Incoming filter policy in an IPsec VPN

A network attacker can send traffic to the SNS firewall by spoofing a legitimate peer’s red address. These unencapsulated messages must be identified and rejected. Traffic can be blocked with a filter rule that allows plaintext traffic only if it originates from an IPsec VPN tunnel. If the tunnel has not been set up, it will be systematically blocked.

When editing a filter rule, the IPsec VPN tunnel value must be entered in the Source > Advanced properties > Via field.

On an SNS firewall, this is configured in Configuration > Security policy > Filtering and NAT > Filtering.

On an SMC server, this is configured in Configuration > Firewalls and folders > Filter rules.

R42 | SNS-SMC | Confirm the source of incoming traffic
For a source that should only be reachable through a VPN tunnel, specify that tunnel as the origin of the traffic in the rule, so that plaintext traffic arriving with the same source address is filtered.

In addition, the security policies of each IPsec VPN tunnel ensure that only the traffic they define as legitimate passes through the tunnel.

IP anti-spoofing on IPsec VPN tunnels

An SNS firewall treats IPsec VPN tunnel endpoints as an interface. As such, the status of an internal interface, explained in chapter IP anti-spoofing on network interfaces, also applies to them. In Configuration > Application protection > Inspection profiles, the Treat IPsec interfaces as internal interfaces (except virtual IPsec interfaces) option can be enabled. It applies to all tunnels: the remote networks behind each tunnel must then be explicitly legitimized. When this option is used together with route definitions and filter rules, the security of the network is increased.

R43 | SNS-SMC | Declare internal VPN interfaces
The VPN interfaces considered "internal" should be declared as such to benefit from the mechanisms that prevent IP addresses from being spoofed.
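The following example, added here and not code from Stormshield or from this guide, models the decision logic behind R42 and R43 in a few lines of Python so the two mechanisms can be compared. The topology is constructed: a red network 10.20.0.0/16 behind a hypothetical tunnel interface named "ipsec_siteB", a LAN 192.168.10.0/24 on interface "in", and an Internet-facing interface "out". The `via` attribute plays the role of the Via field of a filter rule (R42); the `INTERNAL_NETWORKS` map plays the role of declaring tunnel interfaces as internal (R43). It is a simplified model, not the firewall's actual engine.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str          # claimed source address
    in_iface: str     # interface the packet was received on ("out" = Internet-facing)
    decrypted: bool   # True if it came out of an IPsec tunnel (ESP on the wire)

@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    src_net: object             # ip_network the source must belong to
    via: Optional[str] = None   # R42: required ingress IPsec interface, None = any

# Constructed topology: the red network of site B is reachable only through
# the hypothetical tunnel interface "ipsec_siteB".
INTERNAL_NETWORKS = {
    "in": (ip_network("192.168.10.0/24"),),
    "ipsec_siteB": (ip_network("10.20.0.0/16"),),   # R43: tunnel declared internal
}

# Constructed filter policy: site B traffic is allowed only if it arrived
# through the tunnel; everything else is blocked by the final rule.
RULES = (
    Rule("pass", ip_network("10.20.0.0/16"), via="ipsec_siteB"),
    Rule("block", ip_network("0.0.0.0/0")),
)

def rule_matches(rule, pkt):
    """R42: a rule with a Via value only matches decrypted traffic from that tunnel."""
    if ip_address(pkt.src) not in rule.src_net:
        return False
    if rule.via is None:
        return True
    return pkt.decrypted and pkt.in_iface == rule.via

def spoofed(pkt, internal):
    """R43 (simplified): a source belonging to a declared internal network must
    arrive on the interface that owns it, and an internal interface must only
    receive sources from its own networks."""
    src = ip_address(pkt.src)
    owners = [iface for iface, nets in internal.items() if any(src in n for n in nets)]
    if owners:
        return pkt.in_iface not in owners
    return pkt.in_iface in internal

def evaluate(pkt, treat_ipsec_as_internal=True):
    """Return (action, reason) for a packet under the constructed policy."""
    if treat_ipsec_as_internal:
        internal = INTERNAL_NETWORKS
    else:
        # option disabled: only physical interfaces keep the internal status
        internal = {k: v for k, v in INTERNAL_NETWORKS.items() if not k.startswith("ipsec_")}
    if spoofed(pkt, internal):
        return ("block", "anti-spoofing")
    for index, rule in enumerate(RULES, start=1):
        if rule_matches(rule, pkt):
            return (rule.action, f"filter rule {index}")
    return ("block", "implicit")

if __name__ == "__main__":
    samples = [
        Packet("10.20.0.5", "ipsec_siteB", True),   # legitimate, came out of the tunnel
        Packet("10.20.0.5", "out", False),          # same source, plaintext on the WAN
        Packet("192.168.10.7", "ipsec_siteB", True),  # LAN address injected via the peer
        Packet("198.51.100.9", "out", False),       # ordinary unsolicited WAN traffic
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(pkt), "| R43 off:", evaluate(pkt, False))
```

Running the sample shows the two layers: with the tunnel declared internal, the plaintext packet claiming 10.20.0.5 on "out" is dropped by anti-spoofing before the filter policy is consulted; with that option off, the same packet still fails the Via condition of rule 1 and falls through to the blocking rule, which is what R42 guarantees on its own.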