10-14-2009, 10:17 PM   #1
tobaccoman

Safe to give out your IP address?

The company I work for is using Citrix for employees to remotely connect to their servers. They are displaying the IP address on the website as part of the installation instructions.

Is it safe or not to display their IP address?


10-14-2009, 10:45 PM   #2
Flefebleaft

Although not something I would do, it shouldn't really cause any issue. If everything is properly set up, the script kiddies who see the address won't gain anything with knowing it. The people you really need to worry about breaking in don't need the IP address listed on a site for them to figure it out.


10-14-2009, 10:55 PM   #3
Flerdourdyged

If people want to find out what the IP is, they can probably find it, so there is really no point trying to hide it.


10-14-2009, 11:34 PM   #4
masterso

> The company I work for is using Citrix for employees to remotely connect to their servers. They are displaying the IP address on the website as part of the installation instructions.
>
> Is it safe or not to display their IP address?

IP addresses are public and cannot be obfuscated. If they post the IP address and specify the hardware that resides at that address, then a malicious user who is familiar with the hardware (and its various security holes) could compromise the security of the network. However, during this process, finding the IP address is an insignificant effort.

I am not really a fan of security through obscurity. I think that posting the IP address should not lessen the security since an obscure IP address provides 0 security in the first place.


10-15-2009, 12:09 AM   #5
tobaccoman

Does showing people the remote connection software we are using and the instructions for installing and setting it up compromise security? If someone now knows we're using Citrix (which they didn't know before) and they also now know our IP address (which they didn't easily know before) aren't we just asking for trouble?


10-15-2009, 12:29 AM   #6
masterso

> Does showing people the remote connection software we are using and the instructions for installing and setting it up compromise security? If someone now knows we're using Citrix (which they didn't know before) and they also now know our IP address (which they didn't easily know before) aren't we just asking for trouble?

So basically, the only security metric to prevent an unauthorized user is a username and password?


10-15-2009, 12:31 AM   #7
tobaccoman

Correct but they require password changes pretty frequently and incorrect guesses lead to account lockouts.


10-15-2009, 12:32 AM   #8
MP+4

> Correct but they require password changes pretty frequently and incorrect guesses lead to account lockouts.

Yikes, do you guys have a dedicated security team? Username + Password is pretty lackluster security.


10-15-2009, 12:50 AM   #9
Usesdiums

If it's anything like our Citrix access, we also have an RSA SecurID, basically a keyfob that displays a random 6-digit number every 10 seconds that's synced to the servers.

So username, password and passcode.


10-15-2009, 12:58 AM   #10
suidinguilelf

If giving out your IP address were dangerous then you've already been owned by an automated attack and are serving up malware as part of some botnet.


10-15-2009, 01:01 AM   #11
bpejjssoe

Security through obscurity: the US government's mantra.


10-15-2009, 01:05 AM   #12
shkarpet$

Not a Citrix expert, but my company uses XenApp so that users just need to log in on the site and then can launch the applications or virtual desktop and work from there.


10-15-2009, 01:06 AM   #13
LOVEBoy

> IP addresses are public and cannot be obfuscated. If they post the IP address and specify the hardware that resides at that address, then a malicious user who is familiar with the hardware (and its various security holes) could compromise the security of the network. However, during this process, finding the IP address is an insignificant effort.
>
> I am not really a fan of security through obscurity. I think that posting the IP address should not lessen the security since an obscure IP address provides 0 security in the first place.

I don't agree at all, it's very difficult to find out the IP address of a server for a particular company if it's not registered anywhere or freely advertised.

Providing the least amount of information as possible is a form of security, need-to-know basis and should be used at all times.

Advertising on your website that your servers are in the 220.168.120.54-60 example and detailing what ports are open (à la Citrix ICA/https/dns/smtp whatever) is infinitely more damaging than someone discovering that range, with that port open but not knowing who it belongs to.

Knowing the company means you could then social engineer the knowledge of domains, usernames etc... and you're already halfway there to breaking into a system.


10-15-2009, 01:27 AM   #14
masterso

> I don't agree at all, it's very difficult to find out the IP address of a server for a particular company if it's not registered anywhere or freely advertised.

Only if you are a remote user... But for remote users, there are packet sniffers and logging software that can be installed on client PCs. If the desire to hack is there, getting an IP address (and scanning for open ports) is a trivial concern.


10-15-2009, 11:59 PM   #15
tobaccoman

It seems like the consensus is the company is just asking for trouble. Especially since I don't believe they have any extra security than username/password for Citrix. But I don't think having the installation directions without the IP is any more secure because a hacker could just easily call up the front desk and ask for the IP.

What they should really do is beef up security a little bit.


10-16-2009, 12:23 AM   #16
LOVEBoy

> Only if you are a remote user... But for remote users, there are packet sniffers and logging software that can be installed on client PCs. If the desire to hack is there, getting an IP address (and scanning for open ports) is a trivial concern.

So in your example, you've already gained control over the network by installing such software in the first place...

Obscurity is exactly what security is about.


10-16-2009, 12:30 AM   #17
Flefebleaft

> So in your example, you've already gained control over the network by installing such software in the first place...
>
> Obscurity is exactly what security is about.

Obscurity is fine, but if that's what someone bases their network security on, they shouldn't be working in this industry.


10-16-2009, 01:17 AM   #18
masterso

> So in your example, you've already gained control over the network by installing such software in the first place...

Remote users are not on the network, well, not until they log in.

> Obscurity is exactly what security is about.

Face. Palm.


10-16-2009, 01:39 AM   #19
LOVEBoy

> Obscurity is fine, but if that's what someone bases their network security on, they shouldn't be working in this industry.

So you freely advertise what equipment you have, what OS revisions etc... to anyone? The least amount of information you give out the better.


10-16-2009, 01:40 AM   #20
LOVEBoy

> Remote users are not on the network, well, not until they log in. Face. Palm.

Nice retort and extremely well thought out.


