Make sure you do both ingress and egress filtering

© 2003, Cisco Systems, Inc. All rights reserved.

In the context of a firewall, the firewall device should provide protection against spoofing on its interfaces. The two most common guidelines for deploying anti-spoofing rules are:

On each perimeter interface, disallow traffic entering the firewall that carries source addresses reachable on another perimeter

On each perimeter interface, filter out source addresses which should, by definition, not be present on that network: for example, the loopback address 127.0.0.1, or RFC 1918 addresses arriving from the Internet

Anti-spoofing is usually deployed either using automatic methods, such as Unicast Reverse Path Forwarding, or with manual rule configuration. Sometimes anti-spoofing is not implemented directly on the main access control device, but on another device in the packet path, such as the access router on the Internet connection.
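The two guidelines above, expressed as a decision function rather than as firewall configuration. This is an added example, not Cisco code or configuration: the interface table, the bogon list, and the three interface names are constructed here to illustrate how an arriving packet's source address is checked against the interface it arrived on (the uRPF-style reachability test) and, on the untrusted interface, against addresses that should never appear there.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed interface table for a firewall with three perimeters. Each
# interface lists the prefixes that are reachable through it; the Internet
# side carries the default route. These values are assumptions for the example.
INTERFACES: Dict[str, List[str]] = {
    "outside": ["0.0.0.0/0"],        # Internet-facing, untrusted
    "inside":  ["10.1.0.0/16"],      # internal network (RFC 1918 space)
    "dmz":     ["192.0.2.0/24"],     # DMZ servers
}

# Source addresses that should, by definition, never arrive from the Internet:
# loopback, RFC 1918, plus link-local, "this network" and multicast.
BOGONS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
)]


def _reachable_via(src: ipaddress.IPv4Address, table: Dict[str, List[str]]) -> str:
    """Longest-prefix match: the interface through which src is reachable."""
    best_iface, best_len = "", -1
    for iface, prefixes in table.items():
        for p in prefixes:
            net = ipaddress.ip_network(p)
            if src in net and net.prefixlen > best_len:
                best_iface, best_len = iface, net.prefixlen
    return best_iface


def check_source(src_ip: str, in_iface: str,
                 table: Dict[str, List[str]] = INTERFACES,
                 untrusted: str = "outside") -> Tuple[str, str]:
    """Return ("permit", "") or ("drop", reason) for a packet with source
    src_ip arriving on in_iface. Ingress and egress are handled by the same
    test: a packet is only accepted on the interface its source belongs to."""
    src = ipaddress.ip_address(src_ip)
    # Guideline 2: on the untrusted interface, reject sources that cannot
    # legitimately exist there (RFC 1918 is legitimate on inside, so the bogon
    # test is applied only to the Internet-facing interface).
    if in_iface == untrusted and any(src in n for n in BOGONS):
        return "drop", f"bogon source {src} on untrusted interface {in_iface}"
    # Guideline 1: the source must be reachable via the interface it came in on.
    expected = _reachable_via(src, table)
    if expected != in_iface:
        return "drop", f"source {src} reachable via {expected}, arrived on {in_iface}"
    return "permit", ""


if __name__ == "__main__":
    # Constructed sample packets: (source address, arrival interface).
    for pkt in [("10.1.2.3", "inside"), ("10.1.2.3", "outside"),
                ("203.0.113.9", "inside"), ("192.0.2.5", "dmz")]:
        print(pkt, check_source(*pkt))
```

A packet from 10.1.2.3 is permitted on inside but dropped on outside (ingress filtering), while an Internet address such as 203.0.113.9 arriving on inside is dropped (egress filtering), which is the "do both" point of the title.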

Ingress filtering is deployed to prevent spoofing from untrusted users:
