I'm planning to implement IP drop - under Zone protection on a production system. I'm really only interested in the ' IP Spoofing ' aspect & I'd like to understand a little more on how it works so that I can addresses any issues, should they arise. Is the basis of IP spoofing to stop any RFC 1918 addresses from coming into the FW from the untrusted zone ?
High level setup.
Two interfaces - one Untrusted zone with connectivity to the Internet and the other on the trust Zone, the local subnets live behind this trusted zone.
I have a couple of static routes within the VR
0.0.0.0/0 to the ISP's Router
192.168.60.X/24 pointing to the internal L3 Switch for routing to the Local LAN
From what I have read I'm understanding the following.
The zone protection is applied to the Untrusted Zone ?
This will check the source IP address of the inbound packet ?
This will check the routing table to check that the source IP is expected on that Untrusted Interface ?
I wanted to look at the following and if the packet would get dropped because of IP spoofing or not.
From my internal network src=192.168.50.150 a client needs to get out to the Internet to 18.104.22.168
The IP drop check will be done on the interface connected to the ISP and applied ingress
The traffic outbound from the client to the Internet would be allow, since I'm not checking anything on that trusted Interface.
The return traffic would come into the FW and be checked. since the routing tables allows all traffic with the 0.0.0.0/0 , this traffic would be allowed. The orginial source ( from the .150 ) address internally would also be allowed since this subnet is also within the routing table and on a interface which is the firewall expects it to be in , ie. LAN / Trust side. Does this sound correct ?
If the source client address was 172.16.100.1 for example, then this traffic would be allowed out to the Internet but the return traffic would be dropped, since the FW would check the destination and not find it in the routing table for that internal interface ? Is this correct ?
Inbound from the Untrusted Zone would allow any IP address except any subnet found on the Trusted Zone routing table or Interface ??
Ideally apply zone protection to all interfaces for maximum protection
spoofing will use the routing table to determine where IP subnets 'live' and block inbound packets that should come from a different zone (ie. 192.168.50.1 coming in on the untrust interface)
Spoofing can also only be applied to the first packet in a session, if you initiate a session from inside, it is 1. to be assumed your destination IP is not spoofed (as it is reachable through routing) and 2. impossible to verify if the external ip is spoofed as your internal agent made a connection to it.
if someone were to try an injection attack, other defence mechnisms will check for logic (sequence numbers etc) in the flow to deter such attacks
in your example 172.16.100.1 would only be allowed out if you have zone protection on the external zone exclusively, adding zone protection on al zones would prevent this
if the packet were to be allowed outside, you are in fact spoofing that IP: return packets would never return to you as routing decissions upstream (your ISP or next hop) would try to get the packet to the actual owner of the IP (most ISPs will discard rfc1918 ips)
If the packet were to be returned to you, the firewall would discard the packet as there is no route back to the client, but this would be a routing action, not a spoofing action (as antispoofing is only performed on the first packet in a session)
hope this helps
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!