42

I work from home. Why would a company I am about to do some work for ask for my IP address? What would they need it for? Should I be worried? Thanks

Mark Buffalo
  • 22,498
  • 8
  • 74
  • 91
Niall
  • 437
  • 1
  • 4
  • 4
  • 2
    I don't understand why there are asking for your IP address. But be careful if they ask or try themselves to install something on your computer – VarunAgw Feb 03 '16 at 21:40
  • 4
    Just make sure you have a firewall that prevents connections being initiated from the outside into your home network (unless you specify exceptions), and they can't really do much with your IP other than use it in their firewall whitelist. – HorusKol Feb 04 '16 at 01:14
  • 80
    So I can put you in my development environment server's IP whitelist. You want control of your access, I want control of my access. It's a mutual protection thing. Even higher restrictions apply to the staging environment. I might not trust you enough to give you access there. – Fiasco Labs Feb 04 '16 at 05:44
  • This is just a formality. If you were doing work for a company on any equipment of theirs or equipment that they lease/rent/whatever they could easily figure your IP address... very easily. – blankip Feb 04 '16 at 20:26
  • Regarding Firewalls - does you regular anti virus software include a firewall? – Niall Feb 04 '16 at 20:30
  • Also - just following up on my original question - if I provide my IP to the company - would this mean that I would know have to stop turning my modem off at night (i.e. to stop IP changing) I have no particular justification for this - does anyone have any thought about leaving modems on - are there any know health implications? Thanks – Niall Feb 04 '16 at 20:37
  • 1
    @Niall - That depends on your provider. Some ISPs this wouldn't matter as they have a long keep alive for MAC to IP, some might change your IP as you disconnect... you kind of have to test it out (or pay more to keep an IP). Mine changes every year or so. Also if yours does change frequently it sounds like it may cause issues. – blankip Feb 04 '16 at 21:54
  • 21
    When you connect to your company, they know your IP address anyway. What you're really telling them is that **you** own the IP address, not somebody else. – MSalters Feb 04 '16 at 23:26
  • 4
    This question reminded me of all the people back in the day in Quake 3 that would say "I've got your IP address" as a threat. Then I'd laugh. –  Feb 06 '16 at 00:49
  • @TechnikEmpire It's interesting how that is apparently a legitimate threat these days, for example with [DDoS attacks in League of Legends](https://support.riotgames.com/hc/en-us/articles/201751764-DDoS-Prevention-Guide). – Lilienthal Feb 08 '16 at 11:43
  • 1
    @Lilienthal well, yeah I guess you're right. But typically the people dropping this thread don't know what an IP is, or what DDoS or DoS even stand for. –  Feb 08 '16 at 13:20
  • 1
    I imagine they’d want your IP address so they can white-list it for company services etc. Using it for nefarious purposes would just open them up to a lawsuit. – Martin Bean Feb 08 '16 at 13:30
  • There is also things such as blocking your IP in Analytics so you don't skew any stats (we do this so people making test bookings don't show up as real ones!) – bateman_ap Feb 08 '16 at 16:48
  • you should be worried that you don't know that IP addresses are not secret and that they already have your IP address, as well as every server you connect to via TCP/IP does as well as soon as you connect. *barring some kind of anonymizing proxy* –  Feb 08 '16 at 22:54
  • Doesnt matter when you have a dynamic IP – BlueWizard Feb 13 '16 at 17:16

10 Answers10

223

This seems to be a persistent question. IP addresses aren't secrets. Every website you go to must know your IP address. There's no reason to not give away your IP address.

Many companies have firewalls that only allow certain addresses through to certain ports. This is a relatively common way of controlling access to resources with minimal effort.

However, most people don't have static IP addresses at home, and your IP address can suddenly change without notice. So just be aware that the IP you have today might not be the IP you have tomorrow.

