User guide

Chapter 11: Protecting Your Network From Attacks
142 WatchGuard Firebox System
Logging options help you identify sites that exhibit suspicious behavior
such as spoofing. You can use the information gathered to manually and
permanently block an offending site. In addition, you can block ports (by
port number) to protect ports with known vulnerabilities from any
incoming traffic. For more information on log messages, see the following
collection of FAQs:
https://support.watchguard.com/advancedfaqs/log_main.asp
Default Packet Handling
The Firebox System examines and handles packets according to default
packet-handling options that you set. The firewall examines the source of
the packet and its intended destination by IP address and port number. It
also watches for patterns in successive packets that indicate unauthorized
attempts to access the network.
The default packet-handling configuration determines whether and how
the firewall handles incoming communications that appear to be attacks
on a network. Packet handling can:
Reject potentially threatening packets
Automatically block all communication from a source site
Add an event to the log
Send notification of potential security threats
Blocking spoofing attacks
One method that attackers use to gain access to your network involves
creating an electronic “false identity.” With this method, called “IP
spoofing,” the attacker creates a TCP/IP packet that uses someone else’s
IP address. Because routers use a packet’s destination address to forward
the packet toward its destination, the packet’s source address is not
validated until the packet reaches its destination. In conjunction with the
false identity, the attacker may route the packet so that it appears to
originate from a host that the targeted system trusts.
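As an added illustration (not code from the WatchGuard guide), the following Python model ties the default packet-handling actions listed above to the anti-spoofing check described here: a packet arriving on the external interface whose source address belongs to an internal network, or arriving on an internal interface with a source outside that interface's own network, is rejected, its source is added to the blocked-sites list, an event is logged, and a notification is queued. Blocked ports are rejected and logged without blocking the whole site. The interface names, networks, blocked-port set and sample packets are constructed values, not taken from any real configuration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed topology: which source networks legitimately appear on each interface.
# The external interface claims nothing; any other source there is assumed to be Internet.
INTERFACE_NETWORKS = {
    "trusted": [ipaddress.ip_network("10.0.0.0/24")],
    "optional": [ipaddress.ip_network("192.168.50.0/24")],
    "external": [],
}

# Constructed example of ports blocked by number for all incoming traffic.
BLOCKED_PORTS = {135, 139, 445}


@dataclass
class Packet:
    iface: str   # interface the packet arrived on
    src: str
    dst: str
    dport: int


@dataclass
class PacketHandler:
    blocked_sites: set = field(default_factory=set)
    log: list = field(default_factory=list)
    notifications: list = field(default_factory=list)

    def _internal_networks(self):
        return [net for iface, nets in INTERFACE_NETWORKS.items()
                if iface != "external" for net in nets]

    def is_spoofed(self, pkt: Packet) -> bool:
        """Anti-spoofing check: the source address must be plausible for the
        interface it arrived on."""
        src = ipaddress.ip_address(pkt.src)
        if pkt.iface == "external":
            # An Internet packet claiming an internal source address.
            return any(src in net for net in self._internal_networks())
        # An internal interface should only see its own network(s) as sources.
        return not any(src in net for net in INTERFACE_NETWORKS[pkt.iface])

    def handle(self, pkt: Packet) -> str:
        """Apply the default packet-handling actions; returns 'allow' or 'deny'."""
        if pkt.src in self.blocked_sites:
            self.log.append(f"deny blocked-site src={pkt.src} iface={pkt.iface}")
            return "deny"
        if self.is_spoofed(pkt):
            # Reject the packet, auto-block its source, log the event, notify.
            self.blocked_sites.add(pkt.src)
            self.log.append(f"deny spoofed src={pkt.src} iface={pkt.iface}")
            self.notifications.append(f"spoofing attempt from {pkt.src} on {pkt.iface}")
            return "deny"
        if pkt.iface == "external" and pkt.dport in BLOCKED_PORTS:
            # Blocked port: reject and log, but do not block the whole site.
            self.log.append(f"deny blocked-port src={pkt.src} dport={pkt.dport}")
            return "deny"
        return "allow"


# Constructed sample traffic for the demonstration.
SAMPLE_PACKETS = [
    Packet("external", "203.0.113.7", "10.0.0.5", 443),   # ordinary Internet client
    Packet("external", "10.0.0.9", "10.0.0.5", 22),       # spoofed internal source
    Packet("external", "10.0.0.9", "10.0.0.5", 80),       # same source, now blocked
    Packet("trusted", "10.0.0.20", "203.0.113.1", 80),    # legitimate internal host
    Packet("trusted", "192.168.50.3", "10.0.0.5", 80),    # wrong network for trusted
    Packet("external", "198.51.100.4", "10.0.0.5", 445),  # blocked port
]


def run_demo():
    """Run the sample traffic through a fresh handler; returns (verdicts, handler)."""
    handler = PacketHandler()
    verdicts = [handler.handle(p) for p in SAMPLE_PACKETS]
    return verdicts, handler


if __name__ == "__main__":
    verdicts, handler = run_demo()
    for pkt, verdict in zip(SAMPLE_PACKETS, verdicts):
        print(f"{verdict:5} {pkt.iface:8} {pkt.src:>14} -> {pkt.dst}:{pkt.dport}")
    print("blocked sites:", sorted(handler.blocked_sites))
    for line in handler.log:
        print("log:", line)
```

The order of checks matters: the blocked-sites lookup runs first so that a source already blocked is denied without re-running the spoofing logic, and a blocked-port hit deliberately does not add the source to the blocked-sites list, since a scan of a closed port is weaker evidence of hostility than a forged source address.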
If the destination system performs session authentication based on a
connection’s IP address, the destination system may allow the packet with
the spoofed address through your firewall. The destination system “sees”