Vulnerability Development mailing list archives
Re: Automatic antispoofing rules on access servers.
From: Leon Rosenstein <l_rosenstein () MONTELSHOW COM>
Date: Wed, 20 Sep 2000 09:38:27 -0400
I have used Sonicwalls before and I believe (note the word believe, I don't know for concrete fact) that they work like this: the Sonicwall caches all outbound connections and then matches them up with returning inbound connections. If it does not have the originating connection cached it will drop the inbound connection (this is how it protects against spoofing). This sets up a very annoying sequence when the return connection (the inbound one) does not "match up" to where (port-wise) the Sonicwall thinks it should be. I found this particularly annoying with LiveUpdate from Symantec (among others). The firewall would cache the connection, expect it to come back on a certain port number, and when it would come back on a different one it would just drop it. I am not sure, but I believe this is how stateful packet inspection works. Please correct me (in public or private) if I am wrong, cause there is a good chance I am.

The typical prepackaged firewall configuration will only block things so badly spoofed that there is no way that the return address could be real. E.g., a packet with an address from the 10.0.0.0/8 subnet should never be seen outside of a private network. So if such a packet comes in from your DSL provider, it is a no-brainer to drop it on the floor. I think that most consumer-grade firewalls mean this when they advertise spoofing protection.

If you are only managing a single subnet, this is about as much protection as you would get from the Cisco RPF stuff. There is only one route, and if something comes in from the outside with a real IP that you don't own, you can't tell if it was spoofed. Once you have multiple subnets with static routes between them, you can hand-write packet filter rules to protect you from internal spoofing: packets from this subnet should not be heading out of that subnet, etc. Once you have dynamic routes, the Cisco RPF stuff starts to look real exciting.

External spoofing protection is still little better than the above-mentioned "drop those from private nets" because there isn't much better to do. When your topology is simple in the sense that you have all untrusted clients within subnets, each subnet having one router connecting to a backbone, then there is a simpler (and cheaper) approach which accomplishes the same thing. Add a rule to each router which only lets out packets whose return address is in the subnet. While you'll never know for certain which machine a packet came from, you'll at least know that your resident script kiddies are more limited in who they can pretend to be.
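The static anti-spoofing policy discussed in this message (drop private-range sources arriving on the uplink, drop packets arriving from outside that claim an internal source, and on each internal interface let out only packets whose source lies in that interface's subnet) can be written down as a small decision function. The block below is an added example, not code from the original post or from any of the participants; the three-interface topology, the use of the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 as the "internal" subnets, and the interface names are all constructed for illustration. It also renders the same policy as iptables FORWARD-chain rules, which goes slightly beyond the thread (the posters talk about Cisco access lists); the rendered strings are not executed.

```python
"""Added example: static anti-spoofing policy for a router with one uplink
and one interface per internal subnet. Constructed topology, not from the post."""
import ipaddress
from typing import Dict, List

# Sources that should never arrive on an external link: RFC 1918 space plus
# a few other well-known non-routable ranges (the "too badly spoofed to be
# real" case the message describes).
BOGONS: List[ipaddress.IPv4Network] = [
    ipaddress.ip_network(p)
    for p in (
        "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
        "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
    )
]

# Constructed topology (assumption): "eth0" is the uplink; each other
# interface is the only router for exactly one subnet. Documentation
# ranges are used so the internal prefixes are not also bogons.
TOPOLOGY: Dict[str, List[str]] = {
    "eth0": [],
    "eth1": ["203.0.113.0/24"],
    "eth2": ["198.51.100.0/24"],
}
EXTERNAL_IFACE = "eth0"


def _internal_prefixes(topology: Dict[str, List[str]]) -> List[ipaddress.IPv4Network]:
    """Every subnet this router is responsible for, across all interfaces."""
    return [ipaddress.ip_network(p) for prefixes in topology.values() for p in prefixes]


def verdict(iface: str, src: str,
            topology: Dict[str, List[str]] = TOPOLOGY,
            external: str = EXTERNAL_IFACE) -> str:
    """Decide whether a packet with source 'src' arriving on 'iface' may be forwarded.

    Returns 'accept' or 'drop:<reason>'.
    """
    addr = ipaddress.ip_address(src)
    if iface not in topology:
        return "drop:unknown-interface"

    if iface == external:
        # Inbound from the provider: only obviously impossible sources can be
        # rejected. A real-looking foreign address cannot be verified here.
        if any(addr in net for net in BOGONS):
            return "drop:bogon-source-on-external"
        if any(addr in net for net in _internal_prefixes(topology)):
            return "drop:internal-source-on-external"
        return "accept"

    # Internal interface: the per-subnet rule from the message. With exactly
    # one route per subnet this is the same check strict uRPF would make.
    if any(addr in ipaddress.ip_network(p) for p in topology[iface]):
        return "accept"
    return "drop:source-not-in-interface-subnet"


def iptables_rules(topology: Dict[str, List[str]] = TOPOLOGY,
                   external: str = EXTERNAL_IFACE) -> List[str]:
    """Render the same policy as iptables FORWARD-chain rules (strings only).

    Order matters: the drops for the uplink come first, then for each
    internal interface an ACCEPT for its own subnet followed by a catch-all DROP.
    """
    rules: List[str] = []
    for net in BOGONS:
        rules.append(f"iptables -A FORWARD -i {external} -s {net} -j DROP")
    for net in _internal_prefixes(topology):
        rules.append(f"iptables -A FORWARD -i {external} -s {net} -j DROP")
    for iface, prefixes in topology.items():
        if iface == external:
            continue
        for p in prefixes:
            rules.append(f"iptables -A FORWARD -i {iface} -s {p} -j ACCEPT")
        rules.append(f"iptables -A FORWARD -i {iface} -j DROP")
    return rules


if __name__ == "__main__":
    # Constructed sample packets: (ingress interface, claimed source).
    samples = [
        ("eth0", "10.1.2.3"),        # private source from the provider
        ("eth0", "203.0.113.7"),     # our own subnet arriving from outside
        ("eth0", "192.0.2.44"),      # foreign address: cannot be checked
        ("eth1", "203.0.113.7"),     # legitimate host on its own subnet
        ("eth1", "198.51.100.9"),    # internal host spoofing the other subnet
    ]
    for iface, src in samples:
        print(f"{iface:5} {src:15} -> {verdict(iface, src)}")
    print("\n".join(iptables_rules()))
```

The accept on the uplink for an unknown public source is deliberate: as the message says, with a single route there is nothing to compare the address against, so the uplink rules can only reject what is provably impossible. The value of the policy is on the internal interfaces, where each subnet's router knows exactly which sources can legitimately leave through it.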
Current thread:
- Re: Automatic antispoofing rules on access servers. LOS Ralph (Sep 19)
- Re: Automatic antispoofing rules on access servers. Ben Galehouse (Sep 19)
- Re: Automatic antispoofing rules on access servers. Crist Clark (Sep 20)
- <Possible follow-ups>
- Re: Automatic antispoofing rules on access servers. Jeffrey Karpenko (Sep 20)
- Re: Automatic antispoofing rules on access servers. Leon Rosenstein (Sep 20)
- Re: Automatic antispoofing rules on access servers. Ben Galehouse (Sep 20)
- Re: Automatic antispoofing rules on access servers. Ben Galehouse (Sep 19)