{"id":958,"date":"2017-03-29T20:35:00","date_gmt":"2017-03-29T20:35:00","guid":{"rendered":"https:\/\/jay-miah.co.uk\/?p=958"},"modified":"2024-11-17T20:39:52","modified_gmt":"2024-11-17T20:39:52","slug":"958","status":"publish","type":"post","link":"https:\/\/jay-miah.co.uk\/index.php\/958\/","title":{"rendered":"Anti-Spoofing on a\u00a0Checkpoint\u00a0Firewall"},"content":{"rendered":"<p>IP Spoofing is a technique of generating IP packets with a source address that belongs to someone else.<br \/>\nSpoofing creates a danger when hosts on the LAN permit access to their resources and services to trusted hosts by checking the source IP of the packets. Using spoofing, an intruder can fake the source address of their\u00a0packets and make them look like they originated on the trusted hosts.<\/p>\n<p>Anti-spoofing protection is when we create a firewall rule assigned to the external interface of the firewall that examines source addresses of all packets crossing that interface coming from the outside. If the address belongs to the internal network or the firewall itself, the packet is dropped.<\/p>\n<p>Example:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-959 aligncenter\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/topology.jpeg\" alt=\"Topology\" width=\"788\" height=\"474\" \/><\/p>\n<p>&nbsp;<\/p>\n<p>\u201cNetwork A\u201d\u00a0uses\u00a0\u201c10.0.0.0\/8\u201d\u00a0on the internal interface and we have a remote\u00a0\u201cNetwork D\u201d\u00a0that uses\u00a0\u201c10.4.4.0\/24\u201d\u00a0over the VPN tunnel. 
If any device within\u00a0\u201cNetwork A\u201d\u00a0sends packets to\u00a0\u201cNetwork D\u201d, the forward traffic will flow fine given the correct routing is in place; however, the firewall will look at the reply traffic, notice that the source of that packet is from the \u201c10\u201d subnet, and instantly drop it.<\/p>\n<p>For\u00a0\u201cFirewall A\u201d\u00a0the device makes sure that<\/p>\n<ul>\n<li>All incoming packets to the\u00a0\u201cOutside Interface\u201d\u00a0come from\u00a0\u201cNetwork B\u201d,\u00a0\u201cNetwork C\u201d\u00a0or\u00a0\u201cInternet\u201d<\/li>\n<li>All incoming packets to the\u00a0\u201cInside Interface\u201d\u00a0come from\u00a0\u201cNetwork A\u201d<\/li>\n<\/ul>\n<p>For\u00a0\u201cFirewall B\u201d\u00a0the device makes sure that<\/p>\n<ul>\n<li>All incoming packets from the\u00a0\u201cOutside Interface\u201d\u00a0come from\u00a0\u201cInternet\u201d<\/li>\n<li>All incoming packets from the\u00a0\u201cInside Interface\u201d\u00a0come from\u00a0\u201cNetwork A\u201d,\u00a0\u201cNetwork B\u201d\u00a0or\u00a0\u201cNetwork C\u201d<\/li>\n<\/ul>\n<p>The firewall already knows that 10.0.0.0\/8 belongs on the internal interface behind\u00a0\u201cFirewall A\u201d, so it suspects the IP address is being spoofed. 
This behaviour is correct.<\/p>\n<p>Generally you want to ensure that anti-spoofing is used to prevent spoofed IP addresses from being used by an attacker to take advantage of your network.<\/p>\n<p>However, in some situations you may need to allow traffic through without it being inspected; commonly this is a site-to-site VPN scenario where the 3<sup>rd<\/sup>\u00a0party also uses the same private addressing scheme on their encryption domain.<\/p>\n<p>As long as you are sure the traffic is coming from a verified source, you can create exceptions to exempt that network from spoofing checks.<\/p>\n<p>In the steps below we will set up anti-spoofing on a Checkpoint firewall on both the internal and external interfaces, and then create an exception to allow the traffic from the remote network that is using a \u201c10\u201d network on the outside.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Configure Anti-Spoofing on the Internal Interface<\/strong><\/p>\n<p><strong>1.<\/strong>\u00a0In SmartDashboard, from the\u00a0\u201cNetwork Objects\u201d\u00a0tree, double-click the Security Gateway.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"214\" height=\"259\" class=\"wp-image-960\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/1-3.jpeg\" alt=\"1\" \/><\/p>\n<p><strong>2.<\/strong>\u00a0From the navigation tree, click\u00a0\u201cTopology\u201d. 
