
RE: [FW1] Is there any reason not to use spoof tracking on each FW interface?




Bryan,

Sorry for the delay in responding, a couple of mails to catch up on and some
internal fires to put out :->

Comments are inline.

Regards

Tim

-----Original Message-----
From: Bryan Morris [mailto:[email protected]]
Sent: 19 January 2001 15:13
To: [email protected]; [email protected]
Subject: RE: [FW1] Is there any reason not to use spoof tracking on each FW interface?


Hi,

>>If you are new to FW1 then you will probably find it easier to
>>start with no anti-spoofing and make things work then enable it
>>later, this saves fighting all the "rule 0" events each time you
>>change something.

>Why is that?

>What do you mean by 'this saves fighting all the "rule 0" events 
>each time you change something'.

Rule 0 is the set of "implied rules" that the firewall adds 
automatically based on other GUI settings you make such as
"accept fw1 control sessions" and anti spoofing, etc.

If you don't configure these exactly right you can end up chasing
your tail looking at the wrong thing, so what I tended to do was
to configure the firewall, make everything work, then break it
again by adding other layers such as anti-spoofing - that way you
know the single entry you changed and it's easier to fix.

If you use the opposite method - you have to know the anti-spoofing
rules you can set-up with this in place from day one but keep an eye
out for rule 0 issues when you change things.  

This is particularly important for NAT'ed interfaces such as DMZs
where both addresses are valid - then you take the "others" for your
Internet feed and obviously you've already excluded the Live IPs so it
reports spoofing of your live range on the Internet segment :-<

You typically therefore end up with anti-spoofing configured something
like this:

By default
	Configure each interface to use "this net", Log (or Alert)

The DMZ has a group containing two or more objects
	A network object that defines the network
	- effectively replacing "this net"

	Either another network object that defines the Live addresses,
	or a set of workstation objects that match the hosts you need
	on this network (a little more secure but harder to maintain)

The Internet interface
	Define a group, say "Internet Live"
	Add a network object to this that defines your Live IP Ranges
	Configure the Interface anti-spoofing as "others +" and the
	"Internet Live" group


Things to watch for are:

Multiple internal IP ranges for your internal networks such as routed
connections from other sites, define all of these network objects and
add them to a group, use this group as "specific" addresses on the
interface.

Additional services like RIP V2 updates if you allow routing table
updates to the firewall and back, in this case you'd need to add
the RIP address to the list of valid internal addresses (i.e. another
group, network object and the RIP "workstation" object with an
address of 224.0.0.9).

VPNs - since the OS routing table shows to get to the remote site
via the Internet router's IP address and anti-spoofing kicks in
either side of the routing decisions, it blocks a "spoofed" internal address
hitting the Internet address. I've queried this with CP but
without resolution. This is one of the primary reasons to use an
upstream router and have "any" on the Internet facing interface,
after all Internet + encryption domain only leaves the DMZ !!

If you do this - don't forget to harden the router config too
- there have been old postings on how to do this.


>>The only reason you may not do anti-spoofing on the Firewall is if another
>>device does it instead - eg the upstream router to your ISP.

>Good point.

>>Running it on the FW has the advantage of protecting all interfaces
>>- so that you can cover threats that originate both internally and
>>externally.

>Also, even if one has an upstream router, what could it hurt to run a 
>little extra anti-spoofing?

Very true - it's even better if the load is shared or it's multiple
hurdles for a would-be hacker to get through - hopefully they will get bored
and go elsewhere!

>Bryan


>From: Chilton Tim <[email protected]>
>To: 'Bryan Morris' <[email protected]>
>CC: [email protected]
>Subject: RE: [FW1] Is there any reason not to use spoof tracking on each FW interface?
>Date: Fri, 19 Jan 2001 14:03:33 -0000
>
>If you are new to FW1 then you will probably find it easier to start with no
>anti-spoofing and make things work then enable it later, this saves fighting
>all the "rule 0" events each time you change something.
>
>The only reason you may not do anti-spoofing on the Firewall is if another
>device does it instead - eg the upstream router to your ISP.
>
>Running it on the FW has the advantage of protecting all interfaces - so
>that you can cover threats that originate both internally and externally.
>
>Regards
>
>Tim
>
>
>-----Original Message-----
>From: Bryan Morris [mailto:[email protected]]
>Sent: 17 January 2001 23:15
>To: [email protected]
>Subject: [FW1] Is there any reason not to use spoof tracking on each FW
>interface?
>
>
>
>Hello,
>
>Is there any reason not to use spoof tracking on each FW interface?
>
>/bmjr
>


************************************************************************
The information in this email is confidential and is intended solely
for the addressee(s).
Access to this email by anyone else is unauthorised. If you are not
an intended recipient, you must not read, use or disseminate the
information contained in the email.
Any views expressed in this message are those of the individual sender,
except where the sender specifically states them to be the views of
The Capital Markets Company.

http://www.capco.com
***********************************************************************



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
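As an added illustration (my own code, not from the thread or from Check Point), here is a small Python model of the per-interface anti-spoofing decision Tim describes: "specific" groups on the internal and DMZ interfaces, "others +" the "Internet Live" group on the Internet interface, the RIP v2 address as a valid internal source, and the internal-source-on-the-Internet-interface case that bites VPNs. All addresses are constructed documentation ranges, and the interface names are assumed.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed topology using documentation ranges, not addresses from the thread.
INTERNAL = ipaddress.ip_network("10.1.0.0/16")     # internal interface "this net"
BRANCH = ipaddress.ip_network("10.2.0.0/16")       # routed range from another site
DMZ_NET = ipaddress.ip_network("192.168.10.0/24")  # DMZ "this net"
LIVE = ipaddress.ip_network("203.0.113.0/24")      # "Internet Live" group, NAT'ed onto the DMZ
RIP_V2 = ipaddress.ip_network("224.0.0.9/32")      # RIP v2 multicast "workstation" object

# "Specific" valid-source groups for the non-Internet interfaces, as the post lays out.
SPECIFIC: Dict[str, List[ipaddress.IPv4Network]] = {
    "internal": [INTERNAL, BRANCH, RIP_V2],
    "dmz": [DMZ_NET, LIVE],
}
# Internet interface is "others" (whatever no specific interface claims), "+" this group.
INTERNET_PLUS = [LIVE]


def antispoof_verdict(iface: str, src: str, internet_plus: bool = True) -> str:
    """Return 'accept' or 'drop' for a packet with source src seen on iface.

    Models the implied-rule ("rule 0") anti-spoofing decision: a source is
    spoofed on an interface unless it lies inside that interface's valid set.
    internet_plus=False models plain "others" instead of "others +" the group.
    """
    addr = ipaddress.ip_address(src)
    if iface in SPECIFIC:
        return "accept" if any(addr in n for n in SPECIFIC[iface]) else "drop"
    if iface == "internet":
        claimed = any(addr in n for nets in SPECIFIC.values() for n in nets)
        in_plus = internet_plus and any(addr in n for n in INTERNET_PLUS)
        return "accept" if (not claimed or in_plus) else "drop"
    raise ValueError(f"unknown interface: {iface}")


def rule0_drops(packets: List[Tuple[str, str]], internet_plus: bool = True) -> List[Tuple[str, str]]:
    """Return the (iface, src) pairs the check would drop, i.e. the rule-0 log entries."""
    return [p for p in packets if antispoof_verdict(p[0], p[1], internet_plus) == "drop"]


if __name__ == "__main__":
    sample = [("internal", "10.2.3.4"), ("internal", "224.0.0.9"), ("dmz", "203.0.113.7"),
              ("internet", "203.0.113.7"), ("internet", "198.51.100.9"), ("internet", "10.1.5.5")]
    # Plain "others" reports the Live range as spoofed on the Internet side; "others +"
    # fixes that. The internal source on the Internet interface (the VPN case) drops either way.
    print("others  :", rule0_drops(sample, internet_plus=False))
    print("others +:", rule0_drops(sample))
```

Running it shows the Live range being logged as spoofed on the Internet interface until the "+" group is added, which is exactly the rule 0 noise the post warns about.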