Frank and Matthew,
The IP Spoofing prevention is configured in the object profile for each
firewall you have.
If you go to the Network Objects manager and bring up the profile for
your firewall, you will find some entries at the end of each interface.
Basically, you define the networks that are on each "side" of the
firewall so that the system is now "directionally-aware" of the networks
and can determine when someone is trying to spoof the firewall.
C Matthew Curtin wrote:
>
> >>>>> "Frank" == Frank Kargl <Frank.Kargl@rz.uni-ulm.de> writes:
>
> Frank> My question is, whether and how the FW-1 software is able to get
> Frank> it right to deny spoofed packets on the exterior interface
> Frank> claiming to be one of the internal hosts (esp. the server) or
> Frank> if this setup means any severe security risk.
>
> I haven't worked a LOT with Firewall-1, so I'll have to answer
> generically, and you'll need to figure out how to apply that to your
> setup.
>
> The bastion host, access router, and perhaps other components as well
> (i.e., your Firewall-1 box) should have rules that specifically say to
> deny packets that hit your external interface that have the source
> address set to be something that's yours.
>
> It's easy when you've separate network addresses (i.e., not subnetted
> to death), but becomes more difficult otherwise. I suspect that you'll
> need to put in a rule for each of your internal hosts given that setup
> you've got.
>
> One thing you might want to consider doing is using RFC1918 addressing
> for your internal networks, and saving all of the IP addresses from
> the ISP for your externally visible hosts. I believe that the
> Firewall-1 will do network address translation (NAT), so it shouldn't
> be a problem for you, even if you're working in a proxiless mode.
>
> http://www.cis.ohio-state.edu/htbin/rfc/rfc1918.html
>
> You also might want to consider adding ACLs on "Cisco1" that deny
> packets for anything from the internal Cisco1 interface on back into
> your private network. That way, if you get *anything* tripping FW-1's
> alarm for a forged packet, you know that something is amiss on the
> access router, and can probably safely assume that you're being
> attacked by someone who got through your router.
>
> --
> Matt Curtin cmcurtin@research.megasoft.com Megasoft, Inc Chief Scientist
> http://www.research.megasoft.com/people/cmcurtin/ I speak only for myself.
> Hacker Security Firewall Crypto PGP Privacy Unix Perl Java Internet Intranet
--
__________________________________
David Helms
Senior Technical Consultant
CheckPoint Software Technologies
ph 703.684.4824
fx 703.684.4847
davidh@checkpoint.com
__________________________________
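The per-interface anti-spoofing check both messages describe (deny a packet whose source address belongs to a network that does not sit behind the interface it arrived on), as an added illustration that is not part of this thread and is not FireWall-1 or Cisco code; the interface names, networks and packet records are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed topology in the style of the "directionally-aware" interface
# definitions discussed above: each interface lists the networks legitimately
# behind it. RFC1918 and documentation ranges only; no real site is modelled.
INTERFACE_NETWORKS = {
    "internal": [ip_network("192.168.1.0/24")],
    "dmz": [ip_network("192.168.2.0/24")],
    "external": None,  # None means "everything not listed elsewhere" (the Internet side)
}


def expected_interface(src):
    """Return the interface on which a packet with source address src should arrive."""
    addr = ip_address(src)
    for iface, nets in INTERFACE_NETWORKS.items():
        if nets and any(addr in net for net in nets):
            return iface
    return "external"  # not one of ours, so it may only come in from outside


def is_spoofed(iface, src):
    """True when the source address is inconsistent with the arrival interface."""
    return expected_interface(src) != iface


def audit(packets):
    """Apply the check to (iface, src, dst) records and return those that trip it."""
    return [(iface, src, dst) for iface, src, dst in packets if is_spoofed(iface, src)]


# Constructed packet records (arrival interface, source, destination).
SAMPLE_PACKETS = [
    ("external", "203.0.113.5", "192.168.1.10"),   # ordinary inbound traffic
    ("external", "192.168.1.10", "192.168.1.20"),  # claims an internal host from outside
    ("internal", "192.168.1.10", "203.0.113.5"),   # ordinary outbound traffic
    ("internal", "203.0.113.7", "192.168.1.10"),   # outside address seen on the inside
    ("dmz", "192.168.2.7", "203.0.113.5"),         # ordinary traffic from the DMZ
]

if __name__ == "__main__":
    for iface, src, dst in audit(SAMPLE_PACKETS):
        print(f"anti-spoofing: {src} -> {dst} arrived on {iface}, expected {expected_interface(src)}")
```

Only two records are flagged: the outside packet claiming an internal address, and the inside packet carrying an outside address, which is the case the router ACL in the reply above is meant to catch.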