- Re: Company Firewall's IP Address Eric Schroeder (Nov 15)
- Re: Company Firewall's IP Address Ivan Coric (Nov 16)
- Re: Company Firewall's IP Address Meritt James (Nov 16)
  - Re: Company Firewall's IP Address Bill Hamel (Nov 15)
    - Re: Company Firewall's IP Address Meritt James (Nov 16)
    - Re: Company Firewall's IP Address Bill Hamel (Nov 16)
- Re: Company Firewall's IP Address Edward N Schofield (Nov 16)
  - Re: Company Firewall's IP Address Bill Hamel (Nov 15)
- RE: Company Firewall's IP Address Leonard.Ong (Nov 16)
- Re: Company Firewall's IP Address Meritt James (Nov 16)
  - Re: Company Firewall's IP Address Bill Hamel (Nov 16)
    - Re: Company Firewall's IP Address Frederick Garbrecht (Nov 18)
    - Re: Company Firewall's IP Address Andre Speelmans (Nov 19)
    - Re: Company Firewall's IP Address Meritt James (Nov 18)
    - Re: Company Firewall's IP Address Bill Hamel (Nov 22)
- RE: Company Firewall's IP Address Louis Erickson (Nov 17)
- RE: Company Firewall's IP Address John Canty (Nov 17)

(Thread continues...)