Are you sure it can't find, deny, and log spoofed connections?
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/syslog/pixemapa.htm
search for spoof...

> The only way I know of for a Pix, or any type of box, to identify spoofing
> is by filters that know which source addresses are permissible for
> incoming traffic on an interface. With some Cisco IOS versions (not
> available on Pix) you can use "ip verify unicast reverse-path" - a very
> nice trick that uses the box's routing table to determine whether to allow
> a source address. The address, when used as a destination, must be routed
> out the same interface it arrived on; else it gets discarded. Boxes
> without such a nice control have to have hardcoded access lists which
> statically permit only the source addresses that the admin thinks should
> be arriving on an interface.
>
> But that only works for interfaces which don't have a default route and
> that don't use dynamic routing (which is not, unfortunately, an issue on
> the Pix). If the Pix is connected to the Internet typically its outside
> interface will be configured with a default route. There is no way it can
> identify or block spoofed traffic arriving at such an interface (but it
> can, if so configured with access lists, block address ranges that it
> knows should never arrive on that interface, such as RFC 1918 addresses and
> its own inside address ranges).
>
> My answer to the original question is that Pix cannot identify spoofing
> (but it can statically filter by address, which may be used to block
> spoofing in some cases).

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
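The two mechanisms the quoted reply contrasts, a routing-table based reverse-path check and a static source-address access list, modelled in Python as an added example. This is not code from the original post or from Cisco; the routing table, the interface names, the RFC 5737 documentation addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and the helper names route_lookup, urpf_strict, static_acl_outside and classify are all constructed for the illustration. The reverse-path check is modelled with a switch for whether a match on the default route alone counts as a valid reverse path (the behaviour the allow-default keyword gives in later IOS uRPF syntax), so both ways of running it on a default-route interface can be seen.

```python
import ipaddress

# Constructed routing table for a hypothetical firewall: (prefix, egress interface).
# The outside interface carries the default route, as an Internet-facing box
# typically would. Addresses are RFC 5737 documentation ranges.
ROUTES = [
    ("0.0.0.0/0", "outside"),         # default route toward the Internet
    ("192.0.2.0/24", "inside"),       # the box's own inside range
    ("198.51.100.0/24", "dmz"),       # a DMZ range
]

# Static source filter for the outside interface, modelling the access list the
# reply describes: RFC 1918 space plus the box's own inside and DMZ ranges
# should never arrive from the Internet.
OUTSIDE_DENY_SOURCES = [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "192.0.2.0/24", "198.51.100.0/24",
]


def route_lookup(routes, src):
    """Longest-prefix match. Returns (network, egress_interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict(routes, src, ingress, allow_default=True):
    """Strict unicast reverse-path check: the source address, used as a
    destination, must route back out the interface the packet arrived on.
    With allow_default=False a match on the default route alone does not
    satisfy the check (IOS uRPF behaviour without 'allow-default')."""
    hit = route_lookup(routes, src)
    if hit is None:
        return False
    net, egress = hit
    if net.prefixlen == 0 and not allow_default:
        return False
    return egress == ingress


def static_acl_outside(src):
    """Static access list on the outside interface: deny listed source ranges."""
    addr = ipaddress.ip_address(src)
    return not any(addr in ipaddress.ip_network(p) for p in OUTSIDE_DENY_SOURCES)


def classify(routes, src, ingress, allow_default=True):
    """Both verdicts for one packet as 'permit'/'deny' strings. The static
    ACL is only applied on the outside interface in this model."""
    urpf = urpf_strict(routes, src, ingress, allow_default)
    acl = ingress != "outside" or static_acl_outside(src)
    return {"urpf": "permit" if urpf else "deny",
            "acl": "permit" if acl else "deny"}


if __name__ == "__main__":
    # Constructed sample packets: (source address, ingress interface).
    SAMPLE_PACKETS = [
        ("203.0.113.7", "outside"),   # an Internet source, real or spoofed
        ("10.1.1.1", "outside"),      # RFC 1918 source from the Internet
        ("192.0.2.5", "outside"),     # our own inside range from the Internet
        ("203.0.113.7", "inside"),    # Internet source arriving from inside
        ("192.0.2.5", "inside"),      # legitimate inside host
    ]
    for src, ingress in SAMPLE_PACKETS:
        print(f"{src:>13} on {ingress:<7}", classify(ROUTES, src, ingress))
```

Running the sample packets shows the point the reply makes: an arbitrary Internet source arriving on outside passes both checks whether or not it is spoofed, because the default route makes every otherwise-unrouted address look as if it belongs out that interface; if the default route is not accepted as a reverse path, the same packet is dropped along with all legitimate Internet traffic, so the check is unusable on that interface either way. An RFC 1918 source on outside passes the reverse-path check for the same reason and is caught only by the static list. The reverse-path check does still reject a source from the box's own inside range arriving on outside, and an Internet source arriving on the inside interface, since those have a more specific route out another interface.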
