Configuring IP anti-spoofing

Principle of IP anti-spoofing

IP spoofing consists of usurping a legitimate IP address in order to bypass the configured filter rules. For example, an attacker on an external network sends packets whose source address is an internal IP address and whose destination is another internal address. Without verification of the interface on which they arrive, the SNS firewall treats these packets as legitimate traffic from the internal network to the internal network, and the malicious traffic is routed like any legitimate traffic.

To prevent such attacks, IP anti-spoofing mechanisms are enabled by default. On each incoming interface they verify whether the source IP address of each packet is legitimate. Legitimacy depends on the network topology, which is defined by:

  • Network interfaces, for networks that are directly connected,

  • The routing table, for remote networks.

INFORMATION
In addition to being essential for security, IP anti-spoofing is extremely effective in detecting network configuration errors, e.g., wrongly configured routing rules.

IP anti-spoofing on network interfaces

SNS firewalls use the concept of "internal" interfaces to identify the interfaces protected by the IP anti-spoofing mechanism. The interface type is configured in Configuration > Network > Interfaces; a shield icon indicates that IP anti-spoofing is enabled on an interface. From then on, such an interface accepts only packets whose source address belongs to its directly connected network (its broadcast domain). Conversely, all other interfaces on the SNS firewall reject incoming packets whose source address belongs to a protected interface's network. These IP anti-spoofing rules are applied before the filter policy is evaluated.

INFORMATION
The list of protected networks is completed from the routing table: remote networks that are reachable through a protected interface are declared with static routes, as explained in the chapter IP anti-spoofing via the routing table.

R21 | SNS-SMC | Declare internal interfaces
Only interfaces that provide access to a public (Internet) or uncontrolled network should be declared external. All other interfaces must be configured as protected (internal).

WARNING
By default, implicit filter rules allow SNS firewalls to be managed from internal interfaces. These rules must be disabled as explained in the chapter Implicit rules.

IP anti-spoofing via the routing table

Static routes inform the SNS firewall about the network topology and implicitly feed the IP anti-spoofing mechanisms. Every route to a remote network reachable via an internal interface is added to the IP anti-spoofing tables. If packets whose source IP address belongs to such a declared network are received on any other interface, they are rejected before the SNS firewall's filter policy evaluates them. Routes via external interfaces are not protected, because they generally carry replies to appliances whose source IP addresses cannot be known in advance.

R22 | SNS | Define static routes for internal networks
Static routes must be defined for all known internal networks to which the SNS firewall's interfaces do not belong, in order to benefit from the IP anti-spoofing mechanisms. These routes are identified by a shield in the Configuration > Network > Routing menu, IPv4 static routes and IPv6 static routes tabs.

WARNING
IPv4 and IPv6 routes must be declared for all remote networks reachable via internal interfaces. Otherwise the SNS firewall will systematically reject packets from these networks, since their source addresses cannot be matched to the protected interface on which they arrive.
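The two mechanisms above (the directly connected network of each protected interface, plus the static routes that pass through a protected interface) amount to a reverse-path table consulted before the filter policy. The following Python model is an added example written for this page; it is not Stormshield code and does not reproduce the SNS implementation. Interface names, address ranges (RFC 5737 and RFC 3849 documentation ranges) and the sample packets are constructed for illustration. It reproduces the three outcomes the text describes: a source address that belongs to a protected network is accepted only on the interface that owns it, an unknown source on a protected interface is dropped (the undeclared-route case of the WARNING), and an unknown source on an external interface is handed to the filter policy.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str
    networks: tuple    # directly connected networks, IPv4 and/or IPv6, as strings
    protected: bool    # True = declared "internal" (shield shown in the GUI)


@dataclass(frozen=True)
class Route:
    network: str       # remote network, as a string
    via: str           # name of the outgoing interface


class AntiSpoofTable:
    """Reverse-path table derived from interfaces and static routes (model, not SNS code)."""

    def __init__(self, interfaces, routes):
        self.interfaces = {i.name: i for i in interfaces}
        # expected[network] = the only interface on which a packet sourced from
        # that network may legitimately arrive.
        self.expected = {}
        for itf in interfaces:
            if itf.protected:
                for net in itf.networks:
                    self.expected[ipaddress.ip_network(net)] = itf.name
        for route in routes:
            # Routes via external interfaces are not added: replies from
            # arbitrary public addresses arrive there and cannot be known in advance.
            if self.interfaces[route.via].protected:
                self.expected[ipaddress.ip_network(route.network)] = route.via

    def owner_of(self, src_ip):
        """Longest-prefix match: (network, interface) that owns src_ip, or None."""
        best = None
        for net, itf in self.expected.items():
            if net.version == src_ip.version and src_ip in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, itf)
        return best

    def check(self, src, ingress):
        """Return (accepted, reason) for a packet with source src received on ingress."""
        src_ip = ipaddress.ip_address(src)
        owner = self.owner_of(src_ip)
        if owner is not None:
            net, itf = owner
            if itf == ingress:
                return True, f"{src} expected on {ingress} ({net})"
            # Protected source address arriving on the wrong interface, whether
            # that interface is internal or external: dropped before the filter policy.
            return False, f"spoofed: {src} belongs to {net} behind {itf}, received on {ingress}"
        if self.interfaces[ingress].protected:
            # No connected network and no static route explains this source on a
            # protected interface: the case the WARNING on undeclared routes describes.
            return False, f"{src} is not reachable via protected interface {ingress} (missing route?)"
        # An unknown source on an external interface is left to the filter policy.
        return True, f"{src} unknown, accepted on external interface {ingress}"


# Constructed sample topology: "out" faces the Internet, "in" and "dmz" are
# internal, and the site behind a LAN router, 10.20.0.0/16, is only declared
# through a static route via "in".
TABLE = AntiSpoofTable(
    interfaces=[
        Interface("out", ("203.0.113.0/24",), protected=False),
        Interface("in", ("192.168.1.0/24", "2001:db8:1::/64"), protected=True),
        Interface("dmz", ("192.168.10.0/24",), protected=True),
    ],
    routes=[Route("10.20.0.0/16", via="in")],
)

SAMPLE_PACKETS = [
    ("192.168.1.50", "in"),     # LAN host on its own interface
    ("192.168.1.50", "out"),    # same address from the Internet: spoof
    ("10.20.3.7", "in"),        # remote site, declared by static route
    ("10.20.3.7", "dmz"),       # remote site address on the wrong internal interface
    ("10.30.0.1", "in"),        # remote site with no route: always rejected
    ("198.51.100.9", "out"),    # ordinary Internet source
    ("2001:db8:1::10", "out"),  # IPv6 LAN prefix from the Internet: spoof
]


def run_samples(table=TABLE, packets=SAMPLE_PACKETS):
    """Evaluate the sample packets; returns {(src, ingress): accepted}."""
    results = {}
    for src, ingress in packets:
        accepted, reason = table.check(src, ingress)
        results[(src, ingress)] = accepted
        print("ACCEPT" if accepted else "DROP  ", reason)
    return results


if __name__ == "__main__":
    run_samples()
```

Note the last branch of check(): a source address that belongs to no protected network is accepted on the external interface, which is why the special-use ranges discussed under Additional rules (R23) have to be blocked by explicit filter rules rather than by the anti-spoofing mechanism itself.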

IP anti-spoofing on a bridge

A bridge connects several physical interfaces to the same network. The SNS firewall nevertheless applies its IP anti-spoofing mechanisms independently on each member interface of the bridge, and no specific configuration is needed from the administrator for this feature when the bridge is enabled.

For appliances on the same directly connected network as the SNS firewall, the firewall keeps an up-to-date host table that records each IP address encountered together with the physical interface on which it was seen. If an address is later detected on an interface other than the one recorded, an alarm is raised.

WARNING
The host table is only populated as the SNS firewall receives packets. IP anti-spoofing on a bridge therefore does not protect hosts that are directly connected but have not yet sent any traffic.
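The host table described above is a learned mapping, not a configured one, and the WARNING follows directly from that. The Python model below is an added example for this page, not Stormshield code: the bridge member names and addresses are constructed, and the table is assumed to be filled by the first packet seen from each address, as the text states, with a later sighting on another member raising an alarm. The constructed scenario shows the normal alarm and then the failure mode of the WARNING: an address spoofed before its real owner has transmitted is learned on the attacker's interface, and it is the legitimate host that triggers the alarm afterwards.

```python
import ipaddress


class BridgeHostTable:
    """Host table of one bridge: IP address -> physical member interface,
    learned from the first packet seen from each address (model, not SNS code)."""

    def __init__(self, members):
        self.members = frozenset(members)
        self.hosts = {}      # ipaddress object -> member interface it was learned on
        self.alarms = []     # (address, learned_on, seen_on)

    def packet(self, src, ingress):
        """Process one incoming packet; returns "learned", "ok" or "alarm"."""
        if ingress not in self.members:
            raise ValueError(f"{ingress} is not a member of this bridge")
        ip = ipaddress.ip_address(src)
        learned_on = self.hosts.get(ip)
        if learned_on is None:
            # First packet from this address: whoever sends it first owns the entry.
            self.hosts[ip] = ingress
            return "learned"
        if learned_on == ingress:
            return "ok"
        # Same address now seen on another member interface: raise the alarm.
        self.alarms.append((str(ip), learned_on, ingress))
        return "alarm"


def scenario():
    """Constructed sequence on a bridge with members in1 (servers) and in2 (user LAN)."""
    table = BridgeHostTable(["in1", "in2"])
    events = [
        ("192.168.1.10", "in1"),   # server transmits first: entry learned on in1
        ("192.168.1.10", "in1"),   # normal traffic from the same interface
        ("192.168.1.10", "in2"),   # a host on in2 spoofs the server: alarm
        ("192.168.1.20", "in2"),   # spoof of a server that has never transmitted: learned, no alarm
        ("192.168.1.20", "in1"),   # the real server finally speaks: alarm raised against it
    ]
    verdicts = [table.packet(src, itf) for src, itf in events]
    return verdicts, table.alarms


if __name__ == "__main__":
    verdicts, alarms = scenario()
    for verdict in verdicts:
        print(verdict)
    for address, learned_on, seen_on in alarms:
        print(f"ALARM {address} learned on {learned_on}, seen on {seen_on}")
```

The fourth and fifth events are the practical consequence of the WARNING: on a bridge, silent hosts (a server that only answers, a device that is powered off) are exactly the addresses an attacker can claim first, so the host table is a detection aid rather than a substitute for the static routes and explicit filter rules of the other chapters.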

For remote networks, static routes that specify the physical member interface used are still required; the mechanism described in the chapter IP anti-spoofing via the routing table then applies.

Additional rules

Some configurations cannot be recognized by the SNS firewall's native IP anti-spoofing mechanisms. In particular, a number of the special-use address ranges defined in RFC 5735 (private networks, loopback, link-local, etc.) are pre-configured on the SNS firewall in a specific group. These ranges are reserved for private or special use and must never appear as source addresses on a public interface.

R23 | SNS | Complete IP anti-spoofing rules
The IP anti-spoofing rules described above should be complemented as far as possible with filter rules deduced from the network topology. For example, traffic originating from the Internet with a source address in the RFC 5735 group should be explicitly prohibited.