A spoofed packet looks just like an unspoofed packet.

Probably the only reliable way to tell the difference
would be if you had multiple routes to the Internet,
and the spoofed traffic was coming in on the wrong route
for its (proclaimed) IP Address.

Mike Burden
Lynk Systems
http://www.lynk.com
(616)532-4985
[EMAIL PROTECTED]



> -----Original Message-----
> From: Chris Green [mailto:[EMAIL PROTECTED]]
> Sent: Monday, August 27, 2001 3:28 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: Safe Web
> 
> 
> Paul,
> 
> What about the fact they are spoofing the IP Header on the 
> return packet?  
> Shouldn't a good firewall be able to pick up on that and toss it out?
> 
> Chris Green
> 
> 
> >This discussion touches on some issues that were discussed recently
> >with regard to AOL/AIM, etc.  It is very difficult to block access if
> >workarounds have been created like masquerading as some other
> >service.  The answer for blocking masquerading service is to invest
> >in a system like "Packet Hound" which will inspect the content of
> >EVERY packet and drop those not authorized.
> >
> >The problem with something like SafeWeb and TriangleBoy is a bit more
> >difficult, but not unsolvable.  My solutions are two:
> >
> >1. Put out a policy stating that circumventing the firewall using
> >services like Safe Web and TriangleBoy is not acceptable.  State
> >what the penalty is for violating this policy (termination?).  If you
> >find someone violating the policy impose the penalty; no questions
> >asked.
> >
> >2. You can also take the "allowed access approach" for potential
> >troublemakers.  That is, only allow them access to those services and
> >sites that are required for their work.  So, for example, you only
> >allow those users (or all users) access to https for those sites you
> >allow.  Depending upon your business, the number of secure sites
> >probably isn't large.  Also, to address those running SSL on
> >non-standard ports, simply block all other services not allowed.
> >
> >Paul
> >
> 
> 

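The check described in the reply at the top of this thread, comparing the interface a packet arrived on with the route back to its claimed source address, as an added example that is not part of the original messages. The routing tables, interface names and addresses are constructed for illustration.

```python
import ipaddress

def make_routes(table):
    """Parse (prefix, interface) pairs into (ip_network, interface) pairs."""
    return [(ipaddress.ip_network(prefix), ifname) for prefix, ifname in table]

def best_route(routes, addr):
    """Longest-prefix match: interface used to reach addr, or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(net, ifname) for net, ifname in routes if ip in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def reverse_path_ok(routes, claimed_src, in_if):
    """True if the packet arrived on the interface the firewall would
    itself use to send traffic back to the claimed source address."""
    return best_route(routes, claimed_src) == in_if

# Constructed tables (assumed names and prefixes, not from the thread).
SINGLE_HOMED = make_routes([
    ("192.168.1.0/24", "lan"),
    ("0.0.0.0/0", "wan"),
])
MULTI_HOMED = make_routes([
    ("192.168.1.0/24", "lan"),
    ("198.51.100.0/24", "wan_b"),  # reachable only through the second uplink
    ("0.0.0.0/0", "wan_a"),
])

def verdicts(routes, packets):
    """Label each constructed (claimed_src, in_if) packet as pass or drop."""
    return [(src, in_if, "pass" if reverse_path_ok(routes, src, in_if) else "drop")
            for src, in_if in packets]

if __name__ == "__main__":
    # One uplink: any outside source matches the default route, so a forged
    # outside address passes; only an inside address arriving on wan is caught.
    for v in verdicts(SINGLE_HOMED, [("198.51.100.9", "wan"), ("192.168.1.50", "wan")]):
        print("single-homed", v)
    # Two uplinks: the same claimed source on the wrong uplink is now detectable.
    for v in verdicts(MULTI_HOMED, [("198.51.100.9", "wan_a"), ("198.51.100.9", "wan_b")]):
        print("multi-homed ", v)
```

A strict check like this also drops legitimate traffic when return paths are asymmetric, so multi-homed deployments often need exceptions.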