Configuring IP address spoofing protection
Introduction to IP address spoofing protection
IP address spoofing consists of usurping a legitimate IP address in order to bypass the configured filter rules. It includes, for example, sending from an external network packets that appear to come from one internal IP address and to be destined for another. Without proper verification of the interfaces involved, the SNS firewall interprets the request as legitimate traffic from the internal network to the internal network. Malicious traffic can therefore be routed as if it were legitimate.
To prevent such attacks, anti-spoofing mechanisms are enabled by default. On each incoming interface, they verify whether the source IP address of each packet is legitimate. Legitimacy depends on the network topology defined by:
- Network interfaces, for networks that are directly connected,
- The routing table, for remote networks.
INFORMATION
In addition to being essential for security, anti-spoofing is extremely effective in detecting network configuration errors, e.g., wrongly configured routing rules.
IP address spoofing protection on network interfaces
SNS firewalls use the concept of "internal" interfaces to identify the interfaces on which the anti-spoofing mechanism operates. In Configuration > Network > Interfaces, the type of interface can be configured – a shield appears when anti-spoofing is enabled on an interface. From then on, such an interface accepts only packets whose source address belongs to the interface’s switching network, and every other interface on the SNS firewall rejects incoming packets carrying a source address from that network. These anti-spoofing rules are applied even before the network filter policy is evaluated.
INFORMATION
The routing table extends the list of protected networks: the IP addresses allowed to communicate via a protected interface can be declared by configuring routes as shown in the chapter Anti-spoofing via the routing table.
R21 | SNS-SMC | Declare internal interfaces
Only interfaces that provide access to a public network (Internet) or to an uncontrolled network need to be external. We recommend configuring all other interfaces as protected (internal) interfaces.
WARNING
By default, implicit filter rules allow SNS firewalls to be managed from internal interfaces. These rules must be disabled as explained in the chapter Implicit rules.
Anti-spoofing via the routing table
Routes inform the SNS firewall about the network topology and implicitly feed data to the anti-spoofing mechanisms. Any route to a remote network reachable via an internal interface is added to the anti-spoofing tables; as a result, packets whose source IP address was declared reachable that way are rejected if they arrive on another interface, even before the SNS firewall’s network filter policy evaluates them. Routes that use external interfaces are not protected because, in general, they are used to respond to appliances whose source IP addresses are not known in advance.
R22 | SNS | Define static routes for internal networks
Static routes must be defined for all known internal networks to which the SNS firewall’s interfaces do not belong, in order to benefit from the anti-spoofing mechanisms. These routes are identified with a shield in Configuration > Network > Routing, in the IPv4 static routes and IPv6 static routes tabs.
WARNING
IPv4 and IPv6 routes must be declared for all remote networks that can be reached via internal interfaces. Otherwise, the SNS firewall will always reject their packets.
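The following is an added illustrative model of the verification described in the two sections above (internal interfaces plus routes through them define where a source address may legitimately enter). It is written for this page and is not Stormshield code; the topology, interface names and addresses are constructed, and the exact lookup order used by SNS firewalls is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    internal: bool                                  # True = protected interface (shield icon)
    networks: list = field(default_factory=list)    # directly connected networks


@dataclass
class Route:
    destination: str    # remote network
    interface: str      # interface the route leaves through


def protected_networks(interfaces, routes):
    """Map each internal interface to the source networks for which it is the only
    legitimate entry point: its connected networks plus every route through it.
    Routes that leave through an external interface add nothing (not protected)."""
    prot = {}
    for itf in interfaces.values():
        if itf.internal:
            prot[itf.name] = [ipaddress.ip_network(n) for n in itf.networks]
    for r in routes:
        itf = interfaces[r.interface]
        if itf.internal:
            prot[itf.name].append(ipaddress.ip_network(r.destination))
    return prot


def check_source(interfaces, routes, in_iface, src_ip):
    """Anti-spoofing verdict for a packet with source src_ip arriving on in_iface,
    evaluated before any filter rule. Returns (accepted, reason)."""
    src = ipaddress.ip_address(src_ip)
    prot = protected_networks(interfaces, routes)
    owners = [name for name, nets in prot.items() if any(src in n for n in nets)]
    if interfaces[in_iface].internal:
        if in_iface in owners:
            return True, "source is on a network reached via this interface"
        if owners:
            return False, f"spoofed: source belongs behind {owners[0]}"
        return False, "source not declared behind this internal interface (declare a route)"
    if owners:
        return False, f"spoofed: source belongs behind {owners[0]}"
    return True, "external interface: unknown source is passed on to the filter policy"


# Constructed topology (not taken from the page).
IFACES = {
    "in0": Interface("in0", True, ["192.168.1.0/24"]),
    "dmz": Interface("dmz", True, ["10.0.0.0/24"]),
    "out": Interface("out", False, ["198.51.100.0/30"]),
    "out2": Interface("out2", False, ["203.0.113.0/30"]),
}
ROUTES = [
    Route("192.168.2.0/24", "in0"),   # remote internal network behind in0 (shielded route)
    Route("10.9.0.0/16", "out"),      # route via an external interface: not protected
]

if __name__ == "__main__":
    for iface, src in [("in0", "192.168.1.10"), ("out", "192.168.1.10"),
                       ("in0", "192.168.2.5"), ("dmz", "192.168.2.5"),
                       ("in0", "172.16.0.7"), ("out2", "10.9.1.1")]:
        ok, why = check_source(IFACES, ROUTES, iface, src)
        print(f"{iface:5} {src:15} {'ACCEPT' if ok else 'REJECT'}: {why}")
```

The case `("in0", "172.16.0.7")` is the situation the warning above describes: a remote network that really is behind an internal interface but has no route declared is rejected, which is why the check is also a quick way of spotting missing or wrong routes.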
Anti-spoofing on bridges
A bridge makes it possible to connect several physical interfaces to the same network. The SNS firewall nevertheless applies its anti-spoofing mechanisms independently on each interface of the bridge; administrators do not need to apply any specific configuration for this when the bridge is enabled.
When appliances are on the same switching network as the SNS firewall, it keeps an up-to-date host table containing each IP address encountered and the physical interface it was seen on. If an address is then detected on an interface other than the one recorded, an alarm is raised.
WARNING
The host table is populated only as the SNS firewall receives packets. Anti-spoofing on the bridge therefore does not protect directly connected hosts that have not yet sent any traffic.
For remote networks, routing rules that specify the physical interface used are necessary; anti-spoofing via the routing table, as explained in the chapter Anti-spoofing via the routing table, then applies.
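As an added example (not Stormshield code), the following models the bridge host table described above: the first physical interface on which an address is seen is recorded, and a later sighting on another interface raises an alarm. The packet trace, port names and addresses are constructed; the fourth packet illustrates the warning about hosts that have not yet sent traffic.

```python
from dataclasses import dataclass, field


@dataclass
class BridgeHostTable:
    """Per-bridge host table: IP address -> physical interface it was first seen on.
    A constructed model of the behaviour described on this page, not the SNS implementation."""
    hosts: dict = field(default_factory=dict)
    alarms: list = field(default_factory=list)

    def observe(self, src_ip, phys_iface):
        """Record one incoming packet and return 'learned', 'ok' or 'alarm'."""
        known = self.hosts.get(src_ip)
        if known is None:
            self.hosts[src_ip] = phys_iface          # entry exists only after a first packet
            return "learned"
        if known != phys_iface:
            self.alarms.append({"ip": src_ip, "expected": known, "seen": phys_iface})
            return "alarm"
        return "ok"


def replay(packets):
    """Feed a (source IP, physical interface) trace through a fresh table."""
    table = BridgeHostTable()
    verdicts = [table.observe(ip, itf) for ip, itf in packets]
    return verdicts, table


# Constructed trace on a bridge made of eth1, eth2 and eth3.
TRACE = [
    ("192.168.1.10", "eth1"),   # workstation first seen on eth1
    ("192.168.1.10", "eth1"),   # same host, same port: fine
    ("192.168.1.10", "eth3"),   # same address arriving from another port: alarm
    ("192.168.1.50", "eth3"),   # a printer cabled on eth2 that has never sent a packet:
                                # its address is simply learned on eth3, so no alarm
]

if __name__ == "__main__":
    verdicts, table = replay(TRACE)
    for (ip, itf), v in zip(TRACE, verdicts):
        print(f"{ip:15} on {itf}: {v}")
    print("alarms:", table.alarms)
```

The last packet is the gap the warning points at: until the printer itself sends traffic, nothing in the table contradicts a packet using its address from any port of the bridge.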
Additional rules
The SNS firewall’s native anti-spoofing mechanisms cannot recognize every configuration. In particular, a number of address ranges defined in RFC 5735 are pre-configured on the SNS firewall in a specific group. These ranges belong to private networks and should not be used on a public interface.
R23 | SNS | Provide details with IP address spoofing rules
The anti-spoofing rules mentioned earlier should be supplemented as much as possible by filter rules deduced from the network topology. For example, address ranges from the RFC 5735 group with a source on the Internet should be explicitly prohibited.
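As an added example of deducing such explicit rules from the topology (illustrative code written for this page, not Stormshield's rule engine or its pre-configured group), the block below builds block rules for every external interface covering the RFC 5735 ranges and the internal networks, then evaluates sample packets against them. The interface names and networks are constructed, and the range list is reproduced from memory of RFC 5735, so compare it with the group defined on the firewall.

```python
import ipaddress

# RFC 5735 special-use IPv4 ranges as recalled here (assumption: verify against the
# firewall's pre-configured group before relying on the list).
RFC5735_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def build_antispoof_rules(external_ifaces, internal_networks):
    """Deduce explicit filter rules from the topology: on every external interface,
    block packets whose source is in the RFC 5735 group or in an internal network.
    The native mechanism already rejects the internal sources; the explicit rule
    makes the policy reviewable and gives the rejection a logged rule to match."""
    rules = []
    for itf in external_ifaces:
        for net in RFC5735_RANGES:
            rules.append({"action": "block", "in": itf, "src": net, "why": "rfc5735"})
        for net in internal_networks:
            rules.append({"action": "block", "in": itf,
                          "src": ipaddress.ip_network(net), "why": "internal"})
    return rules


def evaluate(rules, in_iface, src_ip, default="pass"):
    """First-match evaluation of a packet against the generated rules."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule["in"] == in_iface and src in rule["src"]:
            return rule["action"], rule["why"]
    return default, "no explicit rule"


# Constructed topology: one external interface, one internal network outside RFC 5735.
RULES = build_antispoof_rules(["out"], ["172.32.5.0/24"])

if __name__ == "__main__":
    for iface, src in [("out", "10.1.2.3"), ("out", "172.32.5.9"),
                       ("out", "93.184.216.34"), ("in0", "10.1.2.3")]:
        print(iface, src, evaluate(RULES, iface, src))
```

Rules are generated per external interface only; the internal interfaces are left to the native mechanism and the normal filter policy, which matches the recommendation that these explicit rules complete anti-spoofing rather than replace it.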