Security Basics mailing list archives
Re: Company Firewall's IP Address
From: Bill Hamel <billh () bugs hamel net>
Date: Wed, 13 Nov 2002 19:49:28 -0500 (EST)
Hi Ed,

I believe in the original post, the poster was concerned that the IP address of their firewall showed up in a pop-up using a browser, and how to keep that from happening. This would suggest outbound port 80 activity, maybe SSL. I am assuming this is the external address of the firewall.

All I am saying is that the external IP address of a firewall will always be known by whomever or whatever you are connecting to. If the machine this user is connecting to, out on the internet, is showing their internal RFC1597 IP address, IMHO that is impossible since private IP space doesn't route.

As far as port 25 goes, inbound connections on 25 TCP typically go to an SMTP server, hopefully on a DMZ. I think what you are saying is that outbound SMTP traffic will show in the email header the internal IP address of the original sending client. Which is true with stateful inspection or less firewalls, but most application proxy level firewalls will remove this information (if configured correctly). Some mail (SMTP) servers need to be on the trusted network for technical reasons (Yuk!), in which case a firewall that utilizes its own mail servers is the best bet because not one bit from the internet ever directly gets to the SMTP server.

Jeesh, I hope I didn't cloud the issue :)

-bh

On Wed, 13 Nov 2002, Edward N Schofield wrote:
Bill,

Unless someone knew nothing about firewall configuration, the trusted interface should only be addressable by the firewall, assuming that Network Address Translation (NAT) algorithms in the firewall or by an external gateway router are being used. If NAT is being used, even knowing the trusted interface address would not bypass the firewall. It would be difficult to imagine anyone setting up a firewall to directly accept the trusted interface address from the untrusted side of the firewall (or else why have a firewall?)

Passing through email messages just means the firewall is being told to not filter messages coming in for email services (TCP port 25 (a logical port), if my holey memory recalls correctly). A stateful packet inspection firewall such as Checkpoint checks the characteristics of the packet to ensure it only gets the services for email, in this case. The message then goes to the email client, and the reply is returned from the email client's address, not the firewall.

Most organizations pass outgoing messages through the firewall without checking the services. It is developing security practice to have the firewall permit only the services you let into your organization's network to exit the network (i.e. if you permit only HTTP (TCP Port 80) or email (TCP Port 25) to enter your network, only permit these services to exit). This hinders someone using a code exploit to generate FTP services packets (Port 23), as an example. This is a tough sell, but at least one consultant demonstrated that, given an exploitable code vulnerability, it is possible to generate file transfers of desired files without granting access to these services through the firewall. That went through this list last fall. If you contact me off-list, I can supply the name, but I think it would be contrary to Mike's guidelines to give someone a free plug.

Hope it helps.
Ed

Bill Hamel wrote:

Unless I am missing something in the question, no matter what you do, what/whoever you connect to through a firewall will always know the IP address of the trusted interface of the firewall.

-bh

On Wed, 13 Nov 2002, Meritt James wrote:

"an" IP Address - not necessarily the originating individual. There are a LOT of ways around that.

Leonard.Ong () nokia com wrote:

There is nothing new about finding your IP Address and displaying it on the web page.

--
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566
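The point Bill and Ed go back and forth on, that outbound SMTP through a stateful-inspection firewall carries the sending client's internal address in the Received: headers while an application-level proxy can remove it, is easy to check for yourself. The following is an added example written for this archive page, not code posted by anyone in the thread. The sample message is constructed, the host names in it are made up, and the "proxy" behaviour is a simplified stand-in: it drops any Received: hop that names an RFC 1597 / RFC 1918 address, which is what a correctly configured header-rewriting mail proxy achieves.

```python
"""Find RFC 1918 addresses leaked through Received: headers of outbound
mail and strip those hops the way an application-level mail proxy would.

Added example for this archive page; the message below is constructed and
every host name in it is made up.
"""
import email
import email.message
import ipaddress
import re

# RFC 1597 (now RFC 1918) private space, checked explicitly. We deliberately
# do not use ipaddress.is_private(), because it also flags documentation
# ranges such as 203.0.113.0/24, which the sample uses as its "public" hop.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Dotted-quad literals that are not part of a longer dotted token.
_IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed sample: the workstation's 10.1.2.42 survives in the second
# Received: line because the stateful firewall forwarded SMTP untouched.
SAMPLE_MESSAGE = """\
Received: from smtp.example.net (smtp.example.net [203.0.113.10])
\tby mx.example.org (Postfix) with ESMTP id 4A1B2C3
\tfor <alice@example.org>; Wed, 13 Nov 2002 19:49:28 -0500 (EST)
Received: from workstation42.corp.example.net (workstation42.corp.example.net [10.1.2.42])
\tby smtp.example.net (Postfix) with ESMTP id 7D8E9F0
\tfor <alice@example.org>; Wed, 13 Nov 2002 19:49:01 -0500 (EST)
From: bob@example.net
To: alice@example.org
Subject: test

hello
"""


def addresses_in(header_value):
    """Return the IPv4 addresses mentioned in one Received: header value."""
    found = []
    for literal in _IPV4.findall(header_value):
        try:
            found.append(ipaddress.ip_address(literal))
        except ValueError:
            continue  # e.g. 999.1.1.1 inside a comment or host name
    return found


def is_private(addr):
    return any(addr in net for net in PRIVATE_NETS)


def leaked_private_hops(raw_message):
    """List (hop_index, address) for each Received: header that names an
    RFC 1918 address. Hop 0 is the top-most, i.e. most recent, header."""
    msg = email.message_from_string(raw_message)
    leaks = []
    for idx, value in enumerate(msg.get_all("Received", [])):
        for addr in addresses_in(value):
            if is_private(addr):
                leaks.append((idx, str(addr)))
    return leaks


def strip_private_hops(raw_message):
    """Rebuild the message without any Received: header that exposes
    internal addressing, keeping the order of the remaining headers."""
    msg = email.message_from_string(raw_message)
    out = email.message.Message()
    for name, value in msg.items():
        if name.lower() == "received" and any(
            is_private(a) for a in addresses_in(value)
        ):
            continue
        out[name] = value
    out.set_payload(msg.get_payload())
    return out.as_string()


def received_count(raw_message):
    """Number of Received: hops present in a message."""
    return len(email.message_from_string(raw_message).get_all("Received", []))


if __name__ == "__main__":
    print("leaked hops:", leaked_private_hops(SAMPLE_MESSAGE))
    cleaned = strip_private_hops(SAMPLE_MESSAGE)
    print("hops before/after:", received_count(SAMPLE_MESSAGE), received_count(cleaned))
    print(cleaned)
```

Run against the sample, the check reports the second hop as leaking 10.1.2.42; after stripping, only the public hop remains. Point `leaked_private_hops` at mail actually received from your domain (or at a capture of outbound port 25 traffic) to see whether your own firewall behaves like the stateful case or the proxy case.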
Current thread:
- RE: Company Firewall's IP Address, (continued)
- RE: Company Firewall's IP Address Leonard.Ong (Nov 13)
- Re: Company Firewall's IP Address Meritt James (Nov 13)
- RE: Company Firewall's IP Address Bruce Fowler (Nov 15)
- Re: Company Firewall's IP Address Eric Schroeder (Nov 15)
- Re: Company Firewall's IP Address Ivan Coric (Nov 16)
- Re: Company Firewall's IP Address Meritt James (Nov 16)
- Re: Company Firewall's IP Address Bill Hamel (Nov 15)
- Re: Company Firewall's IP Address Meritt James (Nov 16)
- Re: Company Firewall's IP Address Bill Hamel (Nov 16)
- Re: Company Firewall's IP Address Bill Hamel (Nov 15)
- RE: Company Firewall's IP Address Leonard.Ong (Nov 13)
- Re: Company Firewall's IP Address Edward N Schofield (Nov 16)
- Re: Company Firewall's IP Address Bill Hamel (Nov 15)
- RE: Company Firewall's IP Address Leonard.Ong (Nov 16)
- Re: Company Firewall's IP Address Meritt James (Nov 16)
- Re: Company Firewall's IP Address Bill Hamel (Nov 16)
- Re: Company Firewall's IP Address Frederick Garbrecht (Nov 18)
- Re: Company Firewall's IP Address Andre Speelmans (Nov 19)
- Re: Company Firewall's IP Address Meritt James (Nov 18)
- Re: Company Firewall's IP Address Bill Hamel (Nov 22)
- Re: Company Firewall's IP Address Bill Hamel (Nov 16)
- query on firewall throughput..... SaiKrishna (Nov 18)