Anti Spoofing

Unanswered Question

I have an AIP-SSM-20 module that I am in the process of upgrading the system images and the signatures.

I was wondering if someone could guide me in the right direction on how to configure an anti-spoofing policy on the sensor.

If you have some sample configs that I could look at, or if you can explain to me how to do it through the GUI, I would really appreciate it.

Marcin Latosiewicz Fri, 07/02/2010 - 16:37

If you mean anti-IP spoofing, then it's typically applied on routing devices (firewalls, routers, L3 switches) and not on the firewall.

Unicast RPF is your friend on ASA.

Christopher Dreier Sun, 07/04/2010 - 14:46

Carlos,

It depends on what type of attack you are attempting to protect against. RPF will help you when a host spoofs an address on an interface where it should not live. For instance, if your internal network is 192.168.1.0/24 and a packet arrives on the outside of your firewall with a source address of 192.168.1.2, the appliance can drop the packet due to the information in its routing table. However, SYN floods from the Internet are a different matter. There is a mechanism on the IPS that can help you with this. Please see the document below for the SYN Cookie functionality of IPS Signature 3050/0.

https://supportforums.cisco.com/docs/DOC-11874

Thank you,
Blayne Dreier
Cisco TAC IDS Team

**Please check out our Podcast**
TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast
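The reverse-path check Blayne describes above (and the Unicast RPF Marcin points to) can be shown as a small simulation. This is an added example, not code from the original thread and not Cisco's implementation: it models a device routing table, does a longest-prefix lookup on the packet's source address, and applies strict uRPF, which accepts a packet only when the best route back to its source leaves through the interface the packet arrived on. The routing table, interface names and packets are constructed for the example; on an ASA the real feature is enabled per interface with `ip verify reverse-path interface outside`.

```python
import ipaddress

# Constructed routing table for the example: prefix -> egress interface.
# The default route is what a perimeter firewall normally has on "outside".
ROUTING_TABLE = {
    "192.168.1.0/24": "inside",
    "10.0.0.0/8": "dmz",
    "0.0.0.0/0": "outside",
}


def route_lookup(src_ip, table=ROUTING_TABLE):
    """Longest-prefix match: return the interface the device would use to reach src_ip."""
    ip = ipaddress.ip_address(src_ip)
    best_net, best_iface = None, None
    for prefix, iface in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def urpf_strict(ingress_iface, src_ip, table=ROUTING_TABLE):
    """Strict uRPF: pass only if the reverse path to src_ip is the ingress interface."""
    return route_lookup(src_ip, table) == ingress_iface


def filter_packets(packets, table=ROUTING_TABLE):
    """Apply strict uRPF to (ingress_iface, src_ip, dst_ip) tuples; return (packet, verdict) pairs."""
    return [(p, "pass" if urpf_strict(p[0], p[1], table) else "drop") for p in packets]


if __name__ == "__main__":
    # Constructed packets. The first one is the case from the post: an internal
    # address arriving on the outside interface, which strict uRPF drops.
    sample = [
        ("outside", "192.168.1.2", "203.0.113.10"),   # spoofed internal source -> drop
        ("inside", "192.168.1.2", "203.0.113.10"),    # legitimate internal host -> pass
        ("outside", "198.51.100.7", "203.0.113.10"),  # Internet source, default route -> pass
        ("dmz", "192.168.1.5", "203.0.113.10"),       # inside address from the DMZ -> drop
    ]
    for pkt, verdict in filter_packets(sample):
        print(f"{pkt[0]:8} src={pkt[1]:15} -> {verdict}")
```

Two things the simulation makes visible: with a default route on the outside interface, any source that is not covered by a more specific route passes the check, so uRPF on the perimeter stops spoofing of your own prefixes but not spoofing of arbitrary Internet addresses; and the check assumes symmetric routing, so on a device where return traffic can legitimately leave through a different interface, strict mode will drop valid packets and needs to be reviewed before being turned on.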
