RE: [FW1] How to prevent IP address spoofing?
Dean,

Anti-spoofing is a bit tricky at times, especially if you are doing NAT. Try not to mix up your security policy rule base with anti-spoofing (although they are finally within the same policy that is enforced by the inspection module).

If this is practical at all, you knowing your network better, my suggestion would be to do the following (based on the info you are giving):

1. If you are NOT doing any network address translation, set the interfaces like so:

   e1   others
   e2   this net
   e3   specific   [group object with all internal networks]

2. If you are doing network address translation, remember that routing occurs before translation. So the packets are routed and checked for anti-spoofing before they are translated. Set the interfaces like so:

   e1   others+    [group containing NATed addresses defined on e2 and e3]
   e2   specific   [group containing DMZ net, and NATed addresses to DMZ]
   e3   specific   [group containing internal nets, and NATed addresses to internal nets]

   You need to define the NATed addresses that occur on e2 and e3 on e1, because the packet will appear on either both e1 and e2 or both e1 and e3.

Hope this helps...

Amin Tora
ePlus Technology Inc.
http://www.eplus.com

-----Original Message-----
From: Dean Landis II [mailto:[email protected]]
Sent: Friday, January 05, 2001 11:36 PM
To: [email protected]
Subject: [FW1] How to prevent IP address spoofing?
I am trying to prevent address spoofing and have reviewed the manuals about Workstation security properties on each workstation/firewall interface, but can't figure out exactly how to implement what I want. Perhaps workstation properties isn't even the correct place.

Basically this is my network (addresses changed a bit):

    Internet
       \
        \ 66.1.1.1  s1
          Rtr
        10.0.0.1  e1
            \
             \
        10.0.0.2  e1
             |
            FW1   10.1.1.1 e2 - - - - DMZ machines on 10.1.1.0 network
        10.2.1.1  e3
             |
      |--------------|
      Internal networks on 10.2.0.0 thru 10.254.0.0

Basically I only want specific 10.x.x.x IPs to be let in via a GRE tunnel from the Internet on the s1 interface of the router. I think I need to specify a rule for the 10.x.x.x IP on the e1 interface of the FW1. I also only want certain 10.x.x.x networks to come into the e2 interface. I don't want to specify every valid/invalid 10.x.x.x network.

I would like to apply the firewall rules to a specific interface of the FW1 firewall, as in:

  - Let 10.100.x.x in thru FW1 e1 but stop everything else.
  - Let 10.1.1.x into e2 but stop everything else.

It is also possible that e2 may have other networks cascaded off it, and they need to be allowed into e2 as well.

Right now I am unable to specify an 'inside' or 'outside', so I either permit all 10's anywhere or deny them everywhere.

Would appreciate any assistance on this.

Thx,
Dean

Dean Landis II
Landis.net

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
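A worked model of the two interface tables in the reply above, added here as an illustration; it is not code from the thread and not Check Point's inspection code. The Valid Addresses modes (this net / specific / others / others+) are modelled in simplified form: "others" means any address not defined on another interface, "others+" adds a group to that. The topology uses the thread's anonymised 10.x addresses with assumed masks, and the public NAT addresses 66.1.1.10 and 66.1.1.20 are constructed for the example.

```python
"""Toy model of per-interface anti-spoofing in the style of FireWall-1's
interface "Valid Addresses" settings (This net / Specific / Others / Others+).
Added example, not Check Point code: the semantics are simplified, the
topology is the thread's anonymised diagram with assumed masks, and the NAT
addresses 66.1.1.10 and 66.1.1.20 are constructed for the example."""
from ipaddress import ip_address, ip_network

# Constructed topology (assumed masks: /24 on the DMZ leg, /16 internal nets).
DMZ_NET = ip_network("10.1.1.0/24")
INTERNAL_NETS = [ip_network("10.2.0.0/16"), ip_network("10.3.0.0/16")]
DMZ_NAT = ip_network("66.1.1.10/32")       # static NAT for a DMZ host (assumed)
INTERNAL_NAT = ip_network("66.1.1.20/32")  # hide NAT for the internal nets (assumed)


class Iface:
    """One firewall interface and its Valid Addresses setting."""

    def __init__(self, name, mode, nets=()):
        assert mode in ("this_net", "specific", "others", "others+")
        self.name, self.mode, self.nets = name, mode, list(nets)


def address_valid_on(ifaces, name, addr):
    """True if addr is a legitimate address on the far side of interface `name`."""
    iface = next(i for i in ifaces if i.name == name)
    addr = ip_address(addr)
    in_own = any(addr in n for n in iface.nets)
    if iface.mode in ("this_net", "specific"):
        return in_own
    if iface.mode == "others+" and in_own:
        return True
    # 'others': everything that is NOT defined on some other interface.  This is
    # why NAT addresses listed on e2/e3 must be added back to e1 with 'others+'.
    return not any(addr in n for o in ifaces if o is not iface for n in o.nets)


def check_packet(ifaces, name, direction, src, dst):
    """Anti-spoofing verdict for one untranslated packet on one interface.

    Inbound: the source must be valid for the interface it arrived on.
    Outbound: the destination must be valid for the interface it leaves by.
    The check runs on the packet as routed, before NAT, which is the reply's
    point that routing and anti-spoofing happen before translation."""
    addr = src if direction == "in" else dst
    return "accept" if address_valid_on(ifaces, name, addr) else "spoofed"


def no_nat_policy():
    """First table from the reply: e1 others, e2 this net, e3 specific group."""
    return [
        Iface("e1", "others"),
        Iface("e2", "this_net", [DMZ_NET]),
        Iface("e3", "specific", INTERNAL_NETS),
    ]


def nat_policy(nat_on_inner=True):
    """Second table: NAT addresses on e1 (others+) and on the inner interface
    whose hosts they translate.  nat_on_inner=False shows the misconfiguration
    of listing them on e1 only."""
    dmz = [DMZ_NET] + ([DMZ_NAT] if nat_on_inner else [])
    inner = INTERNAL_NETS + ([INTERNAL_NAT] if nat_on_inner else [])
    return [
        Iface("e1", "others+", [DMZ_NAT, INTERNAL_NAT]),
        Iface("e2", "specific", dmz),
        Iface("e3", "specific", inner),
    ]


if __name__ == "__main__":
    p = no_nat_policy()
    # An internal address arriving from the Internet side is spoofed.
    print("e1 in  src 10.2.5.5   ->", check_packet(p, "e1", "in", "10.2.5.5", "10.1.1.10"))
    # The tunnel net 10.100/16 is not defined on e2/e3, so 'others' admits it.
    print("e1 in  src 10.100.1.1 ->", check_packet(p, "e1", "in", "10.100.1.1", "10.1.1.10"))
    # Internet packet to the DMZ host's public address, routed out e2 before NAT.
    for flag in (True, False):
        verdict = check_packet(nat_policy(flag), "e2", "out", "66.2.2.2", "66.1.1.10")
        print("NAT addr on e2 =", flag, "-> e2 out dst 66.1.1.10 ->", verdict)
```

The last loop is the NAT point of the reply: the packet to 66.1.1.10 is routed to e2 while still carrying its public destination, so unless that address is part of e2's group it is flagged as spoofed on the way out. Swapping e1 from "others+" to plain "others" in `nat_policy()` likewise makes 66.1.1.10 and 66.1.1.20 invalid on e1, because they are now defined on e2/e3.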