IMPORTANT
SNS 3.x versions reached End of Maintenance on July 1st, 2024.
We recommend that you update your SNS firewalls to a version that is still maintained in order to guarantee the protection of your infrastructure.
Configuring IP anti-spoofing
Concept of IP anti-spoofing
IP spoofing consists of usurping a legitimate IP address in order to bypass the configured filter rules. For example, packets sent from an external network may appear to travel from one internal IP address to another. Without proper verification of the interfaces involved, the firewall interprets the request as legitimate traffic originating from the internal network and destined for the internal network. Malicious traffic can therefore be routed as if it were legitimate.
To prevent such attacks, anti-spoofing mechanisms are enabled by default. On each incoming interface, they verify whether the source IP address of each packet is legitimate. Legitimacy depends on the network topology, which is defined by:
- Network interfaces, for networks that are directly connected,
- The routing table, for remote networks.
INFORMATION
In addition to being essential for security, IP anti-spoofing is extremely effective in detecting network configuration errors, e.g., wrongly configured routing rules.
Anti-spoofing on network interfaces
SNS firewalls use the concept of "internal" interfaces to identify the interfaces protected by the anti-spoofing mechanism. The type of each interface is configured in Network > Interface > Interface configuration: a shield appears next to an interface when anti-spoofing is enabled on it. From then on, such an interface accepts only packets whose source address belongs to its switching network, and the other interfaces on the firewall reject incoming packets that carry such a source address. These anti-spoofing rules are applied before the network filter policy is evaluated.
INFORMATION
The list of IP addresses allowed to access an internal interface can be extended through anti-spoofing via the routing table, as described in chapter Anti-spoofing via the routing table.
R21 | Declare internal interfaces
To benefit from anti-spoofing mechanisms, one or several internal interfaces should be declared.
WARNING
Implicit filter rules allow appliances to be managed from internal interfaces. These rules must be disabled as explained in chapter Implicit rules.
Anti-spoofing via the routing table
Static routes inform the firewall about the network topology and implicitly feed the anti-spoofing mechanisms. Every route to a remote network reachable via an internal interface is added to the anti-spoofing tables, so packets whose source IP address was declared reachable through one interface are rejected if they arrive on another, even before the firewall's network filter policy evaluates them. Routes that use external interfaces are not protected because, in general, they are used to reply to appliances whose source IP addresses are not known in advance.
R22 | Define static routes for internal networks
Static routes must be defined for all known internal networks to which the firewall’s interfaces do not belong in order to benefit from anti-spoofing mechanisms. These routes are identified in Network > Routing > Static routing with a shield.
WARNING
Routes for all remote networks reachable via internal interfaces must be declared. Otherwise, the firewall will always reject their packets.
Anti-spoofing on a bridge
A bridge makes it possible to connect several physical interfaces on the same network. However, the firewall applies its anti-spoofing mechanisms independently on each interface on the bridge. Administrators do not need to apply any specific configuration for this anti-spoofing feature when the bridge is enabled.
When appliances are on the same switching network as the firewall, it keeps an updated host table containing each IP address encountered and the physical interface on which it was seen. If an address is detected on an interface other than the one recorded, an alarm is raised.
WARNING
The host table only contains entries for appliances that have already sent packets. Anti-spoofing on the bridge therefore does not protect hosts that are directly connected but have not yet sent any traffic.
For remote networks, routing rules specifying the physical interface used are necessary; anti-spoofing via the routing table, as explained in chapter Anti-spoofing via the routing table, then applies.
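The host table described above, as an added illustration written for this page (not SNS code): addresses on the switching network are bound to the physical bridge port where they first appeared, a later sighting on another port raises an alarm, and a host that has never transmitted has no entry, which is exactly the gap the warning points out. Port names and addresses are constructed.

```python
import ipaddress

class BridgeHostTable:
    """Constructed model of the per-bridge host table (illustration only,
    not Stormshield code): each address seen on the switching network is
    bound to the physical bridge port it first appeared on."""

    def __init__(self, ports, switching_network):
        self.ports = set(ports)                      # physical interfaces on the bridge
        self.network = ipaddress.ip_network(switching_network)
        self.table = {}                              # ip -> port first seen
        self.alarms = []                             # (ip, recorded port, offending port)

    def observe(self, src, port):
        """Update the table with a packet from src received on port."""
        src = ipaddress.ip_address(src)
        if port not in self.ports or src not in self.network:
            # Remote sources are handled by routing-table anti-spoofing, not here.
            return "ignored"
        known = self.table.get(src)
        if known is None:
            self.table[src] = port          # first sighting: learn, nothing to compare
            return "learned"
        if known != port:
            self.alarms.append((str(src), known, port))
            return "alarm"
        return "ok"

    def is_protected(self, ip):
        """A silent host (never seen) has no entry and is therefore not protected."""
        return ipaddress.ip_address(ip) in self.table
```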
Additional rules
The appliance's native anti-spoofing mechanisms cannot recognize every configuration. In particular, a number of address ranges defined in RFC 5735 are pre-configured on the appliance in a dedicated group. These ranges belong to private networks and should never be used on a public interface.
R23 | Fill in anti-spoofing rules
The anti-spoofing rules mentioned earlier should be supplemented as far as possible with filter rules deduced from the network topology. For example, the address ranges from the RFC 5735 group should be explicitly prohibited when they originate from the Internet.
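The decision logic of the three mechanisms covered on this page (internal interfaces, R21; static routes feeding the anti-spoofing tables, R22; and the explicit RFC 5735 filter rule, R23) as one added example written for this page, not Stormshield code or configuration syntax. Interface names, networks and routes are constructed; the RFC 5735 list is a subset.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the anti-spoofing decision described on this page
# (illustration only, not Stormshield code or configuration syntax).

@dataclass
class Interface:
    name: str
    network: str      # directly connected (switching) network
    internal: bool    # True = interface declared "internal" (shield shown)

@dataclass
class Route:
    network: str      # remote network
    interface: str    # interface through which it is reached

# Subset of the RFC 5735 special-use ranges grouped on the appliance (R23).
RFC5735_GROUP = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

class AntiSpoofing:
    def __init__(self, interfaces, routes):
        # Legitimate source prefixes per internal interface: its own network
        # (R21) plus every static route that exits through it (R22). Routes via
        # external interfaces are deliberately not added: they are unprotected.
        self.allowed = {i.name: [ipaddress.ip_network(i.network)]
                        for i in interfaces if i.internal}
        for r in routes:
            if r.interface in self.allowed:
                self.allowed[r.interface].append(ipaddress.ip_network(r.network))

    def check(self, src, ifname):
        """Return (verdict, reason) for a packet with source src arriving on
        ifname. Evaluated before the filter policy, as the page states."""
        src = ipaddress.ip_address(src)
        if ifname in self.allowed:
            # An internal interface accepts only sources it is known to reach.
            if any(src in n for n in self.allowed[ifname]):
                return ("accept", "source reachable via this internal interface")
            return ("reject", "source not known on this internal interface")
        # Every other interface rejects a source that belongs to an internal network.
        for name, nets in self.allowed.items():
            if any(src in n for n in nets):
                return ("reject", f"source belongs to internal interface {name}")
        # R23: explicit filter rule against RFC 5735 ranges coming from the Internet.
        if any(src in n for n in RFC5735_GROUP):
            return ("reject", "RFC 5735 special-use source on an external interface")
        return ("accept", "external source, not subject to anti-spoofing")
```

The last assertion in the usage below reproduces the R22 warning: an internal network reachable through an internal interface but lacking its static route is always rejected.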