Title: RE: PIX features

Here's a snip from the Cisco web page, PIX 6.1 command reference:

The ip verify reverse-path command lets you specify which interfaces to protect from an IP spoofing attack using network ingress and egress filtering, which is described in RFC 2267. This command is disabled by default and provides Unicast Reverse Path Forwarding (RPF) functionality for the PIX Firewall. The show ip verify command lists the ip verify commands in the configuration. The clear ip verify command removes ip verify commands from the configuration. Unicast RPF is a unidirectional input function that screens inbound packets arriving on an interface. Outbound packets are not screened.


-----Original Message-----
From: Tony Rall [mailto:[EMAIL PROTECTED]]
Sent: Saturday, October 13, 2001 12:26 AM
To: [EMAIL PROTECTED]
Subject: Re: PIX features


On Friday, 2001/10/12 at 12:25 CET, "Bruno Fernandes"
<[EMAIL PROTECTED]> wrote:
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> -is Pix able to identify/block IP-spoofing?
> Yes

The only way I know of for a Pix, or any type of box, to identify spoofing
is by filters that know which source addresses are permissible for
incoming traffic on an interface.  With some Cisco IOS versions (not
available on Pix) you can use "ip verify unicast reverse-path" - a very
nice trick that uses the box's routing table to determine whether to allow
a source address.  The address, when used as a destination, must be routed
out the same interface it arrived on; else it gets discarded.  Boxes
without such a nice control have to have hardcoded access lists which
statically permit only the source addresses that the admin thinks should
be arriving on an interface.

But that only works for interfaces which don't have a default route and
that don't use dynamic routing (which is not, unfortunately, an issue on
the Pix).  If the Pix is connected to the Internet typically its outside
interface will be configured with a default route.  There is no way it can
identify or block spoofed traffic arriving at such an interface (but it
can, if so configured with access lists, block address ranges that it
knows should never arrive on that interface, such as RFC 1918 addresses and
its own inside address ranges).

My answer to the original question is that Pix cannot identify spoofing
(but it can statically filter by address, which may be used to block
spoofing in some cases).

Tony Rall
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
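The two mechanisms discussed in this thread, strict unicast RPF (the `ip verify reverse-path` command quoted from the PIX 6.1 reference) and the static ingress access lists Tony Rall describes, can be modelled in a few lines. The following is an added example and not Cisco's code or anything posted on the list: the routing table, the deny list and the sample packets are constructed, and the helper names (`lookup_egress`, `strict_rpf_allows`, `acl_allows`, `ingress_check`) are hypothetical. It shows both the RPF rule (the source, used as a destination, must route back out the arrival interface) and the limitation raised in the reply: on an interface carrying the default route, RPF accepts any Internet source, so only the static ACL catches spoofed RFC 1918 and inside-range sources there.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed routing table for a hypothetical firewall: (prefix, egress interface).
# The egress interface is chosen by longest-prefix match, as a router/firewall does.
ROUTES: List[Tuple[str, str]] = [
    ("10.1.0.0/16", "inside"),
    ("192.168.50.0/24", "dmz"),
    ("0.0.0.0/0", "outside"),   # default route: everything else leaves via "outside"
]

# Constructed static ingress ACL: per interface, source ranges that must never arrive there.
# For "outside" this is RFC 1918 space, which also covers this firewall's inside/DMZ ranges.
DENY_SOURCES: Dict[str, List[str]] = {
    "outside": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}


def lookup_egress(dst: str, routes=ROUTES) -> Optional[str]:
    """Longest-prefix match: the interface a packet *to* dst would leave on, or None."""
    addr = ipaddress.ip_address(dst)
    best_iface, best_len = None, -1
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_iface, best_len = iface, net.prefixlen
    return best_iface


def strict_rpf_allows(src: str, in_iface: str, routes=ROUTES) -> bool:
    """Unicast RPF (strict mode): the source address, used as a destination, must
    route back out the interface it arrived on; an unroutable source is also dropped."""
    return lookup_egress(src, routes) == in_iface


def acl_allows(src: str, in_iface: str, deny=DENY_SOURCES) -> bool:
    """Static ingress ACL: drop if src falls in any range denied on in_iface."""
    addr = ipaddress.ip_address(src)
    return not any(addr in ipaddress.ip_network(p) for p in deny.get(in_iface, []))


def ingress_check(src: str, in_iface: str, routes=ROUTES, deny=DENY_SOURCES) -> str:
    """Combined verdict for an inbound packet: 'drop-acl', 'drop-rpf' or 'permit'."""
    if not acl_allows(src, in_iface, deny):
        return "drop-acl"
    if not strict_rpf_allows(src, in_iface, routes):
        return "drop-rpf"
    return "permit"


if __name__ == "__main__":
    # Constructed sample packets: (source address, arrival interface)
    samples = [
        ("10.1.5.5", "outside"),       # inside address arriving from the Internet: ACL catches it
        ("10.1.5.5", "inside"),        # legitimate inside host: routes back out "inside"
        ("203.0.113.9", "inside"),     # Internet source arriving on inside: RPF catches it
        ("203.0.113.9", "outside"),    # legitimate Internet source
        ("198.51.100.7", "outside"),   # may be spoofed, but the default route makes RPF accept it
    ]
    for src, iface in samples:
        print(f"{src:>14} on {iface:<8} -> {ingress_check(src, iface)}")
```

The last sample is the point of the reply: with `0.0.0.0/0` pointing out `outside`, every source not covered by a more specific route passes the RPF test on that interface, so RPF only buys protection on the inside and DMZ interfaces (where it stops inside hosts from sourcing Internet addresses), while the outside interface relies on the static deny list. Removing the default route from `ROUTES` makes `lookup_egress` return `None` for Internet sources, which is why the thread notes that RPF works on interfaces without one.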
