Posted by on August 30, 2006, 8:31 pm
I need help understanding a problem with Spoof Detection on Firewall-1 4.0
that appears to be rendering it worthless.
On an internal network we have a Firewall-1 4.0 box that has 12 dmz
interfaces attached to it, each of them Class C networks that do not
overlap. I tried to put spoof detection into effect on the firewall as
follows:
1) Edited the Firewall-1 network object
2) Selected each Interfaces tab and hit Edit button
3) For every interface except external, I specified valid addresses as "This Net"
4) For the external interface, I specified "Others"
As soon as I install that policy, I see packets that should be allowed
through the firewall get an accept on the incoming interface, and then get a
reject on rule 0 as soon as they are passed to the interface with the server
they are trying to reach. I researched this online and got this
explanation:
A "reject" on Rule 0 typically means that an outgoing packet (one that has been accepted by your security policy and routed by the OS) is violating your anti-spoof rules because the packet is being routed out the wrong interface. If your Network Address Translation is misconfigured, you will often have problems with Anti-Spoofing.
This already concerns me a lot, because it implies that Firewall-1 has no
way to distinguish a packet that has already passed through its security
rules and NAT, from a packet that is incoming on an interface.
Can someone please give me an example of a valid NAT configuration that
would allow spoof detection to work correctly, without causing the packets
to be rejected on rule 0 when they get to the destination interface?
Further confusing me here, packets that are not having destination IPs
modified by NAT are not triggering spoof detection. I don't see how the
spoof detection can trigger when the packet gets to the dmz interface after
being changed by NAT, but not triggered when there is no NAT. In both
cases if the packet's source is a different network, then the Source IP
won't be the same as the Valid Addresses that correspond to the Firewall-1
"This Net" spoof detection setting.
--
Will
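The following is an added illustration, not Check Point code and not part of the original post. It models the anti-spoofing behaviour the quoted explanation describes: a gateway checks the source address of every packet arriving on an interface against that interface's "valid addresses", and checks the (post-NAT) destination of every packet leaving an interface against the egress interface's valid addresses, logging a Rule 0 reject on either failure. The interface names, networks, NAT mappings and route table are constructed; the "this_net", "specific" and "others" modes mirror the "This Net" and "Others" settings named in the post, with "specific" standing in for a hand-built group object. The second scenario reproduces the symptom the post describes (inbound accept, then Rule 0 reject on the DMZ side) for a server reached through a static route behind a DMZ interface whose valid addresses cover only the directly attached net, and the third shows the same packet passing once that routed network is listed among the interface's valid addresses.

```python
import ipaddress

# Constructed model of per-interface anti-spoofing (not Check Point code).
# Valid-address modes, named after the settings in the post:
#   "this_net"  -> the interface's directly attached network only
#   "specific"  -> an explicit list of networks (models a group object)
#   "others"    -> any address not claimed by another interface's definition


def _valid_networks(interfaces, iface):
    """Resolve an interface's valid-address setting to (networks, negate)."""
    cfg = interfaces[iface]
    if cfg["mode"] == "this_net":
        return [ipaddress.ip_network(cfg["net"])], False
    if cfg["mode"] == "specific":
        return [ipaddress.ip_network(n) for n in cfg["nets"]], False
    if cfg["mode"] == "others":
        claimed = []
        for other, ocfg in interfaces.items():
            if other != iface and ocfg["mode"] != "others":
                claimed.extend(_valid_networks(interfaces, other)[0])
        return claimed, True  # valid = NOT in any other interface's set
    raise ValueError("unknown mode %r" % cfg["mode"])


def is_valid_for(interfaces, iface, addr):
    """True if addr is a legitimate address on iface under its valid-address setting."""
    nets, negate = _valid_networks(interfaces, iface)
    member = any(ipaddress.ip_address(addr) in n for n in nets)
    return (not member) if negate else member


def egress_interface(routes, dst):
    """Longest-prefix match over a static route table {network: iface}."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes.items():
        n = ipaddress.ip_network(net)
        if ip in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, iface)
    return best[1] if best else None


def forward(interfaces, routes, nat, in_iface, src, dst):
    """Walk one packet through inbound spoof check, destination NAT, routing and
    outbound spoof check; return a verdict string modelled on the post's log entries."""
    if not is_valid_for(interfaces, in_iface, src):
        return "reject rule 0 (inbound spoof: src %s on %s)" % (src, in_iface)
    real_dst = nat.get(dst, dst)  # static destination NAT, if one applies
    out_iface = egress_interface(routes, real_dst)
    if out_iface is None:
        return "drop (no route to %s)" % real_dst
    if not is_valid_for(interfaces, out_iface, real_dst):
        return "reject rule 0 (outbound spoof: dst %s on %s)" % (real_dst, out_iface)
    return "accept via %s to %s" % (out_iface, real_dst)


# Constructed topology: external interface set to "Others", two DMZ interfaces set
# to "This Net", static destination NAT for two published servers, and a network
# behind a router on dmz1 that is reachable only through a static route.
INTERFACES = {
    "ext": {"mode": "others"},
    "dmz1": {"mode": "this_net", "net": "10.1.1.0/24"},
    "dmz2": {"mode": "this_net", "net": "10.1.2.0/24"},
}
ROUTES = {
    "10.1.1.0/24": "dmz1",
    "10.1.2.0/24": "dmz2",
    "10.99.0.0/24": "dmz1",  # routed network behind a router on dmz1
    "0.0.0.0/0": "ext",
}
NAT = {
    "203.0.113.10": "10.1.2.5",  # published address -> server directly on dmz2
    "203.0.113.11": "10.99.0.5",  # published address -> server behind the dmz1 router
}


def demo():
    """Four constructed packets; returns their verdicts in order."""
    client = "198.51.100.7"
    # 1) Server on the directly attached DMZ net: passes both checks.
    a = forward(INTERFACES, ROUTES, NAT, "ext", client, "203.0.113.10")
    # 2) Server on the routed net: accepted inbound, rejected at rule 0 on dmz1,
    #    because "This Net" on dmz1 does not cover 10.99.0.0/24.
    b = forward(INTERFACES, ROUTES, NAT, "ext", client, "203.0.113.11")
    # 3) Same packet after listing every network reachable via dmz1 as valid.
    fixed = dict(INTERFACES)
    fixed["dmz1"] = {"mode": "specific", "nets": ["10.1.1.0/24", "10.99.0.0/24"]}
    c = forward(fixed, ROUTES, NAT, "ext", client, "203.0.113.11")
    # 4) A DMZ source address arriving on the external interface is a spoof.
    d = forward(INTERFACES, ROUTES, NAT, "ext", "10.1.2.9", "203.0.113.10")
    return a, b, c, d


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The model is deliberately minimal: the policy rule base is assumed to accept everything, and only static destination NAT is applied, which is enough to show why the outbound check is evaluated against the translated destination rather than the address the client sent to. In this model the Rule 0 reject on the DMZ side appears whenever an address routed out an interface is absent from that interface's valid-address set, so networks reached through a router on a DMZ leg have to be included explicitly rather than relying on "This Net".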