This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Tobias_Moritz
Advisor
‎2020-06-18 06:53 AM
Jump to solution

Security Flaw? in Dynamic Anti-Spoofing (R80.20 and above)

Hello community,

I think some of you did really appreciate the new Anti-Spoofing feature in R80.20 which finally allowed us to define Anti-Spoofing by routes, which makes admins live easier as only routing has to be configured correctly (and it allows some dynamic routing scenrios to work without scripting)

My team was also happy about that and tests showed that is was working. Well, at least we thought so.

While this feature is not blocking traffic it should allow, it allows traffic which it shouldn't.

Maybe we were expecting too much or did not understand the documentation correctly, so please tell me, what you think.

Please take a look at this very simple static lab setup (I guess it is also a pretty common one in small real life setups):

Anti-Spoofing.png

What do you think what happens, when you send a spoofed IP packet which has a source address of 10.0.5.1 from intranet to firewall?

We expected it would be dropped by Anti-Spoofing, because routing table on gateway says this address would be routed to DMZ A and not to Intranet. There are two reasons for this routing decision (one would be enough):

  • more specific route for this IP address on DMZ A instead of Intranet
  • directly connected instead of static route

There is only one scenario, where gateway would send traffic to this IP address over the intranet heading interface from the routing point of view: If gateways interface to DMZ A is down. But in our test case, all interfaces are up and working.

So routing clearly says, this IP address belongs to DMZ A and therefor IP packets which such a source address should never come from Intranet.

Unfortunately, this is not how Checkpoint implementation is working currently. This spoofed traffic is accepted.

It looks like Checkpoint implementation is just grabbing all routing table entries for the interfaces and not takes care which routes have higher priority if conflicts exists and how routing decision is really done.

So now the question to the community and Checkpoint staff: It this the expected behaivior?

Thank you for any ideas!

---

All tests were done with R80.30 JHFA T191 on Gaia 2.6.

18 Replies
This widget could not be displayed.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events