Prevent network spoofing: Policies and ACLs

Spoofing has been able to become a problem because TCP/IP was designed for a much more trusting world. The Internet is much like the neighborhoods and cities in which we live. There is probably an abundance of good neighbors, but most likely there are a few bad apples. Spoofing is an easy attack for someone who has less-than-honorable intentions. Historically, many hackers viewed DoS as an attack of last resort. Although most spoofing attacks don't allow an attacker to gain system access, they are effective at blocking access for legitimate users. More recently, the threat of DoS attacks has been used to extort money from organizations. In one such example from January 2006, a British site was blackmailed for $50,000, and when they didn't pay, the site was attacked.

If you're ready to put a stop to spoofing, you will want to start by taking a look at your firewall security policy. Most of you are probably like me and prefer the in-the-trenches, hands-on work. Policy does play an important role, however. The firewall policy should be the starting point for dictating what will be filtered and what type of connectivity will be allowed. This should be considered before ad hoc decisions are made that may be difficult to defend and could even eventually complicate firewall administration.

Basically, policy should drive the security initiative of the organization. Once policies have been developed that prohibit spoofing, implementation will be much easier. For discussions and some examples of firewall policy documents, see:

• Special Publication 800-41 Guidelines on Firewalls and Firewall Policy Recommendations: A NIST document describing firewall guidelines and policies.
• Configure firewall packet filtering: How to design anti-spoofing rules and put them at the top of each rule set.
• Firewall + Firewall Policy = Improved Security: An article by Etienne Greeff from Help Net Security.

Protection against spoofing requires that you perform some basic sanity checks. Sanity checks are just quick inspections of source and destination IP addresses as traffic ingresses and egresses your network at key choke points. Here is an example: Let's say you're Cornell University and you own the 128.253.0.0 network range. This means that you should never receive a packet from the Internet that has a source address from the 128.253.0.0 network. Any packets received from that network should be dropped; there's no reason even to respond with an ICMP message as it's obviously a forged address. Packets specified in RFC 1918, addresses allocated for private internets, should also be dropped.

Let's now consider traffic leaving the 128.253.0.0 network. These packets should have the source address examined to verify that they are truly from the 128.253.0.0 network. Any other source address found in a packet leaving the network is invalid and is most likely an attempt by one of the many viruses, worms, or DoS tools that are in the wild to spoof someone else's network address. Your border routers can be used to halt this traffic just by implementing a basic access control list (ACL), as demonstrated here using our sample address of 128.253.0.0:

Access-list Egress Permit 128.253.0.0 0.0.255.255 Any
Access-list Egress Deny IP Any Any Log

Some of you may be thinking, "Is this it?" Actually, it is; this simple ACL allows only properly addressed source packets to leave the network and logs all others. Implementing a simple ingress and egress ACL can make your network much more secure against network spoofing and is actually easy to implement. The best time to react to network spoofing is before it happens. I hope each of you takes a few minutes to consider these changes and help stop spoofing before it ever happens.

About the author:
Michael Gregg has more than 15 years of experience in IT. Michael is the President of Superior Solutions, Inc., a Houston-based training and consulting firm. He is an expert on networking, security and Internet technologies. He holds two associates degrees, a bachelor's degree and a master's degree. He presently maintains the following certifications: MCSE, MCT, CTT, A+, N+, CNA, CCNA, CIW Security Analyst and TICSA.

Rate this Tip To rate tips, you must be a member of SearchNetworking.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network Security Shifting defenses and dynamic perimeters challenge network security Compliance in a virtualized world: Server virtualization and NAC security Securing the new network architecture: Security for distributed, dynamic networks How to configure Windows Server 2008 advanced firewall MMC snap-in Security across network boundaries with Secure Mobile Architecture USB storage devices: Two ways to stop the threat to network security Network security: Using unified threat management (UTM) Network security: Empower users without endangering IT Network analysis -- Enhancing security assessments VPN security: Hiding in plain sight, using network encryption Network Security Monitoring Networking data visualization not just for pointy-headed bosses Visual Security Analysis -- 'Applied Security Visualization,' Chapter 5 SIEM platform secures university's open network Network forensics appliance gets storage boost and 10 GbE support Tracking NetFlow over MPLS helps airline with compliance Securing the new network architecture: Security for distributed, dynamic networks When it comes to data loss prevention, networking should be part of the conversation What is data loss prevention? -- An introduction to DLP What are the best methods for handling rogue access points? Internet monitoring vendor adds throttling, filtering, to its appliance Network Monitoring Measure wireless network performance using testing tool iPerf Why wireless network cards show activity when no one uses the computer WildPackets' packet analysis tool helps newspaper fix network problems Networking data visualization not just for pointy-headed bosses What network security threat does a QM FSM error pose in IPsec VPNs? Juniper updates Network and Security Manager to manage full portfolio Network management software vendors readying IPv6 DNS management becoming critical to businesses but poorly understood SolarWinds adds enterprise scalability to its network monitoring tool Network forensics appliance gets storage boost and 10 GbE support Network Monitoring Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary deep packet inspection (DPI)  (SearchNetworking.com) FCAPS  (SearchNetworking.com) Nessus  (SearchNetworking.com) netstat  (SearchNetworking.com) port mirroring  (SearchNetworking.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.