Figure 6-13. RFC 2827 Filtering

! Provider edge router, interface toward the customer network (192.0.2.0/24):
! inbound, accept only packets sourced from the customer prefix;
! outbound, never send the customer packets that claim its own addresses.
interface Serial n
 ip access-group 101 in
 ip access-group 102 out

access-list 101 permit ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip any any

access-list 102 deny ip 192.0.2.0 0.0.0.255 any
access-list 102 permit ip any any

! Customer edge router, interface toward the provider:
! inbound, drop packets from the Internet that claim a local source;
! outbound, let only locally sourced packets leave the site.
interface Serial n
 ip access-group 120 in
 ip access-group 130 out

access-list 120 deny ip 192.0.2.0 0.0.0.255 any
access-list 120 permit ip any any

access-list 130 permit ip 192.0.2.0 0.0.0.255 any
access-list 130 deny ip any any

When implementing RFC 2827 filtering in your own network, it is important to push this filtering as close to the edge of your network as possible. Filtering only at the firewall permits the whole address range behind it, so an internal host can still spoof any other internal address, which leaves too many candidate sources and complicates your own traceback. Figure 6-14 shows filtering options at different points in a network.

Figure 6-14. Distributed RFC 2827 Filtering

WARNING

Be careful about the potential performance implications of RFC 2827 filtering. Make sure the devices you are using support hardware ACLs if your performance requirements dictate that they must. Even with hardware ACLs, logging is generally handled by the CPU, which can adversely affect performance when you are under attack.

When using RFC 2827 filtering near your user systems and those systems that use DHCP, you must permit additional IP addresses in your filtering. Here are the details, straight from the source (RFC 2827):

If ingress filtering is used in an environment where DHCP or BOOTP is used, the network administrator would be well advised to ensure that packets with a source address of 0.0.0.0 and a destination of 255.255.255.255 are allowed to reach the relay agent in routers when appropriate.
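The following is an added example, not code from the book or from any Cisco product. It generates the four access lists of Figure 6-13 from a customer prefix (deriving the IOS wildcard mask), evaluates constructed sample packets against them the way a router would (first match wins, implicit deny at the end), and adds the DHCP exception the RFC quote above calls for on a user-facing interface. The prefix 192.0.2.0/24 and ACL numbers 101, 102, 120 and 130 come from the figure; ACL number 140, the 192.0.2.0/26 user subnet and every packet are assumptions made for this demonstration. It also shows the point made above about filtering at the edge: the /24 filter at the Internet link cannot tell that 192.0.2.200 is being spoofed by a host in the /26 user VLAN, while the interface-level filter can.

```python
"""Added example: RFC 2827 anti-spoofing ACLs generated from a prefix and
evaluated against constructed packets.  Not from the book or any Cisco
product; ACL 140, the /26 user subnet and all packets are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

BOOTPS = 67  # UDP port the DHCP/BOOTP relay agent listens on


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    proto: str                # "ip" (any protocol) or "udp"
    src: str                  # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard)
    dst: str = "any"
    dport: Optional[int] = None  # destination port, udp rules only

    def text(self, number: int) -> str:
        """Render as an IOS numbered extended ACL line."""
        line = f"access-list {number} {self.action} {self.proto} {self.src} {self.dst}"
        return line + (f" eq {self.dport}" if self.dport is not None else "")


def wildcard_mask(cidr: str) -> str:
    """IOS ACLs take an inverted mask: /24 -> 0.0.0.255, /26 -> 0.0.0.63."""
    return str(ipaddress.ip_network(cidr).hostmask)


def _match(spec: str, addr: str) -> bool:
    """Match one address against an ACL address specification."""
    if spec == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    kind, *rest = spec.split()
    if kind == "host":
        return a == int(ipaddress.IPv4Address(rest[0]))
    base, wild = (int(ipaddress.IPv4Address(p)) for p in spec.split())
    care = ~wild & 0xFFFFFFFF       # a 1 bit in the wildcard means "don't care"
    return (a & care) == (base & care)


def evaluate(acl: List[Rule], src: str, dst: str,
             proto: str = "ip", dport: Optional[int] = None) -> str:
    """First matching rule wins; every IOS ACL ends with an implicit deny."""
    for r in acl:
        if r.proto != "ip" and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if _match(r.src, src) and _match(r.dst, dst):
            return r.action
    return "deny"


def build_acls(cidr: str) -> Dict[int, List[Rule]]:
    """The four ACLs of Figure 6-13 for a customer prefix.
    101 in / 102 out: provider side of the link.
    120 in / 130 out: customer side of the link."""
    net = ipaddress.ip_network(cidr)
    pfx = f"{net.network_address} {wildcard_mask(cidr)}"
    return {
        101: [Rule("permit", "ip", pfx), Rule("deny", "ip", "any")],
        102: [Rule("deny", "ip", pfx), Rule("permit", "ip", "any")],
        120: [Rule("deny", "ip", pfx), Rule("permit", "ip", "any")],
        130: [Rule("permit", "ip", pfx), Rule("deny", "ip", "any")],
    }


def user_facing_acl(subnet_cidr: str) -> List[Rule]:
    """Inbound ACL for a user-facing interface (assumed number 140): permit
    the tighter user subnet, and let DHCP DISCOVER/REQUEST from 0.0.0.0 to
    255.255.255.255 reach the relay agent, as RFC 2827 advises."""
    net = ipaddress.ip_network(subnet_cidr)
    return [
        Rule("permit", "udp", "host 0.0.0.0", "host 255.255.255.255", BOOTPS),
        Rule("permit", "ip", f"{net.network_address} {wildcard_mask(subnet_cidr)}"),
        Rule("deny", "ip", "any"),
    ]


def render(number: int, acl: List[Rule]) -> List[str]:
    return [r.text(number) for r in acl]


if __name__ == "__main__":
    acls = build_acls("192.0.2.0/24")
    for n, acl in acls.items():
        print("\n".join(render(n, acl)))
    edge = user_facing_acl("192.0.2.0/26")       # assumed user VLAN
    print("\n".join(render(140, edge)))
    # Constructed packets: legitimate customer traffic, spoofed traffic from
    # outside, a DHCP DISCOVER, and an inside host spoofing another customer
    # address that only the user-facing ACL can catch.
    print(evaluate(acls[101], "192.0.2.10", "198.51.100.5"))        # permit
    print(evaluate(acls[120], "192.0.2.10", "198.51.100.5"))        # deny
    print(evaluate(acls[130], "192.0.2.200", "198.51.100.5"))       # permit
    print(evaluate(edge, "192.0.2.200", "198.51.100.5"))            # deny
    print(evaluate(edge, "0.0.0.0", "255.255.255.255", "udp", BOOTPS))  # permit
```

The DHCP permit is placed ahead of the prefix permit and is restricted to UDP from host 0.0.0.0 to host 255.255.255.255 on the BOOTP server port, so the exception admits only what the relay agent needs and nothing else with an all-zero source.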

If properly implemented, RFC 2827 filtering can reduce certain types of IP spoofing attacks against your network and can also prevent IP spoofing attacks (beyond the local range) from being launched against others from your site. If everyone worldwide implemented RFC 2827 filtering, the Internet would be a much safer place, because hiding behind spoofed source addresses would be nearly impossible for attackers.
