RE: Company Firewall's IP Address

From: Eric Schroeder (ericschroeder@satel.com)
Date: 11/18/02

    To: <Leonard.Ong@nokia.com>
    From: "Eric Schroeder" <ericschroeder@satel.com>
    Date: Mon, 18 Nov 2002 15:01:21 -0700
    
    

    Leonard,

    It is trivial to "hide" the IP address of the firewall by using a
    different IP address to NAT all of your internal machines behind. If the
    firewall then responds to no network traffic directed directly at it, it
    is effectively "hidden".

    IMHO,

    Eric Schroeder
    Satel Corporation

    <Leonard.Ong@nokia.com>
    11/14/2002 11:53 PM

     
            To: <bianco@jlab.org>, <tonytorri@yahoo.com>
            cc: <security-basics@securityfocus.com>, <cisaca-l@purdue.edu>
            Subject: RE: Company Firewall's IP Address

    Hi,

    As in my previous email, there is no way you can 'hide' the firewall external
    interface IP Address. It is generally an acceptable practice with a good
    comfort level to have this in the real world. There are some things you can
    do:

    1) Obscure the DNS name for firewall e.g. don't assign a DNS name like
    'Dallas-FW-Ver3.x'
    2) Use stealth connection - Drop every connection attempt to your
    firewall; this is supposed to make your firewall stealth.
    3) Carefully check your security policy to make sure there is no gap /
    unintended holes.
    4) Use AntiSpoofing.
    etc.

    Having said that, it is the social engineering, which exploits regular
    computer users' panic, that really matters in the advertisement.

    Regards,
    Leonard Ong, CISSP, CSS-1, CCSE, MCSE,
                 MCDBA, CCNP, CCDP, NSA, LCP
    Network Security Specialist, APAC
    NOKIA

    Email. Leonard.Ong@nokia.com
    Mobile. +65 9431 6184
    Phone. +65 6723 1724
    Fax. +65 6723 1596
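
The setup discussed in this thread, written as an nftables ruleset (an added example, not part of either email): internal hosts are NATed behind an address other than the firewall's own, and the firewall drops everything addressed to itself, with anti-spoofing applied first. The interface names (eth0 outside, eth1 inside), the internal range 192.168.10.0/24 and the NAT address 203.0.113.10 are assumptions, and the upstream router is assumed to route 203.0.113.10 to the firewall.

```nftables
#!/usr/sbin/nft -f
# Constructed example: all names and addresses below are assumptions.
#   eth0 = outside interface, eth1 = inside interface
#   203.0.113.10 = NAT address, distinct from the firewall's own outside IP

flush ruleset

table inet fw {
    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
        # Anti-spoofing: drop packets whose source address would not be
        # routed back out of the interface they arrived on.
        fib saddr . iif oif missing drop
    }

    chain input {
        # Traffic addressed to the firewall itself. Default is a silent
        # drop (no RST, no ICMP unreachable), the "stealth" behaviour.
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
        # Replies to connections the firewall itself opened.
        ct state established,related accept
        # Management is reachable from the inside interface only.
        iifname "eth1" tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Only inside-to-outside connections may be initiated.
        iifname "eth1" oifname "eth0" accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Outbound traffic leaves with the NAT address as its source, so the
        # firewall's own outside address never appears in forwarded packets.
        oifname "eth0" ip saddr 192.168.10.0/24 snat to 203.0.113.10
    }
}
```

Load it with `nft -f` on a test host first; the default-drop input chain will cut off remote management that does not arrive on the inside interface.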


