Chris,

If the packet is built correctly it looks no different than any other packet. There is no way to tell it is spoofed from the Internet side unless the packet is sent directly to the firewall with no router(s) in between. If all routers on the Internet would check for spoofed packets then the problem would not exist. There is no firewall that can detect such a packet (if built correctly).
The reason the GNAT Box system can detect spoofed packets on the protected or PSN networks is that it knows which IP addresses reside on those networks. If a packet shows up on the PSN or Protected network interfaces that isn't from a known network you'll get the spoof message and the packet will be dropped.

Sincerely,
Paul Emerson

>Paul,
>
>What about the fact they are spoofing the IP Header on the return
>packet? Shouldn't a good firewall be able to pick up on that and
>toss it out?
>
>Chris Green
>
>>This discussion touches on some issues that were discussed recently
>>with regard to AOL/AIM, etc. It is very difficult to block access if
>>workarounds have been created like masquerading as some other
>>service. The answer for blocking a masquerading service is to invest
>>in a system like "Packet Hound" which will inspect the content of
>>EVERY packet and drop those not authorized.
>>
>>The problem with something like SafeWeb and TriangleBoy is a bit more
>>difficult, but not unsolvable. My solutions are two:
>>
>>1. Put out a policy stating that circumventing the firewall using
>>services like SafeWeb and TriangleBoy is not acceptable. State
>>what the penalty is for violating this policy (termination?). If you
>>find someone violating the policy, impose the penalty; no questions
>>asked.
>>
>>2. You can also take the "allowed access approach" for potential
>>troublemakers. That is, only allow them access to those services and
>>sites that are required for their work. So, for example, you only
>>allow those users (or all users) access to https for those sites you
>>allow. Depending upon your business the number of secure sites
>>probably isn't large. Also, to address those running SSL on
>>non-standard ports, simply block all other services not allowed.
>>
>>Paul
>>

--
----------------------------------------------------------------------------
Paul Emerson                                 Tel: +1.407.380.0220 x1106
Global Technology Associates, Inc.           Fax: +1.407.380.6080
3505 Lake Lynda Drive                        Mobile: +1.407.310.8563
Suite 109                                    Email: [EMAIL PROTECTED]
Orlando, Florida 32817 USA                   Web: http://www.gta.com
                                             Mobile Email: [EMAIL PROTECTED]
----------------------------------------------------------------------------
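The interface-based anti-spoof check Paul describes above (drop a packet arriving on an inside-facing interface whose source is not from a network known to live behind that interface), as an added illustration that is not GNAT Box code or configuration; the interface names and address ranges are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed table (hypothetical addressing, not a real GNAT Box config):
# each inside-facing interface lists the networks known to reside behind it.
# The external interface deliberately has no entry: as the post explains,
# nothing can be assumed about source addresses arriving from the Internet.
KNOWN_NETWORKS: Dict[str, List[ipaddress.IPv4Network]] = {
    "protected": [ipaddress.ip_network("192.168.10.0/24"),
                  ipaddress.ip_network("192.168.11.0/24")],
    "psn":       [ipaddress.ip_network("10.20.0.0/24")],
}


def check_source(interface: str, src: str) -> Optional[str]:
    """Return None if the packet passes the anti-spoof check, otherwise the
    log message explaining why it is dropped."""
    networks = KNOWN_NETWORKS.get(interface)
    if networks is None:
        # Internet side: no known-network list, so no spoof check is possible.
        return None
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return f"spoof: unparsable source {src!r} on interface {interface}"
    if any(addr in net for net in networks):
        return None
    return f"spoof: src {src} on interface {interface} is not from a known network"


def filter_packets(packets: List[Tuple[str, str, str]]):
    """packets are (ingress_interface, src_ip, dst_ip) tuples; returns the
    accepted packets and the drop messages for the rest."""
    accepted, dropped = [], []
    for iface, src, dst in packets:
        msg = check_source(iface, src)
        if msg is None:
            accepted.append((iface, src, dst))
        else:
            dropped.append(msg)
    return accepted, dropped


if __name__ == "__main__":
    sample = [("protected", "192.168.10.5", "203.0.113.9"),   # legitimate host
              ("psn", "192.168.10.5", "203.0.113.9"),         # protected address on PSN
              ("protected", "203.0.113.9", "192.168.10.5"),   # outside address inside
              ("external", "192.168.10.5", "192.168.10.7")]   # not checked here
    for line in filter_packets(sample)[1]:
        print(line)
```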
