On Saturday, 2001/10/13 at 14:12 MST, bob bobing <[EMAIL PROTECTED]> wrote:

> Are you sure it can't find, deny, and log spoofed connections?
>
> http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/syslog/pixemapa.htm
>
> search for spoof...

You're right, Pix 5.2 appears to have added support for blocking source addresses that aren't routed out the same interface they arrived on. Note that no machine can know for sure that a source address has been spoofed; the most it can conclude is that some addresses are not to be expected on some interfaces. One message that pertains to spoof protection is:

>>
%PIX-1-106021: Deny protocol reverse path check from src_addr to dest_addr on interface int_name

Explanation: Someone is attempting to spoof an IP address on an inbound connection. Unicast Reverse Path Forwarding, also known as reverse route lookup, detected a packet that does not have a source address represented by a route and assumes it to be part of an attack on your PIX Firewall.
<<

Again, the Pix cannot be sure that the address was spoofed. All it knows is that it doesn't expect to see it on some interfaces. This occurs only if you configure "ip verify reverse-path". Note that this couldn't occur if you have a default route on that interface, which a Pix generally does on its outside interface. So this couldn't help for spoofing that is hitting you from the Internet.

Msg 106022, below, applies to existing connections and only when you do NOT specify "ip verify reverse-path":

>>
%PIX-1-106022: Deny protocol connection spoof from src_addr to dest_addr on interface int_name

Explanation: This message only happens if a connection exists and a packet matching the connection arrives on a different interface than the one the connection began on. For example, if a user starts a connection on the inside interface, but the PIX Firewall detects the same connection arriving on a perimeter interface, then either the PIX Firewall has more than one path to a destination, which is known as asymmetric routing and is not supported on the PIX Firewall, or an attacker is attempting to append packets from one connection to another as a way to break into the PIX Firewall. In either case, PIX Firewall displays this message and drops the connection.

Action: This message appears when ip verify reverse-path is not configured. Ensure routing is not asymmetric.
<<

As the message mentions, none of these methods work when routing is asymmetric.

A typical Pix configuration is to only allow outbound traffic. In that case, you don't really need the above features, since the only inbound traffic that will be allowed is traffic that it already has in its connection table (traffic that initiated from the inside).

When a Pix is used to protect servers that allow connections from the Internet, the above features also typically won't help you stop spoofing from the Internet (except maybe spoofing of your own internal addresses), since the Pix will have a default route on its Internet interface.

Regardless, I applaud Cisco for doing what it can to detect and block some kinds of traffic that could be spoofed.

Tony Rall

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
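To make the two checks discussed in the message concrete (the reverse-path lookup behind 106021 and the connection-interface comparison behind 106022), here is an added Python simulation. It is not Cisco code and not part of the original post; the interface names (inside, dmz, outside), the routing table, the connection entries and the packets are all constructed for illustration. It reproduces the caveats Tony raises: a reverse-path check only says "not expected on this interface", and a default route on the outside interface lets any Internet-looking source pass that check, so only spoofing of your own internal prefixes is caught there.

```python
"""Simulated PIX-style reverse-path (uRPF) and connection-spoof checks.

Added example; not Cisco's implementation. Routes, interfaces and packets
below are constructed to illustrate the behaviour described in the message.
"""
import ipaddress
from dataclasses import dataclass

# Constructed routing table: (prefix, egress interface).
# The 0.0.0.0/0 entry models the default route a PIX typically has
# on its Internet-facing ("outside") interface.
ROUTES = [
    (ipaddress.ip_network("10.0.0.0/8"), "inside"),
    (ipaddress.ip_network("192.168.50.0/24"), "dmz"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
]


def egress_interface(addr, routes=ROUTES):
    """Longest-prefix match: the interface we would route *to* addr on."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def reverse_path_check(src_addr, arrival_iface, routes=ROUTES):
    """Mirror of 'ip verify reverse-path' (message 106021).

    Accept only if the route back to the source leaves via the interface
    the packet arrived on. The result means "expected here" or "not
    expected here"; it can never prove the source was spoofed.
    Returns (accept: bool, reason: str).
    """
    expected = egress_interface(src_addr, routes)
    if expected is None:
        return False, "no route to source"
    if expected != arrival_iface:
        return False, f"reverse path check failed: source routes via {expected}"
    return True, "ok"


@dataclass(frozen=True)
class ConnKey:
    """5-tuple identifying an entry in the connection table."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def connection_spoof_check(conn_table, key, arrival_iface):
    """Mirror of message 106022 (only meaningful without reverse-path).

    conn_table maps ConnKey -> interface the connection began on. If a
    packet for a known connection shows up on a different interface, drop
    it. As the Cisco text notes, legitimate asymmetric routing trips this
    too, so it is a routing-hygiene requirement as much as a spoof check.
    Returns (accept: bool, reason: str).
    """
    origin = conn_table.get(key)
    if origin is None:
        return True, "no existing connection"
    if origin != arrival_iface:
        return False, f"connection spoof: began on {origin}, now on {arrival_iface}"
    return True, "ok"


def demo():
    """Run constructed packets through both checks; returns a summary dict."""
    results = {
        # Internal prefix claimed by a packet arriving from the Internet:
        # caught, because 10.0.0.0/8 routes via "inside", not "outside".
        "internal_src_from_outside": reverse_path_check("10.1.2.3", "outside")[0],
        # Arbitrary Internet address arriving on outside: passes, spoofed or
        # not, because the default route makes every such source "expected".
        "internet_src_from_outside": reverse_path_check("203.0.113.7", "outside")[0],
        # Internet address arriving on inside: not expected there, dropped.
        "internet_src_from_inside": reverse_path_check("203.0.113.7", "inside")[0],
    }
    key = ConnKey("tcp", "10.1.2.3", 40000, "203.0.113.7", 80)
    table = {key: "inside"}  # constructed: connection began on inside
    results["conn_same_iface"] = connection_spoof_check(table, key, "inside")[0]
    results["conn_other_iface"] = connection_spoof_check(table, key, "dmz")[0]
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accept' if accepted else 'drop'}")
```

The `internet_src_from_outside` case is the one that matters operationally: with a default route on the outside interface the reverse-path check accepts every non-internal source, which is exactly why the message says it cannot stop spoofing that arrives from the Internet.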
