Prevent network spoofing: Policies and ACLs


Michael Gregg
04.17.2006


If you're not worried about network spoofing, you should be. It can be used by attackers to target networks in a variety of ways. Network spoofing occurs when the attacker forges the source IP address in the IP header, so that replies (and blame) go to someone else. Classic examples of spoofing include the Smurf attack and the SYN flood. A Smurf attack sends ping (ICMP echo request) packets whose forged source address is the victim's to a network's broadcast address; every host that answers the broadcast replies to the victim, so a single packet is amplified many times over. A SYN flood sends a large number of TCP packets with the SYN flag set and forged source addresses; the target allocates a half-open connection for each and sends SYN-ACKs to addresses that never answer, until its connection table fills. Both attacks are designed to cause a denial of service (DoS).

Spoofing is possible because TCP/IP was designed for a much more trusting world: nothing in IP itself verifies that the source address in a packet belongs to the host that sent it. The Internet is much like the neighborhoods and cities in which we live. There is probably an abundance of good neighbors, but most likely there are a few bad apples. Spoofing is an easy attack for someone with less-than-honorable intentions. Historically, many hackers viewed DoS as an attack of last resort. Although most spoofing attacks don't allow an attacker to gain system access, they are effective at blocking access for legitimate users. More recently, the threat of DoS attacks has been used to extort money from organizations. In one such example from January 2006, a British site was blackmailed for $50,000, and when it didn't pay, the site was attacked.

If you're ready to put a stop to spoofing, start by taking a look at your firewall security policy. Most of you are probably like me and prefer the in-the-trenches, hands-on work, but policy plays an important role. The firewall policy should be the starting point for dictating what will be filtered and what type of connectivity will be allowed. Settle this before ad hoc decisions are made that may be difficult to defend and could eventually complicate firewall administration.

Basically, policy should drive the security initiative of the organization. Once policies have been developed that prohibit spoofing, implementation will be much easier. For discussions and some examples of firewall policy documents, see:

Protection against spoofing requires that you perform some basic sanity checks. Sanity checks are quick inspections of the source and destination IP addresses as traffic ingresses and egresses your network at key choke points; this is the practice codified as network ingress filtering in BCP 38 (RFC 2827). Here is an example: Let's say you're Cornell University and you own the 128.253.0.0/16 network range. This means that you should never receive a packet from the Internet whose source address is in 128.253.0.0/16. Any such packet should be dropped silently; there's no reason even to respond with an ICMP message, as the address is obviously forged and the reply would only go to whoever the attacker is impersonating. Packets with source addresses in the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, allocated for private internets) should also be dropped at the border, since they cannot be legitimate Internet sources.

Let's now consider traffic leaving the 128.253.0.0/16 network. These packets should have their source address examined to verify that it really belongs to 128.253.0.0/16. Any other source address in a packet leaving the network is invalid and is most likely an attempt by one of the many viruses, worms or DoS tools in the wild to spoof someone else's address (or, less dramatically, a misconfigured host or NAT, which you also want to know about). Your border routers can halt this traffic with a basic access control list (ACL) applied outbound on the Internet-facing interface, as demonstrated here using our sample range of 128.253.0.0/16 (the wildcard mask 0.0.255.255 is the inverse of the /16 subnet mask):

ip access-list extended EGRESS
 permit ip 128.253.0.0 0.0.255.255 any
 deny ip any any log

Some of you may be thinking, "Is this it?" Actually, it is; this simple ACL allows only packets with properly addressed sources to leave the network and drops and logs all others. If you hold more than one address block, add one permit line per block before the final deny. Two practical notes: the log keyword is what makes the list useful, because the logged entries tell you which internal host is spoofing and needs cleaning up, but logged denies are handled by the router's CPU, so watch the CPU load if a worm outbreak produces a flood of them; and the matching ingress list, which denies your own range and the RFC 1918 ranges as sources, belongs inbound on the same Internet-facing interface. Implementing a simple ingress and egress ACL makes your network much more secure against network spoofing and is easy to do. The best time to react to network spoofing is before it happens. I hope each of you takes a few minutes to consider these changes and help stop spoofing before it ever happens.
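The ingress and egress sanity checks described above, as an added example in Python that is not part of the original article: it models both checks over a handful of constructed packets and renders the same policy as Cisco IOS named extended ACLs. The prefix 128.253.0.0/16 is the article's; the sample packets, the reserved ranges listed beyond RFC 1918, the stub-network assumption (the site originates and terminates traffic but carries no transit) and the ACL names INGRESS and EGRESS are assumptions of the example.

```python
"""Ingress/egress anti-spoofing sanity checks, modelled in Python.

Added example, not code from the article. It uses the article's sample
prefix 128.253.0.0/16; the packets and ACL names below are constructed
for the demonstration, and the site is assumed to be a stub network.
"""
import ipaddress
from typing import List, Tuple

IPNet = ipaddress.IPv4Network

# Address space the organisation owns (the article's example). Add one
# entry per allocation if you hold several.
OWNED: List[IPNet] = [ipaddress.ip_network("128.253.0.0/16")]

# Sources that can never legitimately arrive from the Internet. RFC 1918
# is the set the article names; the rest are the usual additions
# (assumed here, not taken from the article).
NEVER_FROM_INTERNET: List[IPNet] = [
    ipaddress.ip_network("10.0.0.0/8"),        # RFC 1918
    ipaddress.ip_network("172.16.0.0/12"),     # RFC 1918
    ipaddress.ip_network("192.168.0.0/16"),    # RFC 1918
    ipaddress.ip_network("0.0.0.0/8"),         # "this" network
    ipaddress.ip_network("127.0.0.0/8"),       # loopback
    ipaddress.ip_network("169.254.0.0/16"),    # link-local
    ipaddress.ip_network("224.0.0.0/3"),       # multicast, reserved, 255.255.255.255
]

Verdict = Tuple[bool, str]  # (permitted?, reason)


def _in_any(addr: ipaddress.IPv4Address, nets: List[IPNet]) -> bool:
    return any(addr in n for n in nets)


def ingress_verdict(src: str, dst: str) -> Verdict:
    """Sanity-check a packet arriving from the Internet at the border."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if _in_any(s, OWNED):
        return False, "source claims to be inside our own range"
    if _in_any(s, NEVER_FROM_INTERNET):
        return False, "source is private/reserved (RFC 1918, loopback, ...)"
    if not _in_any(d, OWNED):
        return False, "destination is not ours (stub network, no transit)"
    return True, "permit"


def egress_verdict(src: str, dst: str) -> Verdict:
    """Sanity-check a packet leaving our network for the Internet."""
    s = ipaddress.ip_address(src)
    if not _in_any(s, OWNED):
        return False, "source is not ours: spoofed, drop and log"
    return True, "permit"


def ios_acls() -> str:
    """Render the same policy as Cisco IOS named extended ACLs.

    IOS uses a wildcard mask (the inverse of the subnet mask), which is
    exactly ipaddress's hostmask: 128.253.0.0/16 -> 0.0.255.255.
    """
    lines = ["ip access-list extended INGRESS"]
    for n in OWNED + NEVER_FROM_INTERNET:
        lines.append(f" deny ip {n.network_address} {n.hostmask} any")
    for n in OWNED:
        lines.append(f" permit ip any {n.network_address} {n.hostmask}")
    lines.append(" deny ip any any")
    lines.append("ip access-list extended EGRESS")
    for n in OWNED:
        lines.append(f" permit ip {n.network_address} {n.hostmask} any")
    lines.append(" deny ip any any log")
    return "\n".join(lines)


# Constructed packets: (direction, src, dst). Not captured traffic.
SAMPLE_PACKETS = [
    ("in",  "198.51.100.7", "128.253.2.2"),   # ordinary Internet client
    ("in",  "128.253.1.1",  "128.253.2.2"),   # our own range from outside: forged
    ("in",  "10.1.2.3",     "128.253.2.2"),   # RFC 1918 source
    ("in",  "198.51.100.7", "203.0.113.9"),   # not addressed to us
    ("out", "128.253.10.5", "203.0.113.9"),   # legitimate outbound
    ("out", "192.0.2.44",   "203.0.113.9"),   # infected host spoofing someone else
]


def run_samples() -> List[Tuple[str, str, str, bool, str]]:
    """Run every sample packet through the check for its direction."""
    results = []
    for direction, src, dst in SAMPLE_PACKETS:
        check = ingress_verdict if direction == "in" else egress_verdict
        ok, why = check(src, dst)
        results.append((direction, src, dst, ok, why))
    return results


if __name__ == "__main__":
    for direction, src, dst, ok, why in run_samples():
        verdict = "PERMIT" if ok else "DROP  "
        print(f"{direction:3} {src:>14} -> {dst:<14} {verdict} {why}")
    print(ios_acls())
```

Apply the generated lists on the Internet-facing interface with `ip access-group INGRESS in` and `ip access-group EGRESS out`. On IOS the egress check can also be enforced without a static list by strict unicast reverse path forwarding (`ip verify unicast source reachable-via rx`), and `no ip directed-broadcast` on every interface removes the amplifier that Smurf relies on; both are IOS features mentioned here as additions, not something the article covers.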

About the author:
Michael Gregg has more than 15 years of experience in IT. Michael is the President of Superior Solutions, Inc., a Houston-based training and consulting firm. He is an expert on networking, security and Internet technologies. He holds two associates degrees, a bachelor's degree and a master's degree. He presently maintains the following certifications: MCSE, MCT, CTT, A+, N+, CNA, CCNA, CIW Security Analyst and TICSA.

All Rights Reserved, Copyright 2000 - 2009, TechTarget | Read our Privacy Policy