Troubleshooting guide
Advanced Technical Reference Guide 4.1 • June 2000
Chapter 6 Troubleshooting Anti-Spoofing
Introduction
Spoofing is a technique where an intruder attempts to gain unauthorized access by altering a packet's IP address to make it appear as though the packet originated in a part of the network with higher access privileges. VPN-1/FireWall-1 has a sophisticated anti-spoofing feature, which detects such packets by requiring that the interface on which a packet enters a gateway corresponds to its IP address.
Common Problems Resolution
This section lists some common problems and their solutions from the Check Point Technical Services SecureKnowledge knowledge base.
Meaning of log message: Rule 0 – spoof attempt
Rule Zero is the rule VPN-1/FireWall-1 adds before the rules in the Rule Base to implement Anti-Spoofing, dropping of packets with IP options, and some aspects of Authentication. Anti-Spoofing is implemented before any rules are applied, so anti-spoof track logging shows rule zero as the relevant rule.
Using virtual interfaces with anti-spoofing
VPN-1/FireWall-1 ignores the virtual interfaces feature of Solaris, so filtering and anti-spoofing are done on the physical interface.
If you want to use virtual interfaces with Anti-Spoofing, you need to define two network objects, one for each subnet, and then create a network group that combines them. You can then put the group in the physical interface's Anti-Spoofing entry, just as you would if another physical network were connected to the interface's network via a gateway.
See the SecureKnowledge Solution (ID: 3.0.698687.2304823) on the Check Point Technical Services site.
BOOTP and Anti-Spoofing
The bootp protocol consists of two simple UDP protocols: bootpc (from the booting client to the server that holds the boot image) on port 67, and bootps (the reverse direction) on port 68. Both are easy to define as UDP services in the GUI. The services normally use the broadcast address (255.255.255.255) as the client's address. Additional information is available in RFCs 951 and 1340.
In order to allow BOOTP, there are several things you need to take care of:
1. Find out which address bootp clients use (normally 255.255.255.255) and create a workstation network object with this IP.
2. Use this object as the source for the port 67 service and as the destination for the port 68 service.
3. Since bootp uses the IP broadcast address 255.255.255.255, you need to add it to the anti-spoofing group for the server's interface, so that IP packets destined to it are passed. Since the IP source address is often 0.0.0.0, you may also need that address in the anti-spoofing group for the client's interface (the device that attempts to boot). To do this, create a network object containing the address so that you can add it to the anti-spoofing group.
See the SecureKnowledge Solution (ID: 36.0.259529.2476199) on the Check Point Technical Services site.
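The interface check described in the introduction, the virtual-interface group from the previous problem, and the BOOTP addresses from step 3 above can be exercised together in one small model. The Python below is an added example written for this guide, not Check Point code: the interface names, networks, packets and the with_bootp helper are constructed, and the None entry standing for "any address not claimed by another interface" is this model's simplification of the external interface's entry. Ports do not enter the anti-spoofing check at all; when defining the two services, note that RFC 951 assigns UDP port 67 to the server side (bootps) and port 68 to the client side (bootpc).

```python
"""Model of VPN-1/FireWall-1 interface anti-spoofing (Rule 0).

Added example, not Check Point code. Each gateway interface has an
anti-spoofing entry listing the networks that legitimately sit behind it.
Rule 0 checks a packet's source against the entry of the interface it
enters on, and its destination against the entry of the interface it
leaves on, before the Rule Base is consulted.
"""
from ipaddress import ip_address, ip_network

# Constructed topology of a hypothetical three-interface Solaris gateway.
# None models the catch-all entry of the external interface: any address
# not claimed by another interface's entry. hme1 is one physical interface
# carrying two subnets on Solaris virtual interfaces, so its entry is a
# group that combines both networks, as the text above prescribes.
TOPOLOGY = {
    "hme0": None,
    "hme1": [ip_network("10.1.0.0/24"), ip_network("10.1.1.0/24")],
    "hme2": [ip_network("192.168.50.0/24")],
}

BOOTP_BROADCAST = ip_network("255.255.255.255/32")   # client's destination
BOOTP_UNSPECIFIED = ip_network("0.0.0.0/32")         # client's usual source


def address_allowed(addr, interface, topology):
    """True if addr falls inside the anti-spoofing entry of interface."""
    entry = topology[interface]
    if entry is None:
        claimed = [net for e in topology.values() if e is not None for net in e]
        return not any(addr in net for net in claimed)
    return any(addr in net for net in entry)


def rule_zero(packet, topology=TOPOLOGY):
    """Apply the anti-spoofing part of Rule 0 to one packet.

    packet: dict with in_if, out_if, src, dst (addresses as strings).
    Returns (action, rule, reason); "continue" means the packet passed
    Rule 0 and the ordinary Rule Base would now be evaluated.
    """
    src, dst = ip_address(packet["src"]), ip_address(packet["dst"])
    if not address_allowed(src, packet["in_if"], topology):
        return ("drop", 0, f"spoof attempt: src {src} not valid on {packet['in_if']}")
    if not address_allowed(dst, packet["out_if"], topology):
        return ("drop", 0, f"spoof attempt: dst {dst} not valid on {packet['out_if']}")
    return ("continue", None, "passed Rule 0")


def with_bootp(topology, server_if, client_if):
    """Copy of topology with the step-3 additions: 255.255.255.255 on the
    server's interface (destination check) and 0.0.0.0 on the client's
    interface (source check). Hypothetical helper; the original topology
    is left unchanged."""
    new = {k: (None if v is None else list(v)) for k, v in topology.items()}
    for name, extra in ((server_if, BOOTP_BROADCAST), (client_if, BOOTP_UNSPECIFIED)):
        if new[name] is None:
            raise ValueError(f"{name} uses the catch-all entry; define a specific group")
        if extra not in new[name]:
            new[name].append(extra)
    return new


if __name__ == "__main__":
    # Constructed packets: internal to external, an outside packet carrying an
    # internal source address, and a BOOTP request crossing the gateway.
    samples = [
        {"in_if": "hme1", "out_if": "hme0", "src": "10.1.1.7", "dst": "203.0.113.9"},
        {"in_if": "hme0", "out_if": "hme1", "src": "10.1.0.5", "dst": "10.1.0.9"},
        {"in_if": "hme1", "out_if": "hme2", "src": "0.0.0.0", "dst": "255.255.255.255"},
    ]
    for p in samples:
        print(p["in_if"], "->", p["out_if"], rule_zero(p))
    bootp_topology = with_bootp(TOPOLOGY, server_if="hme2", client_if="hme1")
    print("with BOOTP entries:", rule_zero(samples[2], bootp_topology))
```

Running the script prints one verdict per constructed packet: the internal-to-external packet continues to the Rule Base, the packet arriving on hme0 with an internal source address is dropped by Rule 0 (the "Rule 0 – spoof attempt" log entry explained above), and the BOOTP exchange is dropped until the two extra addresses are added to the groups, after which it continues.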