Steve Sether
  • 21,480
  • 8
  • 50
  • 76
  • Thanks Steve for your explanation, Though, if as you have written an IP address is dynamic and not static, does this mean access through their (the company) firewall would only be temporary. How often (on average if there is an average) does an IP change? Thanks again – Niall Feb 03 '16 at 21:16
  • 28
    @Niall There is no average. Mine only changes once every few months, but some of my friends on a different ISP get a new one about daily. – ceejayoz Feb 03 '16 at 21:35
  • 26
    Perhaps there should be a canonical answer for "what are the implications of giving away my IP address?". I've seen a lot of questions on Security.SE asking about IP adresses. Maybe making that the #1 Q/A Google result would diminish the amount of questions asked about it. – Chris Cirefice Feb 04 '16 at 03:04
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/35312/discussion-on-answer-by-steve-sether-while-working-from-home-is-it-a-bad-idea-t). – schroeder Feb 04 '16 at 21:20
  • 2
    @ChrisCirefice See http://security.stackexchange.com/q/35160/10863 for the generic question. The answers are a bit specific, but the question is there. – Luc Feb 07 '16 at 13:12
63

Why would a company I am about to do some work (working from home) for, ask for my IP address? What would they need it for? Should I be worried? Thanks

More than likely, they need to be able to white list your IP address, or IP range, to allow remote connections from your home. They need to know who's on their network, and why. There's nothing to worry about here.

Keep in mind, they will probably whitelist your dynamic IP range (likely 0-255), and not your actual IP address, unless it's static.

Mark Buffalo
  • 22,498
  • 8
  • 74
  • 91
  • Thanks Mark - I have just looked up my IP address (by web search) - how do I know that is my public IP as opposed to my private UP address? What is the difference - thanks again – Niall Feb 03 '16 at 21:35
  • Thanks Mark. I am a bit of a luddite - so I'll have to google what that means. Why though if a modem is static/fixed does the IP address change when you turn you modem off. I turn my modem off every night - is that not normal? – Niall Feb 03 '16 at 21:44
  • @Niall It's good practice if you're not using it, but it's not normal. I think most people just leave it on. Just like you're not supposed to leave your toaster, TV, computer, etc. plugged in. Most people do it anyway. – mbomb007 Feb 03 '16 at 22:52
  • 4
    @Niall If you found your IP address by a web search (e.g. http://www.whatsmyip.org/ ) then it must be your public one you're seeing. Your private IP address is used by your computer to talk to your router. It's not visible outside your home network. Your public IP address is the one your router uses to talk to the rest of the internet. If your public IP address changes every day, you must have a dynamic IP address, not a static one. – Simon B Feb 03 '16 at 23:08
  • 2
    @MarkBuffalo Using ipconfig/ifconfig will show you your INTERNAL IP address. The company would need the PUBLIC IP, which you can find by visiting a site like whatismyip.com – BlueCacti Feb 04 '16 at 15:38
  • 1
    @GroundZero D'oh! I mixed up what he was saying. I skimmed his comment and thought he was asking for his private IP. That'll teach me to skim comments. Thanks for the catch. I'll fix that. – Mark Buffalo Feb 04 '16 at 15:40
  • 1
    @Niall: 192.168.xxx.xxx is private (typical for home router), 10.xxx.xxx.xxx is private (typical for a company, with a much more expensive setup). There is another range but I forgot the numbers because I have never seen it in real life. And 127.0.0.1 is "your computer". – gnasher729 Feb 04 '16 at 23:25
  • What do you mean by `"Keep in mind, they will probably whitelist your dynamic IP range (likely 0-255), and not your actual IP address, unless it's static"`? Large ISPs typically have _really large_ address block assignments and often more than one of them. If they're whitelisting those, they're practically whitelisting the entire Internet. For my ISP, there's no guarantee _even the first octet_ will be the same between IP address assignments. The chance of the first three octets being the same between assignments is extremely low. – reirab Feb 05 '16 at 06:25
  • 4
    @mbomb007 Who decided that unplugging your modem at night is "good practice?" That sounds like a really annoying and rather useless practice to me, especially in the OP's case of working from home with a whitelisted IP address. He'd have to be calling them up and getting a new IP address whitelisted every time he gets a new lease, which could be daily if you do that. – reirab Feb 05 '16 at 06:28
  • @gnasher729 The third one is `172.16/12` (or, if you like, `172.16-32.*.*`). I use a `/24` under it for my personal VPN, specifically _because_ it's so uncommon. There are [more blocks](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml) reserved for special use, and IPv6 has [its own set](https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml). While IANA is authoritative here, [Wikipedia has an article](https://en.wikipedia.org/wiki/Reserved_IP_addresses) that might be more accessible. – Blacklight Shining Feb 05 '16 at 08:51
  • @reirab It saves money by using less electricity. Sure his case is unique, but for the average modem owner, there's no reason to leave it on. – mbomb007 Feb 05 '16 at 15:56
  • @mbomb007 The pennies you'll save aren't worth the effort of turning it off. If you're on an ADSL line with dynamic line management, turning it off may cause DLM to think your line is unstable and reduce your speeds. http://www.kitz.co.uk/adsl/DLM.htm – Luna Feb 08 '16 at 12:19
19

