Anti-Spoofing Internal Workings??

[chuachongchee]

Hi All,

Jus wanna find out more on excatly how anti-spoofing works... this is my gut feel from my experience.. correct me if i'm wronng... here goes...

On internal designated interfaces, this will ensure that if x,y networks are behind the interfaces, only x,y networks will be allowed, the rest will be dropped..

On External designated interfaces, this will ensure that anything that is not designated internal will be dropped... lets say internal has x,y,z networks... anything designated external will drop the above mentioned, the rest are allowed...

This correct??

[chillyjim]

You got it.

[cciesec2006]

also wanted to add that Checkpoint calls it "anti-spoofing" while
cisco refers to as "Unicast Reversed-Path Forwarding" uRPF.

The other thing worth mentioning is that if you have an
environment where asymetric routing exists such as dual-ISP
connection for your Internet connection upstream. In that
case you may want to use "loose" mode instead of "strict"
mode.

[chuachongchee]

Quote:

Originally Posted by cciesec2006

also wanted to add that Checkpoint calls it "anti-spoofing" while
cisco refers to as "Unicast Reversed-Path Forwarding" uRPF.

The other thing worth mentioning is that if you have an
environment where asymetric routing exists such as dual-ISP
connection for your Internet connection upstream. In that
case you may want to use "loose" mode instead of "strict"
mode.

hmm.. hehe... doesnt cisco call this "Anti-Spoofing" too??!? Some time back when i still touched cisco products... i kinda remember i checked for Anti-spoof and configure it according to the KB... hehe

Another note... on Asymmetric routing.. isnt this so called not supported by Checkpoint?? This is so called a security breach isn't it??

On the HA cluster type... theres this "Support non-sticky connections."... isnt this the one that will allow Asymmectric to work when in so called HA environment??

[chillyjim]

Quote:

Originally Posted by chuachongchee

hmm.. hehe... doesnt cisco call this "Anti-Spoofing" too??!? Some time back when i still touched cisco products... i kinda remember i checked for Anti-spoof and configure it according to the KB... hehe

The commands are reverse path forwarding, the feature is anti-spoofing.

Quote:

Another note... on Asymmetric routing.. isnt this so called not supported by Checkpoint?? This is so called a security breach isn't it??

Asymmetric routing is a bad thing in general. The case that cciesec brings up is a little different, but one would hope that your firewall is inside your ISPs so you don't have the issue.

For a truly statefull firewall, you cannot "support" asymmetric routing, because it breaks state.

Quote:

On the HA cluster type... theres this "Support non-sticky connections."... isnt this the one that will allow Asymmectric to work when in so called HA environment??

That has to due with keeping a connection passing through a given module for the duration of the connection in a clustered (aka active-active) environment.