Select the\u00a0\u201cInternal\u201d\u00a0interface and click\u00a0\u201cEdit\u201d.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"773\" height=\"286\" class=\"wp-image-961\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/2-3.jpeg\" alt=\"2\" \/><\/p>\n<p><strong>3.<\/strong>\u00a0Click the\u00a0\u201cTopology\u201d\u00a0tab, select\u00a0\u201cInternal (leads to local Network)\u201d, and select the option for\u00a0\u201cNetwork defined by the interface IP and Net Mask\u201d.<\/p>\n<p>Tick\u00a0\u201cPerform Anti-Spoofing based on interface topology\u201d\u00a0and set\u00a0\u201cAnti-Spoofing action is set to\u201d\u00a0to either \u2013<\/p>\n<p><strong>Prevent\u00a0<\/strong>\u2013 Drops spoofed packets.<\/p>\n<p><strong>Detect\u00a0<\/strong>\u2013 Allows spoofed packets.<\/p>\n<p>It is recommended to use the\u00a0\u201cDetect\u201d\u00a0option to monitor traffic. Then click\u00a0\u201cOK\u201d.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"450\" height=\"556\" class=\"wp-image-962\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/3-3.jpeg\" alt=\"3\" \/><\/p>\n<p>&nbsp;<\/p>\n<p><strong>Configure Anti-Spoofing on the External Interface and exempt a specific network from anti-spoofing inspection.<\/strong><\/p>\n<p><strong>1.<\/strong>\u00a0From the navigation tree, click\u00a0\u201cTopology\u201d. 
Select the\u00a0\u201cExternal\u201d\u00a0interface and click\u00a0\u201cEdit\u201d.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"773\" height=\"276\" class=\"wp-image-963\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/3-5.jpeg\" alt=\"3.5\" \/><\/p>\n<p>The\u00a0\u201cInterface Properties\u201d\u00a0window opens.<\/p>\n<p><strong>2.<\/strong>\u00a0Click the\u00a0\u201cTopology\u201d\u00a0tab and select\u00a0\u201cExternal (leads out to the Internet)\u201d.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"450\" height=\"283\" class=\"wp-image-964\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/4-3.jpeg\" alt=\"4\" \/><\/p>\n<p><strong>3.<\/strong>\u00a0Tick\u00a0\u201cPerform Anti-Spoofing based on interface topology\u201d\u00a0and set\u00a0\u201cAnti-Spoofing action is set to\u201d\u00a0to<\/p>\n<p><strong>Prevent\u00a0<\/strong>\u2013 Drops spoofed packets.<\/p>\n<p>Tick\u00a0\u201cDon\u2019t check packets from\u201d.<\/p>\n<p>Click the field, and select the Group or Network object that you are excluding from anti-spoofing. In our case this will be\u00a0\u201cNetwork D\u201d.<\/p>\n<p>From\u00a0\u201cSpoof Tracking\u201d, select\u00a0\u201cLog\u201d\u00a0and click\u00a0\u201cOK\u201d.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"450\" height=\"272\" class=\"wp-image-965\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/5-3.jpeg\" alt=\"5\" \/><\/p>\n<p><strong>4.<\/strong>\u00a0Click\u00a0\u201cOK\u201d\u00a0and install the policy.<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>IP Spoofing is a technique of generating IP packets with a source address that belongs to someone else. 
Spoofing creates a danger when hosts on<\/p>\n","protected":false},"author":1,"featured_media":966,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,6],"tags":[99,39,100],"class_list":["post-958","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-checkpoint-firewall","category-security","tag-anti-spoofing","tag-checkpoint","tag-firewall"],"_links":{"self":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/958","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=958"}],"version-history":[{"count":4,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/958\/revisions"}],"predecessor-version":[{"id":970,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/958\/revisions\/970"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media\/966"}],"wp:attachment":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=958"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=958"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=958"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}