Since you share your IP on every occasion in the web, there is no problem. Usually the reason for this is that they want to whitelist your IP in their firewall to allow you to remotely access them. Apart from that: Giving away your IP can not really harm you.

Even if that one company knows your identity and can consequentially relate your IP to you, this does not imply that any third party can do so. There is no problem in giving someone your IP if that person knew your identity in the first place, no additional information is given.

Other third parties cannot find your name and physical address from your IP address, and you can’t find it from theirs.

Well at last not without help.

We’ve seen that using a whois lookup on an IP address will tell you the ISP that owns it. It’s that ISP that can then tell you who, exactly, that IP address is connected to.

Note that while they can tell you, that doesn’t mean that they will. That information is typically regarded as private and ISPs are not keen on giving it out. What they can and do respond to, however, are court orders.

AdHominem
  • 3,006
  • 1
  • 16
  • 26
  • Thanks AdHominen - I presume you mean you leak your Public IP on every occasion on the net - what happens if someone gets your Private IP and what exactly is your private IP? – Niall Feb 03 '16 at 21:50
  • 4
    @Niall, a private IP is simply one that can't be accessed from the public internet. For example, my home fileserver's IP is 192.168.1.10, while my desktop's is 192.168.1.6. I can access my fileserver from my desktop because both are on the same private-address network, but I can't access it from the library, because the fileserver doesn't have a public address. – Mark Feb 03 '16 at 22:01
  • 2
    @Niall if someone gets your private IP, nothing happens. He cannot use it, because it only works in your private network. Also there is a very very high chance your private IP is one of the 253 IPs in 192.168.1.[2-254] because that's the default in most home routers. – Josef Feb 04 '16 at 11:48
  • 1
    AdHominem your reasoning is flawed. There is a big difference between your IP address being associated with arbitrary web requests, and you explicitly declaring the link between your IP address and your personal identity. It's like, anyone knows that there is a house number 12 on Stack Overflow Street, but until you stand up in the town square and loudly declare that it's _your_ house, your enemies probably won't have letterbombed it. – Lightness Races in Orbit Feb 05 '16 at 11:22
  • I never even mentioned such difference. All I said was that you leak your IP everywhere anyways and that no one except your ISP can relate it to you as a natural person. – AdHominem Feb 05 '16 at 11:27
  • @AdHominem: Which is why it's irrelevant, because in the scenario being asked about, suddenly your IP _can_ be related to you as a natural person, which is a massive change. _"so there is no problem"_ is thus a non sequitur! – Lightness Races in Orbit Feb 05 '16 at 11:28
  • What i mean is that since you leak your IP anyways, you can as well give it to someone requesting it. Even if that one person knows your identity and can consequentially relate your IP to you, this does not imply that any third party can do so. There is no problem in giving someone your IP if that person knows you in the first place. – AdHominem Feb 05 '16 at 12:33
8

Firewall whitelisting is the obvious answer, audit whitelisting might be the other.

