Tony,

Check PIX 6.1, "ip verify unicast reverse-path" is in there.
Liberty for All,
Brian

At 12:01 PM 10/13/2001 -0700, Tony Rall wrote:
>Message: 5
>To: <[EMAIL PROTECTED]>
>Subject: Re: PIX features
>From: "Tony Rall" <[EMAIL PROTECTED]>
>Date: Fri, 12 Oct 2001 21:26:08 -0700
>
>On Friday, 2001/10/12 at 12:25 CET, "Bruno Fernandes" <[EMAIL PROTECTED]> wrote:
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > -is Pix able to identify/block IP-spoofing?
> > Yes
>
>The only way I know of for a Pix, or any type of box, to identify spoofing is by filters that know which source addresses are permissible for incoming traffic on an interface. With some Cisco IOS versions (not available on Pix) you can use "ip verify unicast reverse-path" - a very nice trick that uses the box's routing table to determine whether to allow a source address. The address, when used as a destination, must be routed out the same interface it arrived on; else it gets discarded. Boxes without such a nice control have to have hardcoded access lists which statically permit only the source addresses that the admin thinks should be arriving on an interface.
>
>But that only works for interfaces which don't have a default route and that don't use dynamic routing (which is not, unfortunately, an issue on the Pix). If the Pix is connected to the Internet typically its outside interface will be configured with a default route. There is no way it can identify or block spoofed traffic arriving at such an interface (but it can, if so configured with access lists, block address ranges that it knows should never arrive on that interface, such as RFC 1918 addresses and its own inside address ranges).
>
>My answer to the original question is that Pix cannot identify spoofing (but it can statically filter by address, which may be used to block spoofing in some cases).
>
>Tony Rall

--__--__--
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
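The two controls Tony describes, the routing-table-based reverse-path check and the static source-address access list, can be simulated to see exactly where each one catches a spoofed source and where the default-route limitation leaves a gap. The following is an added illustration and not code from the thread or from Cisco; the routing table, the interface names (inside, outside, dmz) and the address ranges are all constructed for the example.

```python
import ipaddress

# Constructed routing table: (prefix, egress interface). Models the PIX-style
# topology discussed in the thread, with the default route pointing out "outside".
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
    (ipaddress.ip_network("10.1.0.0/16"), "inside"),
    (ipaddress.ip_network("192.168.50.0/24"), "dmz"),
]

# Static filter of the kind the thread suggests as the fallback: source ranges
# that should never arrive on the outside interface (RFC 1918 space here;
# the firewall's own inside ranges are covered by 10.0.0.0/8 and 192.168.0.0/16).
OUTSIDE_DENY_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def lookup(dest, routes=ROUTES):
    """Longest-prefix match: the egress interface a packet to `dest` would use."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface in routes:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def strict_urpf_allows(src, ingress_iface, routes=ROUTES):
    """Strict unicast reverse-path check as the thread describes it: the packet's
    source address, looked up as if it were a destination, must route back out
    the interface the packet arrived on; otherwise the packet is discarded."""
    return lookup(src, routes) == ingress_iface


def static_acl_allows(src, ingress_iface):
    """Static source-address filter: only useful where the admin knows which
    ranges must never appear on an interface (here, only "outside" is filtered)."""
    if ingress_iface != "outside":
        return True
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in OUTSIDE_DENY_SOURCES)


def evaluate(src, ingress_iface, routes=ROUTES):
    """Verdict of both controls for one packet, so the gaps can be compared."""
    return {
        "urpf": strict_urpf_allows(src, ingress_iface, routes),
        "acl": static_acl_allows(src, ingress_iface),
    }


if __name__ == "__main__":
    # Constructed packets: (source address, interface it arrived on).
    for src, iface in [
        ("10.1.2.3", "inside"),       # legitimate inside host
        ("10.1.2.3", "outside"),      # inside address spoofed from outside
        ("198.51.100.7", "outside"),  # any other external source
        ("198.51.100.7", "inside"),   # external address spoofed from inside
    ]:
        print(src, iface, evaluate(src, iface))
```

On the inside interface, which has no default route covering it, strict uRPF rejects every source that does not belong to an inside prefix, so an external address spoofed from inside is dropped. On the outside interface the default route makes any source that has no more specific route look plausible, which is the limitation Tony points out; what uRPF still catches there are sources with a specific route to another interface (inside or dmz ranges), and that is exactly the set the static access list also has to cover by hand.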
