I'm planning to implement IP Drop under Zone Protection on a production system. I'm really only interested in the 'IP Spoofing' aspect, and I'd like to understand a little more about how it works so that I can address any issues, should they arise. Is the basis of IP spoofing to stop any RFC 1918 addresses from coming into the FW from the untrusted zone?

High-level setup: two interfaces, one in an Untrusted zone with connectivity to the Internet and the other in the Trust zone; the local subnets live behind this trusted zone. I have a couple of static routes within the VR:

0.0.0.0/0 to the ISP's router
192.168.50.X/24 and 192.168.60.X/24 pointing to the internal L3 switch for routing to the local LAN

From what I have read, I'm understanding the following:

The zone protection is applied to the Untrusted zone?
This will check the source IP address of the inbound packet?
This will check the routing table to confirm that the source IP is expected on that Untrusted interface?

I wanted to look at the following and work out whether the packet would get dropped because of IP spoofing or not.

From my internal network, src=192.168.50.150, a client needs to get out to the Internet to 8.8.8.8. The IP Drop check will be done on the interface connected to the ISP and applied ingress. The traffic outbound from the client to the Internet would be allowed, since I'm not checking anything on that trusted interface. The return traffic would come into the FW and be checked; since the routing table allows all traffic with the 0.0.0.0/0, this traffic would be allowed. The original source address (from the .150) internally would also be allowed, since this subnet is also within the routing table and on an interface where the firewall expects it to be, i.e. the LAN / Trust side. Does this sound correct?
If the source client address was 172.16.100.1, for example, then this traffic would be allowed out to the Internet, but the return traffic would be dropped, since the FW would check the destination and not find it in the routing table for that internal interface? Is this correct? Inbound from the Untrusted zone would allow any IP address except any subnet found on the Trusted zone routing table or interface?
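The following is an added example, not part of the post above and not PAN-OS code: a small Python model of a route-based ingress source-address check, run over the scenarios the poster lays out. It assumes (a) the check looks up the packet's source address in the virtual router's route table by longest-prefix match and compares the route's egress interface with the interface the packet arrived on, and (b) the profile is attached only to the untrust zone, so packets entering on the trust interface are never checked. Interface names, the route table and the sample packets are constructed for the illustration; forwarding, NAT and session lookup are deliberately out of scope, so the model says nothing about whether a packet that passes the check is ultimately routed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed route table modelled on the poster's description (hypothetical
# interface names, not a real device config): (prefix, egress interface).
ROUTES: List[Tuple[str, str]] = [
    ("0.0.0.0/0",       "ethernet1/1"),   # default route towards the ISP router
    ("192.168.50.0/24", "ethernet1/2"),   # LAN subnets behind the internal L3 switch
    ("192.168.60.0/24", "ethernet1/2"),
]

# Interface-to-zone mapping (assumed).
ZONE_OF: Dict[str, str] = {"ethernet1/1": "untrust", "ethernet1/2": "trust"}

# Zones whose zone protection profile has the spoofed-IP check enabled (assumed:
# only the untrust zone, as in the poster's plan).
SPOOF_CHECK_ZONES = {"untrust"}


def lookup(ip: str, routes: List[Tuple[str, str]] = ROUTES) -> Optional[str]:
    """Longest-prefix match: egress interface for `ip`, or None if no route covers it."""
    addr = ipaddress.ip_address(ip)
    best_net = None
    best_iface = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def spoof_verdict(ingress_iface: str, src_ip: str,
                  routes: List[Tuple[str, str]] = ROUTES) -> str:
    """Model of the ingress source check.

    'not-checked': the ingress zone has no spoof check enabled.
    'pass':        the source routes back out the interface it arrived on.
    'drop':        the source routes elsewhere (or nowhere), i.e. it looks spoofed.
    """
    zone = ZONE_OF[ingress_iface]
    if zone not in SPOOF_CHECK_ZONES:
        return "not-checked"
    expected = lookup(src_ip, routes)
    return "pass" if expected == ingress_iface else "drop"


def run_scenarios() -> Dict[str, str]:
    """Evaluate the packets discussed in the post; keys name each case."""
    return {
        # Client 192.168.50.150 -> 8.8.8.8 enters on the trust interface: no check there.
        "outbound_client_on_trust":   spoof_verdict("ethernet1/2", "192.168.50.150"),
        # Reply 8.8.8.8 -> client enters on untrust; 8.8.8.8 matches the default route.
        "return_from_8888_on_untrust": spoof_verdict("ethernet1/1", "8.8.8.8"),
        # A packet from the Internet claiming a LAN source: route says trust, so drop.
        "lan_source_from_untrust":    spoof_verdict("ethernet1/1", "192.168.50.7"),
        # RFC 1918 source with no specific route: only the default route covers it,
        # which points at untrust, so a purely route-based check lets it through.
        "unrouted_rfc1918_from_untrust": spoof_verdict("ethernet1/1", "172.16.100.1"),
    }


def verdict_without_default_route(src_ip: str) -> str:
    """Same check with the 0.0.0.0/0 route removed: an uncovered source has no
    egress interface at all and is therefore dropped."""
    routes = [r for r in ROUTES if r[0] != "0.0.0.0/0"]
    return spoof_verdict("ethernet1/1", src_ip, routes)


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:32s} -> {verdict}")
    print(f"{'8.8.8.8 with no default route':32s} -> {verdict_without_default_route('8.8.8.8')}")
```

The fourth scenario is the one worth dwelling on: with a default route on the untrust interface, a route-based check only rejects sources that the route table places on another interface (here, the trust-side subnets), not RFC 1918 space in general. Blocking private source ranges from the Internet is a separate control (for example, a security policy or an explicit discard for those prefixes), and this model does not stand in for PAN-OS's own implementation details.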