IP source routing on Checkpoint
Hi Guys,
Recently I had the chance to work on hardening of firewalls.
We have advised disabling source routing (Forbid IP source-route) on the firewall devices.
A few lines about source nat.
------------------------------------------------------------------
"Source routing is a technique whereby the sender of a packet can specify the route that a packet should take through the network. As a packet travels through the network, each router will examine the destination IP address and choose the next hop to forward the packet to. In source routing, the "source" (i.e., the sender) makes some or all of these decisions.
Reason for disabling: Attackers can use source routing to probe the network by forcing packets into specific parts of the network. Using source routing, an attacker can collect information about a network's topology, or other information that could be useful in performing an attack. During an attack, an attacker could use source routing to direct packets to bypass existing security restrictions.
-----------------------------------------------------------------------
We have a command on Cisco devices to disable ip source nat by giving the command "no ip source-route".
Could anyone recommend whether we have any specific settings available? As per my understanding this setting is not applicable to the CheckPoint firewall.
Regards,
Vengatesh SR
Accepted Solutions
Hello,
Good question!
As the Advanced Routing guides can demonstrate, Check Point uses traditional routing based on the packets' destination and there is no mention of source routing or path addressing as it is also known.
The closest feature to source routing on Check Point is policy-based routing since it would allow you to create routing tables based on the source IP address and subnet mask. For more information please see sk100500.
Provided you are not using policy-based routing already, I would say there is nothing to worry about.
I hope this helps.
According to disable-source-routing it looks like it is disabled on GAIA:
[Expert@FW1-1:0]# sysctl net.ipv4.conf.all.accept_source_route
net.ipv4.conf.all.accept_source_route = 0
Per sk62082, "Check Point Security Gateway will drop any TCP/UDP packet with IP options.", which includes source routing.
Per sk39374, IPv6 extension headers (including Routing Headers) are disabled by default.
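As an added illustration (not part of this thread and not Check Point's own code), the snippet below parses an IPv4 header and applies the sk62082 behaviour quoted above: any packet carrying IP options is dropped, and the loose/strict source-route options (IANA type codes 131 and 137) are called out by name. The function names, sample addresses and the zeroed checksum in the constructed headers are my own assumptions.

```python
import struct

# IANA IP option type codes relevant here (constants are mine, values are standard).
IPOPT_EOOL, IPOPT_NOP = 0, 1
IPOPT_LSRR = 131  # loose source and record route (0x83)
IPOPT_SSRR = 137  # strict source and record route (0x89)

def parse_ipv4_options(pkt: bytes):
    """Return the option type codes carried in pkt's IPv4 header (NOP padding skipped)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4  # header length in bytes; 20 means no options
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    opts, types, i = pkt[20:ihl], [], 0
    while i < len(opts):
        t = opts[i]
        if t == IPOPT_EOOL:
            break
        if t == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option length")
        types.append(t)
        i += opts[i + 1]
    return types

def verdict(pkt: bytes) -> str:
    """Mimic a gateway that drops any packet with IP options; name source routing."""
    types = parse_ipv4_options(pkt)
    if not types:
        return "accept"
    if IPOPT_LSRR in types or IPOPT_SSRR in types:
        return "drop: source-routed (LSRR/SSRR option)"
    return "drop: IP options present"

def build_header(options: bytes = b"") -> bytes:
    """Constructed sample IPv4 header (checksum left zero), options padded to 32 bits."""
    opts = options + b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(opts) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(opts), 0, 0,
                        64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return fixed + opts

# Constructed samples: no options, LSRR with one hop, and a Record Route option.
PLAIN = build_header()
LSRR = build_header(bytes([IPOPT_LSRR, 7, 4, 192, 0, 2, 1]))
RR = build_header(bytes([7, 7, 4, 0, 0, 0, 0]))
```

Feeding captured headers through verdict() is a quick way to confirm, for a gateway or host that is expected to behave as sk62082 describes, which traffic would be rejected before any policy lookup.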