On Friday, 2001/10/12 at 12:25 CET, "Bruno Fernandes" <[EMAIL PROTECTED]> wrote:

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
>
> -is Pix able to identify/block IP-spoofing?
>
> Yes
The only way I know of for a Pix, or any type of box, to identify spoofing is by filters that know which source addresses are permissible for incoming traffic on an interface.

With some Cisco IOS versions (not available on Pix) you can use "ip verify unicast reverse-path" - a very nice trick that uses the box's routing table to determine whether to allow a source address. The address, when used as a destination, must be routed out the same interface it arrived on; else it gets discarded.

Boxes without such a nice control have to have hardcoded access lists which statically permit only the source addresses that the admin thinks should be arriving on an interface. But that only works for interfaces which don't have a default route and that don't use dynamic routing (which is not, unfortunately, an issue on the Pix).

If the Pix is connected to the Internet, typically its outside interface will be configured with a default route. There is no way it can identify or block spoofed traffic arriving at such an interface (but it can, if so configured with access lists, block address ranges that it knows should never arrive on that interface, such as rfc1918 addresses and its own inside address ranges).

My answer to the original question is that Pix cannot identify spoofing (but it can statically filter by address, which may be used to block spoofing in some cases).

Tony Rall

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
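Added example, not part of the list post and not Cisco's implementation: a Python simulation of the two mechanisms Tony contrasts, a strict reverse-path check against a routing table and a static ingress access list. The routing table, interface names and addresses are all constructed; it shows why a default route on the outside interface lets a spoofed public source through the reverse-path check while a static list still catches rfc1918 and the box's own inside ranges.

```python
"""Simulated strict reverse-path check versus static ingress ACL.

Routing table, interfaces and packets below are constructed for the
example; they are not taken from any real Pix or IOS configuration.
"""
import ipaddress

# Constructed routing table: (prefix, interface the prefix is reached via).
# The 0.0.0.0/0 default route points out the 'outside' interface.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
    (ipaddress.ip_network("10.1.0.0/16"), "inside"),
    (ipaddress.ip_network("10.2.0.0/16"), "dmz"),
]

# Constructed static ACL for the outside interface: source ranges that
# should never arrive from the Internet (rfc1918, which also covers the
# box's own 10.x inside and dmz ranges above).
OUTSIDE_DENY = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def route_lookup(addr):
    """Longest-prefix match: the interface addr would be routed out of."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, iface in ROUTES:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_strict(src, ingress):
    """Strict unicast reverse-path check: accept only if the route back
    to src leaves via the interface the packet arrived on."""
    return route_lookup(src) == ingress


def static_acl(src, ingress):
    """Static filter: drop known-bogus sources on the outside interface;
    other interfaces are left unfiltered in this example."""
    if ingress != "outside":
        return True
    ip = ipaddress.ip_address(src)
    return not any(ip in net for net in OUTSIDE_DENY)


if __name__ == "__main__":
    # Constructed packets: (source address, interface it arrived on).
    for src, ingress in [("10.1.5.5", "inside"), ("10.1.5.5", "outside"),
                         ("198.51.100.7", "outside"), ("203.0.113.9", "outside")]:
        print(f"{src:>14} via {ingress:<7} uRPF={urpf_strict(src, ingress)!s:<5} "
              f"ACL={static_acl(src, ingress)}")
```

Note that 203.0.113.9 arriving on "outside" passes both checks: with a default route every public source is "reachable" via outside, which is exactly the case the post says the box cannot detect.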
