RE: Company Firewall's IP Address

[Louis Erickson <LErickson () ariba com>]

> From: Vince Hillier [mailto:vdh () plutonium homeunix com]
> |From: tony tony [mailto:tonytorri () yahoo com]
> |Sent: Tuesday, November 12, 2002 2:09 PM
> |To: security-basics () securityfocus com; Cisaca
> |Subject: Company Firewall's IP Address
> |
> |I was doing security research on the internet at work 
> yesterday....when all
> |of
> |a sudden I got a pop up advertisement that stated that I was 
> broadcasting
> |my IP
> |address to the entire internet.  It then showed a screen 
> with my IP address
> |which was the the external IP interface of one of our 
> companies firewalls.
>
> So I assume you route through the firewall machine.

tony:

You are broadcasting an IP to the internet; that of your firewall.  Many
things you do on the Internet - HTTP among them - require a bidirectional
link, which means that both sides need to know the IP address of the other.
Anything using TCP and actually working probably does.

Your machine's internal IP wasn't broadcast; your office's firewall or NAT
gateway or some other machine's was.  This is normal.

Hopefully, that machine is monitored, and well maintained, so hacking it
won't be easy or fruitful.

If you're not aware of how IP connections like your web server work, you're
right to be trying to learn more, and you might look for a basic book on
networking.  I don't have any really good recommendations, but others here
certainly will.

> |It just bothers me that someone would be able to determine 
> the IP address
> |of
> |our firewall that easily.  It seems to me that our firewall 
> should operate
> |in a
> |more stealth mode.  
>
> Why does it bother you?  You can connect to their server, but 
> they cannot identify you? Hmm... that would probably bother 
> them, especially if you were up to no good.

That's true.  It's also true that that's how common protocols on the
Internet work.  There needs to be an IP address of some sort; your firewall
gets that honor.  Don't worry about that so much.

> |Our firewall administrator said it is not technically
> |possible to do this.  
>
> Is he/she for real?  Of course it is technically possible to 
> identify machine IPs is they are connecting to your 
> webserver, I really hope he/she means it is not possible to 
> determine the internal IP that the request originated from, 
> if not, then you need a new firewall administrator.

Vince, I read that to mean, "Our firewall administrator said it is not
technically possible to hide the IP address of our firewall" instead of "it
is not possible to identify machines".

That's a very different statement, to which your reply isn't correct.

> |What is your take?.I am not a checkpoint firewall
> |guru.so
> |I do not know.   All I know is that if I was a hacker, I 
> would love to
> |hammer
> |away on an ip address that represented a firewall.
>
> That's probably the stupidest thing you could do, unless you 
> want to get caught, of course.  Firewall are generally 
> monitored, unless your firewall administrator thinks it's 
> impossible for someone to determine the IP of the machine, 
> then you're, well, hopeless.

Knowing someone's firewall's address is of only limited use.  Don't worry
about it.

> |Click on the following to learn more about this pop up site.
> |
> |http://www.bonzi.com/internetalert/ia99m.asp
>
> In closing, that site simply returned the $REMOTE_ADDR 
> (address that requested the document on their site).  There 
> is nothing fishy about this, every site you visit can tell 
> you that IP so long as you route through it.  Seriously, if 
> your fw techie thinks it's impossible to get the IP of that 
> machine, your company should immediately reconsider his/her 
> qualifications, and perhaps put him/her in, oh say... a data 
> entry position.

But, as seems likely from here, they did answer the question asked, but
perhaps simplified or you simplified, and Vince perhaps misunderstood.  

Normally, an IP address goes out over the 'Net, and normally that address is
correct.  Nothing to worry about.

It is possible to build a firewall with no IP address at all, but I don't
think that firewall can do all of the things a typical one can and so may
not be appropriate for your environment.  (Google for "bridging firewall" if
you're curious.)  Even with one of these, there will be an IP address sent
to the other side; it won't be the firewall's ip address, but that of
something behind it, which is actually scarier than the firewall's IP going
out.

Lou Erickson
IT Tools Developer
Ariba, Inc.