CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Anti-Spoofing: Useful or pain in the ***?

  1. #1
    Join Date
    2012-11-22
    Posts
    1
    Rep Power
    0

    Anti-Spoofing: Useful or pain in the ***?

    Hi Folks!
    As the caption indicates, I thought about this feature last week. We had some tricky problems in the past. After some hours of troubleshooting, we detected a missing net in the Anti-Spoofing Group.

    What do you think, is this feature state-of-the-art?
    Do we need to configure this?
    Can we thoroughly recommend disabling this feature?
    Do we lose security?
    Do you use this kind of feature in your firewall?

    All answers/opinions welcome! :)

    cheers
    Niko

  2. #2
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,252
    Rep Power
    16

    Re: Anti-Spoofing: Useful or pain in the ***?

    Anti-spoofing is Check Point's way of establishing directionality on the firewall when it comes to enforcing the rulebase. Other vendors' firewalls will use Zones or security levels to do basically the same thing. While the official CCSA R75 courseware only has about 1.5 pages covering anti-spoofing, I'll spend a good 20-30 minutes covering it in class, as it tends to be a Check Point feature that will really trip up firewall administrators who are migrating from another firewall such as Juniper or Cisco. It can be a very hard lesson to learn that not quite everything is enforced in the Check Point rulebase itself, and anti-spoofing has a completely separate enforcement mechanism. Use of Security Zones (which Check Point does not support) tends to clear this up by explicitly using Zones in the rulebase.

    If anti-spoofing is disabled you will of course get a lovely warning every time you install policy. By not enabling anti-spoofing there is no directionality assigned to the rulebase (what I mean by "directionality" is having clear definitions of traffic going outside->inside, inside->outside, etc.) and the firewall will be vulnerable to believing spoofed IP addresses in packets and permitting traffic in the wrong "direction". While this IP spoofing vulnerability by itself is not a killer it can be leveraged with other attack vectors to do some real damage, and any decent auditor will flag your firewall for not having anti-spoofing set.

    I keep wondering if Check Point will ever support Security Zones, as it does make certain operations such as NAT much easier to control (example - migrating a NAT config from a Cisco to a Check Point is not fun) and reduces the number of objects you need to create & add to your rulebase significantly. However, one thing that anti-spoofing will help you catch is unusual traffic paths in your network such as asymmetric routing; having unusual or flat-out broken routing situations in your network will tend to get those offending packets killed by anti-spoofing enforcement. You may think you know exactly how traffic is traversing your network & firewall, but until you have anti-spoofing completely configured and working, you most certainly do not. :-)

  3. #3
    Join Date
    2010-06-28
    Posts
    22
    Rep Power
    0

    Re: Anti-Spoofing: Useful or pain in the ***?

    Anti-spoofing is only a "pain in the ***" if you don't understand what it's doing and how it works. When anti-spoofing blocks something it's pretty obvious from Tracker and should be straightforward to resolve. It's pretty worrying how many firewall engineers I've heard say that they disabled anti-spoofing because it was causing issues.

    I prefer the way Fortinet automates anti-spoofing configuration by utilising the routing tables.

  4. #4
    Join Date
    2006-07-28
    Location
    San Francisco, USA
    Posts
    2,494
    Rep Power
    17

    Re: Anti-Spoofing: Useful or pain in the ***?

    Quote Originally Posted by belongamick:
    I prefer the way Fortinet automates anti-spoofing configuration by utilising the routing tables.
    Check Point can semi-automate this, by retrieving topology. Problem is that you need to actually do that step every time you change routes, and it's easy for people to forget about it.

    To the OP, it's not a 'state of the art' feature - it's actually a vanilla feature that has been there for years, and should be well understood. Conceptually it's simple enough to understand, and if you think about it, it's the sort of thing you should be implementing in your ACLs on your border routers too. Possibly not as granular, but your border routers should, at a minimum, drop anything inbound that has a private source, or a source with your own IP address ranges. Similarly, outbound should only have your public addresses as a source.

    To answer your questions:
    What do you think, is this feature state-of-the-art? - it's a standard feature, nothing special, nothing difficult to learn.
    Do we need to configure this? - absolutely, unless you have a very good reason for not doing so, and you fully understand the implications of that choice. Not just because you don't understand anti-spoofing.
    Can we thoroughly recommend disabling this feature? No, never.
    Do we lose security? Yes, you will.
    Do you use this kind of feature in your firewall? Yes, of course. And I configure similar things on my routers.

  5. #5
    Join Date
    2007-07-12
    Posts
    143
    Rep Power
    14

    Re: Anti-Spoofing: Useful or pain in the ***?

    It's one of those Check Point things that is poorly explained in the training and not often updated in real life, so most CP admins don't really understand it very well.

    If you're used to a zone/interface based firewall like pretty much everything else on the market it kind of makes sense, except CP makes it "easy" for you by automating some of it and forcing you to deal with it in other situations. It's a very useful and necessary feature but still doesn't solve the "Any" problem.

  6. #6
    Join Date
    2005-11-25
    Location
    United States, Southeast
    Posts
    857
    Rep Power
    16

    Re: Anti-Spoofing: Useful or pain in the ***?

    The easiest way to think of Anti-spoofing is that:

    Anti-spoofing should mirror your routing. Reference SecurePlatform route analysis script

    Which brings up an interesting idea.

    CheckPoint Firewall looks at the routing table for a number of features: 'Get Topology / Interfaces with Topology', ISP redundancy, VPN Link selection, among others.
    Why not an option under Anti-spoofing that causes the firewall to monitor the routing table and automatically adjust it, under the hood, based on the current state of and changes to the routing table?

    Something like:

    Internal
    ++ Not Defined
    ++ Network Defined by the Interface IP and Net Mask
    ++ Specific ..
    ++ Match/Follow routing table

  7. #7
    Join Date
    2006-05-04
    Posts
    32
    Rep Power
    0

    Re: Anti-Spoofing: Useful or pain in the ***?

    Quote Originally Posted by belongamick:
    Anti-spoofing is only a "pain in the ***" if you don't understand what it's doing and how it works. When anti-spoofing blocks something it's pretty obvious from Tracker and should be straightforward to resolve. It's pretty worrying how many firewall engineers I've heard say that they disabled anti-spoofing because it was causing issues.

    I prefer the way Fortinet automates anti-spoofing configuration by utilising the routing tables.
    +1. When we bought a SonicWall that did anti-spoofing by simply using the routing table, I said "duh", why didn't Check Point think of that? Saves time, one less thing to configure, and it's always the same as the routing table anyway.

  8. #8
    Join Date
    2008-01-10
    Location
    Orlando, FL
    Posts
    107
    Rep Power
    14

    Re: Anti-Spoofing: Useful or pain in the ***?

    Quote Originally Posted by belongamick:
    Anti-spoofing is only a "pain in the ***" if you don't understand what it's doing and how it works. When anti-spoofing blocks something it's pretty obvious from Tracker and should be straightforward to resolve. It's pretty worrying how many firewall engineers I've heard say that they disabled anti-spoofing because it was causing issues.
    I concur. It is, as someone else mentioned, a pretty vanilla feature. All it does is make sure the IP ranges coming into an interface should be coming into that interface. In general, non-WAN-connected interfaces would allow traffic that is on the same subnet as that interface (network defined by interface IP/Mask). For private WAN traffic coming in, we define a group and add those networks to the group.

    As someone mentioned, this process is sort of automated via the Get Topology option... It creates the anti-spoofing based on your routing tables... However, I am not a fan of the naming convention it uses for the created groups; it doesn't scale well or organize things in a fashion that is great if you have lots of firewalls and lots of interfaces... So I manage my anti-spoofing manually, and with the naming conventions I like...
    Last edited by syn-ack; 2012-12-05 at 17:54.
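The rule the posts above keep returning to, that anti-spoofing should mirror the routing table (#6) and that a packet's source range must be one that belongs behind the interface it arrived on (#8), is easy to model. The script below is an added illustration, not Check Point code or a Check Point API: it derives per-interface anti-spoofing sets from a constructed `ip route`-style table, audits a hand-maintained group for exactly the "missing net" the original poster hit, and classifies sample packets the way the Tracker entries would read. The interface names, addresses and the configured groups are all made up for the example. The external leg (the interface holding the default route) rejects any source that lives behind an internal interface, plus, optionally, the border-router rule from #4 of dropping RFC1918 sources inbound; how Check Point itself evaluates the external interface is only approximated here.

```python
import ipaddress
from collections import defaultdict

# Constructed sample routing table in `ip route` style (made up for this example,
# not taken from any real gateway).
ROUTING_TABLE = """\
default via 203.0.113.1 dev eth0
203.0.113.0/29 dev eth0
10.10.0.0/24 dev eth1
10.20.0.0/16 via 10.10.0.254 dev eth1
192.168.50.0/24 dev eth2
"""

# Constructed "manually maintained" anti-spoofing groups. eth1 was never updated
# when the 10.20.0.0/16 route was added, the kind of gap that shows up as
# mysterious drops in Tracker.
CONFIGURED_GROUPS = {
    "eth1": [ipaddress.ip_network("10.10.0.0/24")],
    "eth2": [ipaddress.ip_network("192.168.50.0/24")],
}

# RFC1918 space, for the border-router style filter mentioned in the thread.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_routes(text):
    """Return (default_iface, {iface: [networks]}) from `ip route`-style lines."""
    default_iface = None
    nets = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if not parts or "dev" not in parts:
            continue
        iface = parts[parts.index("dev") + 1]
        if parts[0] == "default":
            default_iface = iface
        else:
            nets[iface].append(ipaddress.ip_network(parts[0]))
    return default_iface, dict(nets)


def derive_topology(text):
    """Anti-spoofing mirrors routing: an internal interface may only source the
    networks routed through it; the interface carrying the default route is the
    external leg and may source anything that is NOT behind an internal interface."""
    default_iface, nets = parse_routes(text)
    internal = {iface: n for iface, n in nets.items() if iface != default_iface}
    return default_iface, internal


def is_spoofed(topology, iface, src, border_filter=True):
    """True if a packet with source `src` should never have arrived on `iface`."""
    default_iface, internal = topology
    src = ipaddress.ip_address(src)
    behind_internal = any(src in n for nets in internal.values() for n in nets)
    if iface == default_iface:
        # External leg: our own internal ranges never arrive from the Internet.
        # With border_filter, also drop RFC1918 sources, as a border router ACL would.
        return behind_internal or (border_filter and any(src in n for n in RFC1918))
    # Internal leg: only networks routed through this interface are legitimate sources,
    # so asymmetric routing or a forgotten route shows up here as a drop.
    return not any(src in n for n in internal.get(iface, []))


def audit_groups(configured, derived_internal):
    """Networks the routing table sends through an interface that the configured
    anti-spoofing group does not cover (the OP's 'missing net')."""
    missing = {}
    for iface, nets in derived_internal.items():
        conf = configured.get(iface, [])
        gap = [str(n) for n in nets if not any(n.subnet_of(c) for c in conf)]
        if gap:
            missing[iface] = gap
    return missing


def check_packets(topology, packets):
    """Log-style verdicts for (iface, src) pairs, mimicking what you'd look for in Tracker."""
    return [f"{iface} src={src} {'SPOOFED' if is_spoofed(topology, iface, src) else 'ok'}"
            for iface, src in packets]


if __name__ == "__main__":
    topo = derive_topology(ROUTING_TABLE)
    print("missing from configured groups:", audit_groups(CONFIGURED_GROUPS, topo[1]))
    sample = [("eth1", "10.10.0.7"), ("eth1", "10.20.3.4"), ("eth1", "192.168.50.9"),
              ("eth0", "198.51.100.20"), ("eth0", "10.10.0.7"), ("eth0", "172.31.0.1")]
    for line in check_packets(topo, sample):
        print(line)
```

Run as-is, the audit reports 10.20.0.0/16 missing from eth1's group, and the packet check flags 192.168.50.9 arriving on eth1 (a range that belongs behind eth2) and 10.10.0.7 arriving on the external leg. Re-running the audit after every routing change is the step #4 warns people forget when they rely on Get Topology.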

  9. #9
    Join Date
    2012-07-19
    Posts
    11
    Rep Power
    0

    Re: Anti-Spoofing: Useful or pain in the ***?

    Quote Originally Posted by mikebgn:
    I said "duh", why didn't Check Point think of that?
    This anti-spoofing feature reminds me of the origins of Check Point as a software-based firewall. Perhaps it would be time to rewrite it, but I believe that they are too busy developing new features.

  10. #10
    Join Date
    2006-03-19
    Location
    Northern Ohio
    Posts
    1,386
    Rep Power
    17

    Re: Anti-Spoofing: Useful or pain in the ***?

    Anti-spoofing is what keeps your network from being used as a UDP DoS source.

    We use a group to manually define the anti-spoofing network and we only put objects and networks in it that have a need to directly access the Internet and that's not much. I'll bet 95% of our internal network is not defined in the anti-spoofing group because they use a proxy or something else to keep them from accessing the Internet directly. They also don't have any NAT rules applied.

    We don't use a ton of host routes so our routing table is not even close to our anti-spoofing configuration.

    It's all about layers:

    • Not being in the LAN anti-spoof group means no direct UDP Internet access due to a configuration error.
    • Not being in the LAN anti-spoof group or having a NAT rule means no TCP connections in or out due to a misconfiguration.
    • Watching the logs for anti-spoofing messages alerts you to things on your network that should not be there.
