Vengatesh_SR
Contributor

IP source routing on Checkpoint

Hi Guys,

Recently I had the chance to work on hardening of firewalls.

And we have advised disabling source routing (Forbid IP source-route) on the firewall devices.

A few lines about source routing.
------------------------------------------------------------------
"Source routing is a technique whereby the sender of a packet can specify the route that a packet should take through the network. As a packet travels through the network, each router will examine the destination IP address and choose the next hop to forward the packet to. In source routing, the "source" (i.e., the sender) makes some or all of these decisions.


Reason for disabling: Attackers can use source routing to probe the network by forcing packets into specific parts of the network. Using source routing, an attacker can collect information about a network's topology, or other information that could be useful in performing an attack. During an attack, an attacker could use source routing to direct packets to bypass existing security restrictions."
-----------------------------------------------------------------------

We have a command on Cisco devices to disable IP source routing: "no ip source-route".

Could anyone recommend whether we have any specific setting available? As per my understanding this setting is not applicable to Check Point firewalls.


Regards,

Vengatesh SR


0 Kudos
2 Solutions

Accepted Solutions
Nick_Doropoulos
Advisor

Hello,

Good question!

As the Advanced Routing guides can demonstrate, Check Point uses traditional routing based on the packets' destination, and there is no mention of source routing (or path addressing, as it is also known).

The closest feature to source routing on Check Point is policy-based routing since it would allow you to create routing tables based on the source IP address and subnet mask. For more information please see sk100500.

Provided you are not using policy-based routing already, I would say there is nothing to worry about.

I hope this helps.


0 Kudos
Matthias_Haas
Advisor

According to disable-source-routing, it looks like it is disabled on GAIA:

[Expert@FW1-1:0]# sysctl net.ipv4.conf.all.accept_source_route
net.ipv4.conf.all.accept_source_route = 0


Per sk62082, "Check Point Security Gateway will drop any TCP/UDP packet with IP options," which includes source routing.

Per sk39374, IPv6 extension headers (including Routing Headers) are disabled by default.

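To make the sk62082 statement above concrete on the wire, here is an added Python example (not from this thread, and not Check Point code): it walks the IPv4 options area of a constructed header, recognises the RFC 791 loose/strict source route options (types 131 and 137) and lists their hops, and models the quoted rule that any TCP/UDP packet carrying IP options is dropped. The packet builder, the hop addresses and the treatment of non-TCP/UDP packets as "accept" are assumptions of this model, not behaviour documented on the page.

```python
IPOPT_EOL, IPOPT_NOP = 0, 1               # RFC 791 single-byte options
IPOPT_LSRR, IPOPT_SSRR = 131, 137         # loose / strict source route
IPPROTO_TCP, IPPROTO_UDP = 6, 17

def parse_ip_options(pkt: bytes):
    """Walk the IPv4 options area (bytes 20..IHL*4); return [(type, body)]."""
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        raise ValueError("bad IHL")
    opts, i = [], 20
    while i < ihl:
        kind = pkt[i]
        if kind == IPOPT_EOL:           # end of list; remainder is padding
            break
        if kind == IPOPT_NOP:           # one-byte no-op used for alignment
            i += 1
            continue
        if i + 1 >= ihl or pkt[i + 1] < 2 or i + pkt[i + 1] > ihl:
            raise ValueError("malformed option at offset %d" % i)
        length = pkt[i + 1]
        opts.append((kind, pkt[i + 2:i + length]))
        i += length
    return opts

def source_route_hops(pkt: bytes):
    """('LSRR'|'SSRR', [hop IPs]) if a source route option is present, else None."""
    for kind, body in parse_ip_options(pkt):
        if kind in (IPOPT_LSRR, IPOPT_SSRR):   # body = pointer byte + 4-byte hops
            hops = [".".join(str(b) for b in body[k:k + 4])
                    for k in range(1, len(body) - 3, 4)]
            return ("LSRR" if kind == IPOPT_LSRR else "SSRR", hops)
    return None

def gateway_verdict(pkt: bytes) -> str:
    """Quoted sk62082 rule: TCP/UDP with any IP option is dropped (others: accept, by assumption)."""
    ihl = (pkt[0] & 0x0F) * 4
    if ihl > 20 and pkt[9] in (IPPROTO_TCP, IPPROTO_UDP):
        return "drop"
    return "accept"

def build_ipv4(proto: int, options: bytes = b"") -> bytes:
    """Constructed sample header (checksum left zero; never sent anywhere)."""
    options += b"\x00" * (-len(options) % 4)          # pad to 32-bit words
    ihl = 5 + len(options) // 4
    hdr = (bytes([(4 << 4) | ihl, 0]) + (20 + len(options)).to_bytes(2, "big")
           + bytes(4) + bytes([64, proto, 0, 0]) + bytes([10, 0, 0, 5, 192, 0, 2, 10]))
    return hdr + options

# Constructed LSRR option: type 131, length 11, pointer 4, hops 10.0.0.1 and 172.16.0.1
LSRR_OPT = bytes([IPOPT_LSRR, 11, 4, 10, 0, 0, 1, 172, 16, 0, 1])
```

Feeding `build_ipv4(IPPROTO_UDP, LSRR_OPT)` to `gateway_verdict` yields "drop", while the same header without options yields "accept"; `source_route_hops` shows the route the option would have imposed.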

