CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.



#1  2005-08-13  BarryStiefel (Administrator, San Francisco, CA)

How do I define anti-spoofing?



Question



When I attempt to install my security policy, I get the following error:
Warning: You are about to install security policy on a machine without limiting the valid addresses on its interfaces to protect from IP addresses spoofing. Are you sure?
My firewall has 3 network interfaces and I am a bit confused about the definitions given for Valid Addresses when using Spoof Track. Should I use this configuration for my firewall?

le0: This Net (connection to internet router)
le1: Others (connection to DMZ)
le2: Others (connection to router for internal 128.203)

...or this?

le0: Others (connection to internet router)
le1: This Net (connection to DMZ)
le2: Open (connection to router for internal 169.254)

Answer



When you assign 'Valid Addresses': valid-addresses to an interface 'ifn', you are asserting that only packets with a source IP in 'valid-addresses' can come into 'ifn'. In VPN-1/FireWall-1 4.1 and earlier, you are also asserting that only packets with a destination IP in 'valid-addresses' are allowed to be routed to 'ifn'. For example, if the valid address is 192.168.182.0 and the interface is le0:
  1. A packet with source IP address 192.168.182.4 can come into le0.
  2. A packet with source IP address 192.168.1.8 cannot come into le0.
  3. A packet with destination IP address 192.168.182.4 can be routed to le0.
  4. A packet with destination IP address 10.0.0.4 cannot be routed to le0.

What are the various Anti-Spoofing options? In VPN-1/FireWall-1 NG, your options are as follows:
  • External: Similar to "Others" below.
  • Internal, Not Defined: No anti-spoofing will be performed on this interface.
  • Internal, Network Defined by IP and Net Mask: Same as "This Net" below, but the name is more self-explanatory.
  • Internal, Specific: A group of network objects (networks, hosts) that define the "valid addresses" for this interface.

Note that NG automatically takes into account multicast and the all-ones and all-zeros broadcast addresses, so they need not be included in your anti-spoofing definitions.

In VPN-1/FireWall-1 4.1 and earlier, the options are a little more complex:
  • Any (the default): All addresses are considered valid on this interface. Note that IP Options checking is still performed in this mode (which is how a lot of packets are "spoofed" from the Internet).
  • No Security Policy: Do not enforce any security policy on this interface. Not only does this include anti-spoofing, but this includes your policy as well. Use with extreme caution!
  • This Net: Probably the most misunderstood of the options. What this specifically means is "the logical network this interface is on." Contrary to popular belief, there is no magic to this, as it is defined by the interface's IP address and netmask per the configuration screen. All other networks are not considered valid for that interface.
  • Specific: A group of network objects (networks, hosts) that define the "valid addresses" for this interface. Typically used where there are multiple networks reachable from this interface and/or when Network Address Translation is used. If a host reachable from this interface has a "translated" IP address, you will need to include the "translated" IP address in this interface's "valid addresses" setting.
  • Others: This is used on the interface facing your Internet connection. Specifically, it means "all IP addresses not specified as valid on other FireWall-1 interfaces."
  • Others+: This allows you to specify IP addresses that appear on both your internal and external interfaces. This is usually needed when you are doing NAT in certain situations, running OSPF on both the internal and external interfaces, or running VRRP.

How To?



So in your example above, you will need to first define a network object that will identify network 10.203.0.0. Let's call it 'network-10.203'. Then:

le0: Others (connection to internet router)
le1: This Net (connection to DMZ)
le2: network-10.203 (connection to router for internal 10.203)
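As an added illustration (not part of the FAQ and not Check Point code), the following models the valid-address check described above for the recommended three-interface layout: "This Net" and "Specific" admit only their own networks, "Others" admits whatever no other interface claims, and "Others+" additionally admits its own group. The DMZ netmask (192.168.182.0/24) and the mask of network-10.203 (10.203.0.0/16) are assumed; the NG handling of multicast and broadcast is modelled as stated in the FAQ.

```python
# Added example: models Check Point's valid-address (anti-spoofing) check for the
# le0/le1/le2 layout recommended above. Not Check Point code; netmasks are assumed.
import ipaddress

# Interface -> (mode, valid networks). "others" ignores its list; "others_plus"
# admits its list even where another interface also claims those addresses.
# Assumed: DMZ is 192.168.182.0/24, internal 'network-10.203' is 10.203.0.0/16.
CONFIG = {
    "le0": ("others", []),                                                # Internet
    "le1": ("this_net", [ipaddress.ip_network("192.168.182.0/24")]),     # DMZ
    "le2": ("specific", [ipaddress.ip_network("10.203.0.0/16")]),        # network-10.203
}


def _claimed_elsewhere(config, exclude):
    """Networks explicitly defined as valid on every interface except `exclude`."""
    return [n for name, (mode, nets) in config.items()
            if name != exclude and mode in ("this_net", "specific")
            for n in nets]


def is_valid_address(ifname, ip, config=CONFIG):
    """True if `ip` is a legitimate source arriving on `ifname` (and, in 4.1 and
    earlier, a destination that may be routed out of `ifname`)."""
    addr = ipaddress.ip_address(ip)
    # NG accounts for multicast and the all-ones/all-zeros broadcasts automatically.
    if addr.is_multicast or str(addr) in ("255.255.255.255", "0.0.0.0"):
        return True
    mode, nets = config[ifname]
    if mode in ("this_net", "specific"):
        return any(addr in n for n in nets)
    # "others": anything not claimed by another interface;
    # "others_plus": the same, plus its own group regardless of other claims.
    if mode == "others_plus" and any(addr in n for n in nets):
        return True
    return not any(addr in n for n in _claimed_elsewhere(config, ifname))


def check_packet(ifname, src, config=CONFIG):
    """Verdict for a packet entering `ifname`; a Spoof Track hit is 'drop (spoofed)'."""
    return "accept" if is_valid_address(ifname, src, config) else "drop (spoofed)"


if __name__ == "__main__":
    # Constructed sample traffic: an internal address arriving from the Internet side
    # is exactly the spoof this configuration is meant to catch.
    for iface, src in [("le0", "203.0.113.7"), ("le0", "10.203.5.9"),
                       ("le2", "10.203.5.9"), ("le1", "192.168.1.8")]:
        print(f"{iface} src={src}: {check_packet(iface, src)}")
```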

What if I have things that can appear on all interfaces (e.g. the all-ones or all-zeros broadcast)?



You will need to add the appropriate items in the anti-spoof group for all interfaces. For the "Others" interface, you will need to create a group and use "Others+" and reference that group.

What about NAT?



When NAT is involved, you need to make sure any destination static translations appear in the appropriate interface's anti-spoofing configuration in 4.1 and earlier versions. Since NAT can occur before routing in NG if "Perform Destination Static Translation on Client Side" is enabled in the Global Properties, you do not need to worry about including NAT addresses in your anti-spoofing configuration.

-- PhoneBoy - 14 Jan 2004
