Anti-Spoofing: Useful or pain in the ***?



auslaender6
2012-12-03, 06:35
Hi Folks!
As the caption indicates, I thought of this feature the last week. We had some tricky problems in the past. After some hours of troubleshooting, we detected a missing net in the Anti-Spoofing Group.

What do you think, is this feature state-of-the-art?
Do we need to configure this?
Can we thoroughly recommend disabling this feature?
Do we lose security?
Do you use this kind of feature in your firewall?

All answers/opinions welcome! :)

cheers
Niko

ShadowPeak.com
2012-12-03, 12:07
Anti-spoofing is Check Point's way of establishing directionality on the firewall when it comes to enforcing the rulebase. Other vendors' firewalls will use Zones or security-levels to do basically the same thing. While the official CCSA R75 courseware only has about 1.5 pages covering anti-spoofing I'll spend a good 20-30 minutes covering it in class as it tends to be a Check Point feature that will really trip up firewall administrators who are migrating from another firewall such as Juniper or Cisco. It can be a very hard lesson to learn that not quite everything is enforced in the Check Point rulebase itself, and anti-spoofing has a completely separate enforcement mechanism. Use of Security Zones (which Check Point does not support) tends to clear this up by explicitly using Zones in the rulebase.

If anti-spoofing is disabled you will of course get a lovely warning every time you install policy. By not enabling anti-spoofing there is no directionality assigned to the rulebase (what I mean by "directionality" is having clear definitions of traffic going outside->inside, inside->outside, etc.) and the firewall will be vulnerable to believing spoofed IP addresses in packets and permitting traffic in the wrong "direction". While this IP spoofing vulnerability by itself is not a killer it can be leveraged with other attack vectors to do some real damage, and any decent auditor will flag your firewall for not having anti-spoofing set.

I keep wondering if Check Point will ever support Security Zones, as it does make certain operations such as NAT much easier to control (example - migrating a NAT config from a Cisco to a Check Point is not fun) and reduce the number of objects you need to create & add to your rulebase significantly. However one thing that antispoofing will help you catch is unusual traffic paths in your network such as asymmetric routing; having unusual or flat out broken routing situations in your network will tend to get those offending packets killed by antispoofing enforcement. You may think you know exactly how traffic is traversing your network & firewall but until you have antispoofing completely configured and working, you most certainly do not. :-)

belongamick
2012-12-03, 17:39
Anti-spoofing is only a "pain in the ***" if you don't understand what it's doing and how it works. When anti-spoofing blocks something it's pretty obvious from Tracker and should be straightforward to resolve. It's pretty worrying how many firewall engineers I've heard say that they disabled anti-spoofing because it was causing issues.

I prefer the way Fortinet automates anti-spoofing configuration by utilising the routing tables.

northlandboy
2012-12-03, 18:11
I prefer the way Fortinet automates anti-spoofing configuration by utilising the routing tables.

Check Point can semi-automate this, by retrieving topology. Problem is that you need to actually do that step every time you change routes, and it's easy for people to forget about it.

To the OP, it's not a 'state of the art' feature - it's actually a vanilla feature that has been there for years, and should be well understood. Conceptually it's simple enough to understand, and if you think about it, it's the sort of thing you should be implementing in your ACLs on your border routers too. Possibly not as granular, but your border routers should, at a minimum, drop anything inbound that has a private source, or a source with your own IP address ranges. Similarly, outbound should only have your public addresses as a source.

To answer your questions:
What do you think, is this feature state-of-the-art? - it's a standard feature, nothing special, nothing difficult to learn.
Do we need to configure this? - absolutely, unless you have a very good reason for not doing so, and you fully understand the implications of that choice. Not just because you don't understand anti-spoofing.
Can we thoroughly recommend to disable this feature? No, never.
Do we lose security? Yes, you will.
Do you use this kind of feature in your firewall? Yes, of course. And I configure similar things on my routers.

marklar
2012-12-04, 20:54
It's one of those Check Point things that is poorly explained in the training and not often updated in real life, so most CP admins don't really understand it very well.

If you're used to a zone/interface based firewall like pretty much everything else on the market it kind of makes sense, except CP makes it "easy" for you by automating some of it and forcing you to deal with it in other situations. It's a very useful and necessary feature but still doesn't solve the "Any" problem.

alienbaby
2012-12-04, 22:06
The easiest way to think of Anti-spoofing is that:

Anti-spoofing should mirror your routing. Reference SecurePlatform route analysis script (https://www.cpug.org/forums/scripts-tools/16434-linux-secureplatform-route-analysis-script.html)

Which brings up an interesting idea.

Check Point firewalls look at the routing table for a number of features: 'Get Topology / Interfaces with Topology', ISP redundancy, VPN Link selection among others.
Why not an option under Anti-spoofing that causes the firewall to monitor the routing table and automatically adjust it, under the hood, based on the current state and changes to the routing table?

Something like:

Internal
++ Not Defined
++ Network Defined by the Interface IP and Net Mask
++ Specific ..
++ Match/Follow routing table
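As an added example (not code from any poster in this thread, and not Check Point's own implementation), the Python below derives per-interface anti-spoofing sets from a constructed routing table, the way the "Match/Follow routing table" option above or Get Topology would, and checks packets against them; strict=True adds northlandboy's border-router rule of dropping private sources inbound on the external interface, and stale_networks() finds the "missing net" the OP hit when routes change without the topology being refreshed. Interface names, prefixes and the route list are all constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed routing table (prefix, egress interface); the default route marks
# the interface Check Point would label "External".
ROUTES = [
    ("0.0.0.0/0", "eth0"),
    ("10.10.0.0/16", "eth1"),
    ("10.20.5.0/24", "eth1"),      # reached through an internal router
    ("192.168.100.0/24", "eth2"),  # DMZ
]
# RFC 1918 and loopback: sources a border ACL should never accept from the Internet.
PRIVATE = [ipaddress.ip_network(p) for p in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def topology_from_routes(routes):
    """Build {iface: [networks]} for internal interfaces and name the external one.
    Whatever is routed out of an interface is what may legitimately arrive on it."""
    internal, external = defaultdict(list), None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0:
            external = iface
        else:
            internal[iface].append(net)
    return dict(internal), external

def is_spoofed(src, iface, topology, external, strict=False):
    """True if a packet from src arriving on iface violates anti-spoofing.
    Internal interface: src must lie inside one of that interface's networks.
    External interface: src must not belong to any internal network; with
    strict=True (border-router style) private sources are rejected as well."""
    addr = ipaddress.ip_address(src)
    if iface == external:
        if any(addr in n for nets in topology.values() for n in nets):
            return True
        return bool(strict and any(addr in n for n in PRIVATE))
    nets = topology.get(iface)
    if nets is None:               # interface with no topology: fail closed
        return True
    return not any(addr in n for n in nets)

def stale_networks(routes, topology):
    """Networks now routed out of an interface but absent from an older topology:
    the 'missing net in the anti-spoofing group' that silently drops real traffic."""
    fresh, _ = topology_from_routes(routes)
    return {i: [n for n in nets if n not in topology.get(i, [])]
            for i, nets in fresh.items()
            if set(nets) - set(topology.get(i, []))}
```

Run stale_networks() with the live routes against the topology you last pushed before installing policy; anything it reports is a route change the anti-spoofing group has not caught up with.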

mikebgn
2012-12-05, 14:26
Anti-spoofing is only a "pain in the ***" if you don't understand what it's doing and how it works. When anti-spoofing blocks something it's pretty obvious from Tracker and should be straightforward to resolve. It's pretty worrying how many firewall engineers I've heard say that they disabled anti-spoofing because it was causing issues.

I prefer the way Fortinet automates anti-spoofing configuration by utilising the routing tables.

+1 When we bought Sonicwall that did anti-spoofing by simply using the routing table, I said "duh", why didn't Check Point think of that? Saves time, one less thing to configure and it's always the same as the routing table anyways.

syn-ack
2012-12-05, 17:17
Anti-spoofing is only a "pain in the ***" if you don't understand what it's doing and how it works. When anti-spoofing blocks something it's pretty obvious from Tracker and should be straightforward to resolve. It's pretty worrying how many firewall engineers I've heard say that they disabled anti-spoofing because it was causing issues.

I concur. It is, as someone else mentioned, a pretty vanilla feature. All it does is make sure the IP ranges coming into an interface should be coming into that interface. In general, non-WAN-connected interfaces would allow traffic that is on the same subnet as that interface (network defined by interface IP/Mask). For private WAN traffic coming in, we define a group and add those networks to the group.

As someone mentioned, this process is sorta automated via the Get Topology option... It creates the anti-spoofing based on your routing tables... However, I am not a fan of the naming convention it uses for the created groups; it doesn't scale well or organize things in a fashion that is great if you have lots of firewalls and lots of interfaces... So I manage my anti-spoofing manually, and with the naming conventions I like...

beruqc
2013-04-15, 13:56
I said "duh", why didn't Check Point think of that?

This anti-spoofing feature reminds me of the origins of Check Point as a software-based firewall. Perhaps it would be time to re-write it, but I believe they are too busy developing new features.

RayPesek
2013-04-15, 19:11
Anti-spoofing is what keeps your network from being used as a UDP DoS source.

We use a group to manually define the anti-spoofing network and we only put objects and networks in it that have a need to directly access the Internet and that's not much. I'll bet 95% of our internal network is not defined in the anti-spoofing group because they use a proxy or something else to keep them from accessing the Internet directly. They also don't have any NAT rules applied.

We don't use a ton of host routes so our routing table is not even close to our anti-spoofing configuration.

It's all about layers:

Not being in the LAN anti-spoof group means no direct UDP Internet access due to a configuration error.
Not being in the LAN anti-spoof group or having a NAT rule means no TCP connections in or out due to a misconfiguration.
Watching the logs for anti-spoofing messages alerts you to things on your network that should not be there.