Incoming filter policy in IPsec VPN tunnels

An attacker on the network can send traffic to the SNS firewall while spoofing the red (protected-network) address of a legitimate peer. Such unencapsulated packets must be identified and rejected. This is achieved with a filter rule that accepts the peer network's traffic only when it arrives from an IPsec VPN tunnel, i.e. after decapsulation: a plaintext packet carrying the same source address does not match the rule, and the traffic is systematically blocked whenever the tunnel has not been set up.

When editing a filter rule, select the IPsec VPN tunnel value in the Source > Advanced properties > Via field.

On an SNS firewall, this feature can be configured in Configuration > Security policy > Filter - NAT > Filtering.

On an SMC server, this feature can be configured in Configuration > Firewalls and folders > Filter rules.

R42 | SNS-SMC | Confirm the source of incoming traffic
For any source that is reachable only through a VPN tunnel, state in the rule that its traffic must arrive via an IPsec VPN tunnel, so that plaintext traffic carrying the same source address is filtered.

In addition, the security policy (traffic selectors) of each IPsec VPN tunnel ensures that only the traffic it deems legitimate passes through that tunnel.

IP address spoofing protection on IPsec VPN tunnels

SNS firewalls treat IPsec VPN tunnel endpoints as interfaces. The "internal" interface status, explained in the chapter IP address spoofing protection on network interfaces, can therefore be applied to them as well. It is enabled in Configuration > Application protection > Inspection profiles with the option Treat IPsec interfaces (except virtual IPsec interfaces) as internal interfaces. Applies to all tunnels - remote networks will need to be explicitly legitimized. As the option label states, it applies to every tunnel, and the remote networks of each tunnel must then be explicitly legitimized (declared through routes), otherwise their traffic is rejected as spoofed. This option increases the network's security when it is associated with appropriately defined routes and filter rules.

R43 | SNS-SMC | Declare the internal VPN interface
VPN interfaces that are considered "internal" should be declared as such to benefit from the anti-spoofing mechanisms.
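The following model shows how R42 (the Via = IPsec VPN tunnel condition) and R43 (IPsec interfaces treated as internal) complement each other. It is an added example written for this page, not Stormshield code: the interface names ("in", "out", "ipsec"), the red networks, the packets and the verdict strings are all constructed assumptions, and the anti-spoofing check is simplified to "the source must be routed through the receiving interface".

```python
# Added example: a small model of the two controls in this chapter.
# NOT Stormshield code. Interface names ("in", "out", "ipsec"), networks,
# packets and verdict strings are assumptions made for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str  # receiving interface; "ipsec" = decapsulated from a tunnel

    @property
    def via_ipsec(self) -> bool:
        return self.iface == "ipsec"


@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    src_net: str  # "any" or a CIDR
    dst_net: str
    via: Optional[str] = None  # "ipsec" models Source > Advanced properties > Via

    @staticmethod
    def _in(addr: str, net: str) -> bool:
        return net == "any" or ip_address(addr) in ip_network(net)

    def matches(self, p: Packet) -> bool:
        if self.via == "ipsec" and not p.via_ipsec:
            return False  # a plaintext copy of a tunnel address never matches
        return self._in(p.src, self.src_net) and self._in(p.dst, self.dst_net)


@dataclass
class Firewall:
    routes: dict   # interface -> networks routed behind it ("ipsec": remote networks)
    internal: set  # interfaces flagged as internal (anti-spoofing enforced)
    rules: list
    ipsec_as_internal: bool = False  # the Inspection profiles option (R43)

    def _is_internal(self, iface: str) -> bool:
        return self.ipsec_as_internal if iface == "ipsec" else iface in self.internal

    def antispoof_ok(self, p: Packet) -> bool:
        if not self._is_internal(p.iface):
            return True
        # On an internal interface the source must be routed through that interface.
        return any(ip_address(p.src) in ip_network(n) for n in self.routes.get(p.iface, []))

    def evaluate(self, p: Packet) -> str:
        if not self.antispoof_ok(p):
            return "block:antispoof"
        for r in self.rules:
            if r.matches(p):
                return r.action
        return "block:default"  # implicit deny when no rule matches


LOCAL, REMOTE = "10.1.0.0/24", "10.2.0.0/24"  # constructed red networks of site A and peer B
ROUTES = {"in": [LOCAL], "ipsec": [REMOTE]}   # nothing red is routed behind "out"


def weak_policy() -> Firewall:
    """Rule on the source address only: a spoofed plaintext packet is indistinguishable."""
    return Firewall(ROUTES, {"in"}, [Rule("pass", REMOTE, LOCAL)])


def r42_policy(ipsec_as_internal: bool = False) -> Firewall:
    """R42: the same rule, restricted to traffic that left an IPsec tunnel."""
    return Firewall(ROUTES, {"in"}, [Rule("pass", REMOTE, LOCAL, via="ipsec")], ipsec_as_internal)


def permissive_tunnel_policy(ipsec_as_internal: bool) -> Firewall:
    """Broad 'pass from any via IPsec' rule: only R43 anti-spoofing bounds the source."""
    return Firewall(ROUTES, {"in"}, [Rule("pass", "any", LOCAL, via="ipsec")], ipsec_as_internal)


SPOOFED = Packet("10.2.0.5", "10.1.0.10", "out")      # plaintext, forged peer address, from the WAN
TUNNELED = Packet("10.2.0.5", "10.1.0.10", "ipsec")   # genuine traffic decapsulated from the tunnel
ROGUE_PEER = Packet("10.9.0.7", "10.1.0.10", "ipsec") # tunnel traffic with an undeclared source
INSIDE_SPOOF = Packet("10.2.0.5", "10.1.0.10", "in")  # peer address forged on the LAN side


def verdicts() -> dict:
    return {
        "weak/spoofed": weak_policy().evaluate(SPOOFED),                              # pass (the flaw)
        "r42/spoofed": r42_policy().evaluate(SPOOFED),                                # block:default
        "r42/tunneled": r42_policy().evaluate(TUNNELED),                              # pass
        "r42/inside_spoof": r42_policy().evaluate(INSIDE_SPOOF),                      # block:antispoof
        "broad/rogue_peer": permissive_tunnel_policy(False).evaluate(ROGUE_PEER),     # pass
        "broad+r43/rogue_peer": permissive_tunnel_policy(True).evaluate(ROGUE_PEER),  # block:antispoof
    }


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:22} -> {verdict}")
```

The first verdict is the weakness R42 addresses: with a source-address-only rule the forged plaintext packet passes. The Via condition closes it without touching genuine tunnel traffic, while anti-spoofing on the physical internal interface already rejects the same forged address on the LAN side. The last two verdicts show why R43 matters even with R42 applied: a rule that trusts anything leaving the tunnel accepts an undeclared source until the IPsec interface is treated as internal and the remote networks are explicitly legitimized.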