- May 2, 2005
Spoofing refers to an attacker forging the source address of a packet to make it look as though it comes from a higher security network. Because the rule base looks at IP addresses, among other things, if someone could spoof the source address of a connection, it could be used to allow a connection that would otherwise not be allowed.
Check Point implements anti-spoofing measures by checking the source address of every packet against a predefined view of the network layout (called the topology). Figure 3.7 shows a case in which spoofing is happening. The BadGuy host is attempting to send a packet to Host2 that looks as though it is from Host1. Because the packet is being received on interface 1, but the source address belongs to a network on interface 2, it is being spoofed.
Figure 3.7 A network in which spoofing is happening.
To properly protect yourself against IP spoofing, you must define the topology of your network within each gateway’s topology property. Figure 3.8 shows the topology properties of a sample enforcement point.
Figure 3.8 General topology properties of a gateway.
Each interface and its corresponding IP address is listed in the topology. The name of the interface must be the same as it is in the underlying OS. Using the Get button, you can populate these entries automatically through SVN Foundation. When clicking Get, you have the option of simply pulling down the interface name and network information, or also calculating the per-interface topology, which is shown in Figure 3.9.
Figure 3.9 Detailed topology configuration of an interface.
To properly implement anti-spoofing, the enforcement point must know all the possible addresses that can come from a particular interface. There are three options, not including "undefined":
Internal, defined by interface IP and netmask
Internal, defined by a specific network object
Internal topologies are used for your internal network, in which you understand all the networks. If there are no networks beyond the locally connected interface, you can choose to use the interface’s IP and netmask to define the topology (such as a stub network). If there are networks beyond the interface, such as those connected by a router or another firewall, then you should create a group object containing all the network objects, and choose the Specific option, selecting your group object.
An external interface includes all the networks that are not covered by the internal interfaces. Put another way, a network is valid on an external interface if it is not defined as part of an internal interface. Figure 3.10shows a sample network that uses the three types.
Figure 3.10 A network making use of the three types of topology settings.
The interface on 192.168.1.0/24 has no networks attached, so it can be defined by using the configured IP and netmask. Only packets with a source IP in that network will be accepted on that interface. The adjacent interface has 192.168.2.0/24 connected locally, but also 192.168.3.0/24 on a locally attached router. Thus, a group object will have to be created with the two network objects inside of it. The remaining interface, connected to the Internet, is an external interface, so the networks on it are irrelevant. Anything except for 192.168.1.0/24, 192.168.2.0/24, and 192.168.3.0/24 will be considered valid.
There are two more rules that might come in handy:
The same network can appear on multiple internal interfaces.
You can have multiple interfaces defined as external.
In the first case, it is possible for a network to be valid on multiple internal interfaces, such as having multiple paths to the same destination. However, it cannot appear to be coming from any external interfaces (by definition of an external interface). In the second case, the same behavior of calculating external topology applies to all externally defined interfaces—that is, any network not included on any of the internal interfaces is valid on all external interfaces.