Solved

ip spoofing

Posted on 2014-09-10
3
266 Views
Last Modified: 2014-09-12
I have seen what should be default rules for firewalls described as
deny any address from your internal network
deny any local host addresses ( example 127.0.0.1 )
deny any reserved private addresses
deny any addresses in the IP multicast address range
then i also saw this advise
"have separate inbound and outbound ACL's to ensure that the data that's leaving the network comes from a different source than data that's coming into the network"
so I think i get the last one, I thought that would be a way to prevent IP spoofing. because if someone is spoofing, the data they are sending will actually be coming from the outside. Does that sound right?
I really can't picture the purpose of the other rules though. for instance, why would i want to " deny any address from your internal network" wouldn't that mean that if one of my interior network addresses is 192.168.0.2, and if the firewall denies data from that address ( the internal network ) then that client couldn't, for example, send requests to web servers to look at web pages. that person would click on a link, and that request is denied on the firewall? is that what that means?
basically if someone has some good visuals of what is happening with these firewall rules, i would really appreciate it.
0
Comment
Question by:JeffBeall
3 Comments
 
LVL 32

Accepted Solution

by:
harbor235 earned 250 total points
ID: 40316947
""have separate inbound and outbound ACL's to ensure that the data that's leaving the network comes from a different source than data that's coming into the network""

Right, you want to add a outbound filter that allows traffic sourced from your internal networks, this guarantees no-one is spoofing traffic from your internal networks,  , if everyone implemented outbound filters then the traffic originating from their networks would be o0nly legitimate traffic from their IP blocks only.

"deny any address from your internal network"


harbor235 ;}
This is for the inbound filter and its for traffic sourced from your internal nets, this means you should never receive traffic from the outside sourced from your internal nets, you see? you nets are on the inside how can they be outside?
0
 
LVL 28

Assisted Solution

by:mikebernhardt
mikebernhardt earned 250 total points
ID: 40317445
"have separate inbound and outbound ACL's to ensure that the data that's leaving the network comes from a different source than data that's coming into the network" means:
Create an inbound list which denies traffic sourced from your own public addresses, and an outbound list which ONLY allows traffic from your own public addresses. Does that make sense? Then no one can send you data with your source address, and no one on your network can spoof someone else's addressing (good internet citizen).

Your policies should also deny PRIVATE addresses from coming in. And unless you are doing NAT on the outside of the firewall, it should also deny private addresses from going out.
0
 
LVL 1

Author Closing Comment

by:JeffBeall
ID: 40320158
thank you.
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This subject  of securing wireless devices conjures up visions of your PC or mobile phone connecting to the Internet through some hotspot at Starbucks. But it is so much more than that. Let’s look at the facts: devices#sthash.eoFY7dic.
Using in-flight Wi-Fi when you travel? Business travelers beware! In-flight Wi-Fi networks could rip the door right off your digital privacy portal. That’s no joke either, as it might also provide a convenient entrance for bad threat actors.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question