If we know in advance to expect you to dial in from IPs associated with the northeastern US and all of a sudden we see you're successfully logging in from an IP address range in Guangdong, it's going to raise red flags.

Ivan
  • 6,288
  • 3
  • 18
  • 22
6

Sounds like a poor man's VPN substitute. Normally the company's VPN should allow connections from anywhere, and then use one or two different authentication methods (or more).

It makes perfectly good sense to firewall off large blocks like China, but micromanaging IP addresses is a continuous administrative overhead.

Plus there are plenty of users who don't have static IP addresses, does your company update the ruleset every time someone blips their router/modem?

Answer No its not dangerous to share your IP, but it may be a sign of poor security practices masked by IP-based Access Lists.

Criggie
  • 508
  • 3
  • 12
  • 14
    IP white listing isn't necessarily a sign of poor security practices if IP white listing is done in addition to a strong authentication method. The main reason for IP white listing is because IP white listing is enforced by a layer 3 firewall, which is a much faster and simpler device then higher layer firewalls that have to parse through more of the layers and/or maintain TCP sessions. IP blocking device can sift through a large volumetric attacks quickly and efficiently with modest hardware with little performance impact. – Lie Ryan Feb 04 '16 at 14:53
  • 1
    I upvoted this already, but I feel it needs re-iterating that IP whitelisting is a stopgap measure at best. It only works if you have a static address, it precludes the use of a general VPN from home, and it provides no security against attacks from behind your NAT, while making an implicit suggestion that you will be responsible for them. If you're working for a five person company, then maybe setting up the VPN isn't worth while, but for any bigger company, it is a sign of a lazy sysadmin. – Gordon Dove Feb 05 '16 at 19:19
2

It's a common practice : for restricting an outside access to VPN and other services. You should not worry and use a static IP address - for your own safety, btw. Because if even someone will steal your password - he will not have your IP likely.

Alexey Vesnin
  • 1,565
  • 1
  • 8
  • 11
2

Similar to [Alexey Vesnin] answer, we setup an external modem and firewall with an onion VPN connection. We configure the connection to run one specific application with username, password, and security questions. The firewall is configured for a static IP and mac address. If any other user/device tries to connect to that firewall it is kicked off. Employees can run personal internet through their own network card and firewall/router/modem.1

Community
  • 1
LJones
  • 107
  • 1
  • 6
1

I work for a marketing and advertising agency. My company needs my IP address so that they can track how many times I visit ours, and our clients' websites (which we are monitoring to determine the effectiveness of our marketing and social media campaigns). Since I visit the site frequently to update blogs and edit content, my activities could skew the analytics.

Chris
  • 11
  • 1
0

It seems that it was not clearly stated yet in other answers: If you connect to any of your company servers, then they will immediately know your IP anyway (as would any other webserver). Knowing your IP most likely will also allow them to know your physical location (not very precise though).

If you want to hide your location for some reason, then you would need to use a proxy or something, but then again, they might not allow you in.

Ilya Chernomordik
  • 2,197
  • 1
  • 21
  • 36
-3

If you work at home and routinely connect to your company's website then they would have to know your IP since it would be in their logs. Who is doing the asking? Ask them for an explanation. No it is not routine as some have suggested. It may be that someone has been entering into their system to do something harmful and they are checking but, even then, all IPs are logged so it does not make any sense at all. Get an explanation and do not fail to mention that you understand that your IP should automatically appear in their logs so why do they have to ask for it.

Louie
  • 1
  • 3
    Telling an employer to search their logs to figure out your IP is asinine. A company should not have to parse gigs of log files because an employee didn't feel like providing their IP. See @Fiasco Labs answer to see why a company would need a WFM employee's IP. – cremefraiche Feb 07 '16 at 04:48