[EAS] IPAWS IP

Harold Price hprice at sagealertingsystems.com
Fri Jun 29 08:50:30 CDT 2012


There was a discussion recently about IPAWS requiring the use of a 
fully qualified domain name, rather than a specific IP address.

I'm not an expert on firewalls either, but remember to take into 
account DNS based load balancing.

For example, I did a ping on google.com, a few seconds apart, from 
two different computers on the same LAN segment, and got two 
different addresses:
74.125.226.230
74.125.226.200

Indeed, checking directly with a DNS server, I got this for google.com:
Name:    google.com
           74.125.226.197
           74.125.226.194
           74.125.226.198
           74.125.226.192
           74.125.226.196
           74.125.226.201
           74.125.226.200
           74.125.226.199
           74.125.226.195
           74.125.226.193
           74.125.226.206

The DNS server will give a different IP address each time it is 
asked.  For servers that use this form of load balancing, you can't 
put a single address into your firewall.

FEMA isn't doing that now, but they are apparently reserving the 
right to do so in the future.  This is done by many web sites with a 
lot of users, such as Yahoo, Facebook, etc.

Further, once CAP gets up to its full potential, using the URL links 
for multimedia content (such as audio), the audio won't be coming 
from apps.fema.gov.  It may come from an EOC server, a server hosted 
by the 3rd party CAP providers like GSS and MyState, from anywhere.

And, as I've already discussed, SSL certs and virtual host names 
also enter into it.

Placing a single IP address in a firewall for outbound connects to 
FEMA isn't going to be sufficient for CAP.  If you have a highly 
restrictive environment, some additional conversation is going to be 
required between you and your IT department. Proxies and SOCKS may be 
involved.  Find out where they like to eat lunch.

Harold
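
The single-address problem described in the post, as an added example that is not part of the original message: a Python check that compares an outbound firewall allowlist against every address a name resolves to. The function names are hypothetical, and the sample data is the google.com answer set quoted in the post, embedded so the check runs offline.

```python
import ipaddress
import socket

# Constructed sample input: the google.com answer set quoted in the post.
SAMPLE_ANSWERS = [
    "74.125.226.197", "74.125.226.194", "74.125.226.198", "74.125.226.192",
    "74.125.226.196", "74.125.226.201", "74.125.226.200", "74.125.226.199",
    "74.125.226.195", "74.125.226.193", "74.125.226.206",
]


def resolve_all(host, port=443):
    """Live lookup (needs network): every IPv4 address returned for host."""
    infos = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos}, key=ipaddress.ip_address)


def audit_allowlist(answers, allowlist):
    """Split resolved addresses into (covered, missed) for an outbound allowlist.

    allowlist entries are single addresses or CIDR blocks, as typed into a
    firewall rule.
    """
    nets = [ipaddress.ip_network(entry, strict=False) for entry in allowlist]
    covered, missed = [], []
    for addr in answers:
        ip = ipaddress.ip_address(addr)
        (covered if any(ip in net for net in nets) else missed).append(addr)
    return covered, missed


def drift(previous, current):
    """Addresses that appeared and disappeared between two lookups."""
    before, after = set(previous), set(current)
    key = ipaddress.ip_address
    return sorted(after - before, key=key), sorted(before - after, key=key)


if __name__ == "__main__":
    # Rule built from one ping result, checked against the full answer set.
    covered, missed = audit_allowlist(SAMPLE_ANSWERS, ["74.125.226.200"])
    print(f"covered={len(covered)} missed={len(missed)}")
    for addr in missed:
        print("  would be blocked:", addr)
    # The two ping results from the post, taken a few seconds apart.
    print(drift(["74.125.226.230"], ["74.125.226.200"]))
```

Passing `resolve_all("apps.fema.gov")` as `answers` runs the same audit against a live lookup; a rule that covers today's answers can still miss addresses the operator rotates in later.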


