Binoy
Explorer

How to prevent IP spoofing from internet?

Can someone help me understand how the Check Point firewall prevents IP spoofing from the internet?

6 Replies
PhoneBoy
Admin

There are a couple of things:

1. You define the topology on the gateway as to what's considered valid on the gateway for a given interface. In R80.20+ you can also let this be dynamically defined by the routing table.
2. We block the use of IP Options, which allow you to encode a route back to the IP.

Binoy
Explorer

Thank you very much for the reply.

1. I understand that we can enable anti-spoofing on interfaces based on the topology. Do I need to enable anti-spoofing on the Internet-facing interface? As the default route points to the internet, how will it detect IP spoofing?

2. Is the IPS blade required to block IP Options? Could you please help me understand how to do it?

PhoneBoy
Admin

For external interfaces, anything not defined on an internal interface would be considered invalid on the external interface.

IP Options checking is actually done in the firewall (not IPS) and done by default.
Modifying this behavior requires editing some .def files on the management and pushing policy.

Cyber_Serge
Collaborator

You can also search for "Anti-Spoofing" in the Security Gateway Administration Guide for your corresponding version to read up on more detail.

the_rock
Legend

I would refer to the link below; it explains it very well:

https://sc1.checkpoint.com/documents/R80.20/SmartConsole_OLH/EN/html_frameset.htm?topic=documents/R8...

@PhoneBoy gave you the correct answer. Put it this way... there is an option on the external interface to exempt any IP address, but you definitely do not want to turn off anti-spoofing on the external interface; that's a huge security issue. In some scenarios, I have seen people set it to "detect" on the internal interface, but that's not as bad, since that would be used for outbound traffic anyway.

Baasanjargal_Ts
Advisor

If you activate IP spoofing on your interfaces, it will help with IP spoofing attacks. If an attacker sends a packet with a spoofed address to your servers, it can prevent it. For example, if your Eth1 is configured with the 192.168.1.0/24 subnet, then it will drop the packet if the firewall receives an IP from this subnet coming from another interface...
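
Added example (not part of any reply in this thread, and not Check Point's code): a simplified Python model of the two checks the replies describe, topology-based source validation per interface and dropping packets that carry IP options. The interface names `eth0`/`eth2`, the `10.20.0.0/16` network, the function names and the sample headers are constructed assumptions; only `192.168.1.0/24` on Eth1 comes from the thread.

```python
import ipaddress

# Constructed topology: networks defined behind each internal interface.
INTERNAL = {
    "eth1": ipaddress.ip_network("192.168.1.0/24"),  # subnet used in the thread
    "eth2": ipaddress.ip_network("10.20.0.0/16"),    # constructed
}
EXTERNAL = "eth0"  # constructed name for the Internet-facing interface
SOURCE_ROUTE = {0x83: "LSRR", 0x89: "SSRR"}  # IPv4 source-route options (RFC 791)


def build_header(src, dst, options=b""):
    """Build a minimal IPv4 header (checksum left at zero) for the demo."""
    options += b"\x00" * (-len(options) % 4)          # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    fixed = bytes([0x40 | ihl, 0, 0, 20 + len(options), 0, 0, 0, 0, 64, 6, 0, 0])
    return fixed + ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + options


def option_names(header):
    """Return the option types found in the IPv4 options area."""
    end, i, names = (header[0] & 0x0F) * 4, 20, []
    while i < min(end, len(header)):
        kind = header[i]
        if kind == 0:                 # End of Option List
            break
        if kind == 1:                 # No-Operation is a single byte
            i += 1
            continue
        length = header[i + 1] if i + 1 < len(header) else 0
        if length < 2:                # malformed length would loop forever
            names.append("malformed")
            break
        names.append(SOURCE_ROUTE.get(kind, f"opt-{kind:#04x}"))
        i += length
    return names


def verdict(in_iface, header):
    """Return (action, reason) for a packet arriving on in_iface."""
    if (header[0] & 0x0F) > 5:        # any IP options present: dropped
        return "drop", "ip-options: " + ",".join(option_names(header))
    src = ipaddress.ip_address(header[12:16])
    owner = next((i for i, net in INTERNAL.items() if src in net), None)
    if in_iface == EXTERNAL:
        # External side: any source defined behind an internal interface is invalid.
        return ("drop", f"spoofed: {src} is behind {owner}") if owner else ("accept", "ok")
    # Internal side: source must belong to the network defined on this interface.
    return ("accept", "ok") if owner == in_iface else ("drop", f"spoofed: {src} not behind {in_iface}")
```

The default route pointing at the external interface does not matter to this check: the external side is defined by exclusion, so a source in `192.168.1.0/24` arriving on `eth0` is rejected even though every other address is accepted there.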
