Ingress and Egress Filtering to Protect Against IP Spoofing
Posted by sillz on September 19, 2007, 12:09 pm
I'm a relative Cisco newbie, and I have a new edge router in a network with the following characteristics:

Cisco 6509 -- Flex-WAN module, 4 ports
2 ISP's
2 Multilinked T1's
BGP enabled
3 Private Network Segments

I want to enable Ingress and Egress Filtering to protect against IP Spoofing.

Let's say these are the addresses for my multilinked T1's:

ISP1 - 55.55.55.254 255.255.255.252
ISP2 - 66.66.66.254 255.255.255.252

My Network Block looks like this:

77.77.77.0 255.255.255.0

My private segments look like this:

10.1.0.0 /16
10.2.0.0 /16
10.3.0.0 /16

I was wondering if someone could give me assistance with how to construct my ACLs based on my network information and help me make sure the syntax is correct.

Your help would be appreciated.

Regards,

Beth
Systems Admin
Posted by Trendkill on September 19, 2007, 1:02 pm
For IP spoofing, all you really need to do is put an 'in' filter for all private IP address ranges (192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/20, etc) as well as any external ranges that you do actually own. This prevents folks out on the internet from effectively spoofing their IP to make your router think that they are part of your internal network (although with a good firewall, this wouldn't be a problem). Just put it as an 'in' filter on the external interface (towards the internet).
Posted by sillz on September 19, 2007, 4:51 pm
Thanks for your reply. Could you show me what this in filter would look like?

I am required to do this in both directions because of an audit finding. I must do it for compliance.
Posted by Trendkill on September 19, 2007, 5:12 pm
> Thanks for your reply. Could you show me what this in filter would look like?
>
> I am required to do this in both directions because of an audit finding. I must do it for compliance.

access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 224.0.0.0 7.255.255.255 any
access-list 101 deny ip X.X.X.X X.X.X.X any
access-list 101 permit ip any any

Use the x.x.x.x one to add any public networks that you may own. If not, just delete it before pasting in.
Posted by Trendkill on September 19, 2007, 5:25 pm
Even better: http://ciscotips.wordpress.com/2006/06/04/anti-spoofing-rules-for-internet-routers/
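A worked version of the filter for Beth's addressing, added here as an example rather than taken from the thread or the linked page: it builds the inbound list Trendkill describes (private and bogon ranges plus her own block, denied as source on the ISP-facing interfaces) and the outbound list the audit finding asks for, and includes a small first-match evaluator so both lists can be checked against sample source addresses before they are pasted into the router. It assumes a Multilink1 interface name, uses the RFC 1918 size for 172.16.0.0/12, and derives the ISP link /30s from the addresses in the question.

```python
import ipaddress

# Values from the thread: Beth's public block and the two ISP link /30s.
# RFC 1918 sizes are used here (172.16.0.0/12; the thread's reply wrote /20).
OWN_BLOCK = "77.77.77.0/24"
ISP_LINKS = ["55.55.55.252/30", "66.66.66.252/30"]
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
OTHER_BOGONS = ["0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4"]

def wildcard(cidr):
    """Render a prefix as 'network wildcard' (wildcard = inverted subnet mask)."""
    n = ipaddress.ip_network(cidr, strict=False)
    return f"{n.network_address} {n.hostmask}"

def ingress_acl(num=101):
    """Apply 'in' on each ISP interface: a packet arriving from the Internet
    can never legitimately claim a private, bogon or our-own source address."""
    blocked = RFC1918 + OTHER_BOGONS + [OWN_BLOCK]
    lines = [f"access-list {num} deny ip {wildcard(n)} any" for n in blocked]
    return lines + [f"access-list {num} permit ip any any"]

def egress_acl(num=102):
    """Apply 'out' on each ISP interface: only our own addresses (and the
    router's link addresses) may leave, so an inside host cannot spoof others."""
    allowed = [OWN_BLOCK] + ISP_LINKS
    lines = [f"access-list {num} permit ip {wildcard(n)} any" for n in allowed]
    return lines + [f"access-list {num} deny ip any any log"]

def evaluate(acl, src):
    """First-match evaluation of a source address, as IOS does; an empty or
    exhausted list falls through to the implicit deny."""
    s = int(ipaddress.IPv4Address(src))
    for line in acl:
        p = line.split()
        action, net, wc = p[2], p[4], p[5]
        if net == "any":
            return action
        care = ~int(ipaddress.IPv4Address(wc)) & 0xFFFFFFFF  # 1 bits = compare
        if (s ^ int(ipaddress.IPv4Address(net))) & care == 0:
            return action
    return "deny"

if __name__ == "__main__":
    for line in ingress_acl() + egress_acl():
        print(line)
    # Hypothetical interface name; bind the lists on every ISP-facing interface.
    print("interface Multilink1\n ip access-group 101 in\n ip access-group 102 out")
```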