Question related to anti-spoofing feature on PIX

ytwong
Level 1

1) Is there any anti-spoofing feature on the PIX firewall?

2) If implemented, how is it implemented? Is it implemented by default? And how do you control the anti-spoofing rules?

3) If implemented, is it implemented at layer 1 or layer 2, or only at layer 3 (i.e. RPF, CBAC and access-lists)?

Accepted Solution

scoclayton
Level 7

Hi, let me give these a shot:

1) The only anti-spoofing that the PIX provides short of configuring access-lists to block the RFC 1812 addresses, inside addresses, bogon networks, etc. is configuring unicast reverse-path. Take a look here:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#1053009

2) RPF is not implemented by default. You need to configure this if wanted.

3) Layer 3 only.

Hope this helps.

Scott


3 Replies

I installed swatch for my PIX logs and started noticing about 20 of these types of messages per day:

Dec 5 08:36:55 pix.xxx.xxx.xxxx.us Dec 05 2003 08:36:55: %PIX-2-106016: Deny IP spoof from (0.174.158.235) to 204.xx.xx.xx on interface outside

Does anybody have any idea what these are?

From PIX Syslog Messages:

+++++++++++

Error Message %PIX-2-106016: Deny IP spoof from (IP_address) to IP_address on interface interface_name.

Explanation This message is logged when the firewall discards a packet with an invalid source address. Invalid source addresses are those addresses belonging to the following:

Loopback network (127.0.0.0)

Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)

The destination host (land.c)

Furthermore, if the sysopt connection enforcesubnet command is enabled, PIX Firewall discards packets with a source address belonging to the destination subnet from traversing the firewall and logs this message.

To further enhance spoof packet detection, use the conduit command to configure the firewall to discard packets with source addresses belonging to the internal network.

Recommended Action Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.
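As an added example (not part of this thread or of Cisco's documentation) that ties the swatch observation above to the message reference quoted in this reply: the script below parses %PIX-2-106016 lines like the one posted, tags each source address with the category the explanation lists (loopback, broadcast, land, destination subnet, inside network), and counts denies per day so a spike stands out. It goes slightly beyond the quoted text in two ways: it also recognises the %PIX-1-106021 reverse-path-check deny that uRPF produces once `ip verify reverse-path` is configured, and it adds a "this-network" tag for 0.0.0.0/8 sources such as the 0.174.158.235 in the posted sample, which the doc's list does not cover. The protected subnet, the inside networks and the log lines are constructed assumptions for the example.

```python
"""Triage PIX anti-spoof denies (%PIX-2-106016) and uRPF denies (%PIX-1-106021).

Example code written for this thread, not Cisco's. Message formats follow the
PIX syslog reference quoted above; the sample log below is constructed.
"""
import ipaddress
import re
from collections import Counter

# Assumed topology (not from the thread): the outside interface fronts this
# public subnet, and these RFC 1918 blocks sit behind the PIX.
PROTECTED_SUBNET = ipaddress.ip_network("203.0.113.0/24")
INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
               ipaddress.ip_network("192.168.0.0/16")]

# One pattern for both message IDs: 106016 wraps the source in parentheses,
# 106021 names the protocol and says "reverse path check".
MSG_RE = re.compile(
    r"%PIX-\d-(?P<msgid>106016|106021): Deny "
    r"(?:IP spoof from \((?P<src_spoof>[\d.]+)\)"
    r"|(?P<proto>\S+) reverse path check from (?P<src_rpf>[\d.]+))"
    r" to (?P<dst>[\d.]+) on interface (?P<iface>\S+)"
)


def classify_source(src, dst):
    """Explain why the PIX treated src as invalid, in the order the 106016 text lists."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in ipaddress.ip_network("127.0.0.0/8"):
        return "loopback"
    if s == ipaddress.ip_address("255.255.255.255"):
        return "limited-broadcast"
    if s == d:
        return "land"                      # source equals destination (land.c)
    if s == PROTECTED_SUBNET.broadcast_address:
        return "subnet-directed-broadcast"
    if s in PROTECTED_SUBNET:
        return "destination-subnet"        # the 'sysopt connection enforcesubnet' case
    if any(s in net for net in INSIDE_NETS):
        return "inside-network"            # what the conduit/ACL advice is meant to catch
    if s in ipaddress.ip_network("0.0.0.0/8"):
        return "this-network"              # added tag: 0/8 is never a valid remote source
    return "other"


def parse(line):
    """Parse one syslog line; return None for anything that is not a spoof/uRPF deny."""
    m = MSG_RE.search(line)
    if not m:
        return None
    toks = line.split()                    # relay prefix: "Dec 5 08:36:55 host ..."
    try:
        day = f"{toks[0]} {int(toks[1]):02d}"
    except (IndexError, ValueError):
        day = "unknown"
    src = m["src_spoof"] or m["src_rpf"]
    return {
        "day": day,
        "msgid": m["msgid"],
        "kind": "spoof" if m["msgid"] == "106016" else "rpf",
        "src": src, "dst": m["dst"], "iface": m["iface"],
        # For uRPF denies the tag is a best-effort hint; the PIX dropped the
        # packet because the route to src points out a different interface.
        "reason": classify_source(src, m["dst"]),
    }


def triage(text):
    """Return (events, denies per day, denies per reason) for a block of log text."""
    events = [e for e in (parse(l) for l in text.splitlines()) if e]
    per_day = Counter(e["day"] for e in events)
    per_reason = Counter(e["reason"] for e in events)
    return events, per_day, per_reason


# Constructed sample, modelled on the line posted above; the last line is an
# ordinary syslogd mark that the parser must ignore.
SAMPLE_LOG = """\
Dec 5 08:36:55 pix.example.net Dec 05 2003 08:36:55: %PIX-2-106016: Deny IP spoof from (0.174.158.235) to 203.0.113.10 on interface outside
Dec 5 09:12:03 pix.example.net Dec 05 2003 09:12:03: %PIX-2-106016: Deny IP spoof from (127.0.0.1) to 203.0.113.10 on interface outside
Dec 5 11:40:17 pix.example.net Dec 05 2003 11:40:17: %PIX-2-106016: Deny IP spoof from (203.0.113.10) to 203.0.113.10 on interface outside
Dec 6 02:05:44 pix.example.net Dec 06 2003 02:05:44: %PIX-2-106016: Deny IP spoof from (203.0.113.255) to 203.0.113.25 on interface outside
Dec 6 02:06:01 pix.example.net Dec 06 2003 02:06:01: %PIX-1-106021: Deny tcp reverse path check from 192.168.1.50 to 203.0.113.10 on interface outside
Dec 6 02:07:30 loghost -- MARK --
"""

if __name__ == "__main__":
    events, per_day, per_reason = triage(SAMPLE_LOG)
    for e in events:
        print(f'{e["day"]} {e["kind"]:5} {e["src"]:>16} -> {e["dst"]:<15} {e["reason"]}')
    print("per day:", dict(per_day))
    print("per reason:", dict(per_reason))
```

Point `triage()` at the file swatch is watching (or feed it from swatch's action) and compare `per_day` against the ~20/day baseline mentioned above; a jump in `land` or `inside-network` hits on the outside interface is the case the "Recommended Action" is talking about, while a steady trickle of `loopback` and `this-network` sources is usually broken clients or background scanning.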
