
Applied Infrastructure

Anti-spoofing filters

I've been doing more consulting work and am surprised by the number of organizations that don't use anti-spoofing filters within their networks. An anti-spoofing filter is placed on the inbound side of the router interface that serves a user subnet and only allows packets through whose source address is within the address range of that subnet. The intent is to exclude packets that have invalid source addresses. Just make sure that the filter doesn't exclude the multicast and broadcast addresses and routing protocol updates that are needed for normal network operations.

I would want to log all denies in an anti-spoofing filter and send them to the security group.  The report would allow them to identify that a system has been compromised or misconfigured.  While it is more work to configure the anti-spoofing filters, they provide an additional level of visibility into what is happening in the network.

I think of anti-spoofing filters as the inverse of Netflow. Netflow tells you what traffic is being forwarded while an anti-spoofing filter tells you that certain traffic is not being forwarded. Modern security recommendations are "security in depth" and anti-spoofing filters are another valuable part of the security toolkit.

  -Terry

Comments


tslattery said:

Marty Schulman read my post and asked me when a broadcast address would be acceptable as a source address.  Well, never.  While writing, I transitioned from thinking of source addresses to destination addresses, which I attribute to a brain cramp (i.e. poor writing).  However, while conversing with Marty about it, I realized that you want to make sure that some important addresses are valid as source addresses.  For example, make sure that you don't filter out the address of 0.0.0.0 in DHCP requests.

 -Terry

May 26, 2009 9:58 AM
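As an added example that is not part of Terry's post or of NetMRI, the following Python models the ingress anti-spoofing filter described in the post and the 0.0.0.0 DHCP source raised in the comment above: a source must be a host address inside the interface's subnet (never the network or broadcast address), the DHCP client case is carved out, and every deny produces a log record for the security group. The subnet, the sample packets and the log format are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0

class AntiSpoofFilter:
    """Ingress anti-spoofing filter for one user subnet (hypothetical model):
    permit host sources inside the subnet and the DHCP client case
    (0.0.0.0 -> 255.255.255.255, UDP 68 -> 67); deny and log everything else."""

    def __init__(self, subnet: str):
        self.subnet = ipaddress.ip_network(subnet, strict=True)
        self.deny_log: list[str] = []

    def permit(self, pkt: Packet) -> bool:
        src = ipaddress.ip_address(pkt.src)
        # Network and directed-broadcast addresses are never valid sources.
        in_subnet = (src in self.subnet and src != self.subnet.network_address
                     and src != self.subnet.broadcast_address)
        # A host with no address yet sources DHCP from 0.0.0.0; keep that working.
        dhcp = (pkt.src == "0.0.0.0" and pkt.proto == "udp" and pkt.sport == 68
                and pkt.dport == 67 and pkt.dst == "255.255.255.255")
        if in_subnet or dhcp:
            return True
        self.deny_log.append(f"DENY in={self.subnet} src={pkt.src} dst={pkt.dst} "
                             f"proto={pkt.proto} sport={pkt.sport} dport={pkt.dport}")
        return False

def filter_packets(subnet: str, packets):
    """Run one interface's filter; return (permitted packets, deny log lines)."""
    f = AntiSpoofFilter(subnet)
    permitted = [p for p in packets if f.permit(p)]
    return permitted, f.deny_log

# Constructed sample traffic arriving on the 10.1.20.0/24 user interface.
SAMPLE = [
    Packet("10.1.20.15", "8.8.8.8", "tcp", 51000, 443),       # normal host traffic
    Packet("0.0.0.0", "255.255.255.255", "udp", 68, 67),     # DHCP discover
    Packet("10.1.20.15", "224.0.0.9", "udp", 520, 520),       # RIPv2 update to multicast
    Packet("192.168.99.7", "10.1.20.1", "tcp", 40000, 22),    # off-subnet source
    Packet("10.1.20.255", "10.1.20.1", "icmp"),               # broadcast as source
    Packet("0.0.0.0", "10.1.20.1", "tcp", 40001, 80),         # 0.0.0.0 but not DHCP
]
```

The three deny records are exactly the traffic a security group would want to see: an off-subnet source, the subnet broadcast used as a source, and 0.0.0.0 on something that is not a DHCP exchange.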

Terry's Blog said:

Just as good personal hygiene is a prime contributor to personal health, good network hygiene is a major

July 19, 2009 10:12 PM

About tslattery

Terry Slattery, CCIE #1026, is a senior network engineer with decades of experience in the internetworking industry. Prior to joining Chesapeake NetCraftsmen as a full time consultant, Terry was the founder and CTO of Netcordia, and inventor of NetMRI, a suite of network management products. Terry started Netcordia as a consulting company in 2000 and transitioned to a network management product company in 2003. During the consulting days, he used his network design and implementation skills to lead a team in the design and implementation of a high availability network at a brokerage clearing house. Terry is the former President and founder of Chesapeake Computer Consultants, Inc., a networking and computer systems training and consulting company. He co-invented and patented the vLab(tm) internet-based remote lab system. He is co-author of the McGraw Hill text Advanced IP Routing in Cisco Networks. Terry led the team that developed the current Cisco IOS user interface under contract to Cisco Systems. Terry is experienced in the design and installation of large TCP/IP based networks and is a successful network protocol instructor. He is the second Cisco Certified Internetworking Expert (CCIE) #1026 and the first outside of Cisco. He enjoys membership on the Vanderbilt University Engineering School’s Industrial Advisory Board and the IEEE.
