IP source routing on Checkpoint

Hi Guys,

Recently I had the chance to work on hardening of firewalls.

And we have advised to disable source routing (Forbid IP source-route) on the firewall devices.

A few lines about source nat.
------------------------------------------------------------------
"Source routing is a technique whereby the sender of a packet can specify the route that a packet should take through the network. As a packet travels through the network, each router will examine the destination IP address and choose the next hop to forward the packet to. In source routing, the "source" (i.e., the sender) makes some or all of these decisions.


Reason for disabling: Attackers can use source routing to probe the network by forcing packets into specific parts of the network. Using source routing, an attacker can collect information about a network's topology, or other information that could be useful in performing an attack. During an attack, an attacker could use source routing to direct packets to bypass existing security restrictions.
-----------------------------------------------------------------------

We have a command on Cisco devices to disable the ip source nat by giving the command "no ip source-route".

Could anyone recommend whether we have any specific settings available? As per my understanding, this setting is not applicable to Check Point firewalls.

 

Regards,

Vengatesh SR


Accepted Solutions
Re: IP source routing on Checkpoint

Hello,

Good question!

As the Advanced Routing guides can demonstrate, Check Point uses traditional routing based on the packets' destination and there is no mention of source routing or path addressing as it is also known.

The closest feature to source routing on Check Point is policy-based routing since it would allow you to create routing tables based on the source IP address and subnet mask. For more information please see sk100500.

Provided you are not using policy-based routing already, I would say there is nothing to worry about.

I hope this helps.

Re: IP source routing on Checkpoint

According to disable-source-routing, it looks like it is disabled on Gaia:

[Expert@FW1-1:0]# sysctl net.ipv4.conf.all.accept_source_route
net.ipv4.conf.all.accept_source_route = 0

Per sk62082, "Check Point Security Gateway will drop any TCP/UDP packet with IP options." which includes Source Routing.

Per sk39374, IPv6 extension headers (including Routing Headers) are disabled by default.

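The answer above checks only net.ipv4.conf.all.accept_source_route. As an added example (not from this thread or from Check Point), the script below audits every accept_source_route key in sysctl output, per-interface and IPv6 included, so it can be dropped into a hardening check on any Linux-based host such as the Gaia expert shell. The sample sysctl lines are constructed for demonstration; the function and key names are the script's own.

```shell
#!/bin/sh
# Added example: flag any accept_source_route sysctl that still accepts
# source-routed packets. Reads "key = value" lines on stdin so it works
# against live `sysctl -a` output or a saved copy from a gateway.
#
# Exit status: 0 = every key is 0/-1 (disabled), 1 = at least one key
# is positive (accepting), 2 = no accept_source_route key found at all.
# Caveat: on IPv6 a value of 0 still permits type-2 routing headers
# (Mobile IPv6); this script only flags explicitly positive values.
audit_source_route() {
    awk '
        /accept_source_route/ {
            seen++
            key = $1; val = $3
            if (val + 0 > 0) { print "ENABLED: " key " = " val; bad++ }
        }
        END {
            if (seen == 0) exit 2
            if (bad > 0) exit 1
            exit 0
        }'
}

# Live check on the host itself (requires sysctl in PATH).
live_check() {
    sysctl -a 2>/dev/null | audit_source_route
}

# Constructed samples (not captured from a real gateway).
SAMPLE_HARDENED='net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = -1
net.ipv4.ip_forward = 1'

SAMPLE_WEAK='net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.eth1.accept_source_route = 1
net.ipv6.conf.eth1.accept_source_route = 1'

check_sample_hardened() { printf '%s\n' "$SAMPLE_HARDENED" | audit_source_route; }
check_sample_weak()     { printf '%s\n' "$SAMPLE_WEAK" | audit_source_route; }
check_empty()           { printf '' | audit_source_route; }
```

Run `live_check; echo "rc=$?"` on the host to audit it; any line printed names the interface that still accepts source-routed packets.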
