D-Link DFL-860-IPS-12 Product Manual - Page 238
Chapter 6. Security Mechanisms

6.1.2. IP Spoofing

Traffic that pretends to come from a trusted host can be sent by an attacker to try to get past a firewall's security mechanisms. Such an attack is commonly known as Spoofing. IP spoofing is one of the most common spoofing attacks. Trusted IP addresses are used to bypass filtering. The header of an IP packet indicating the source address of the packet is modified by the attacker to be a local host address. The firewall will believe the packet came from a trusted source. Although the packet source cannot be responded to correctly, there is the potential for unnecessary network congestion to be created, and a Denial of Service (DoS) condition could potentially occur. Even if the firewall is able to detect a DoS condition, it is hard to trace or stop because of its nature.

VPNs provide one means of avoiding spoofing, but where a VPN is not an appropriate solution, Access Rules can provide an anti-spoofing capability by providing an extra filter for source address verification. An Access Rule can verify that packets arriving at a given interface do not have a source address which is associated with a network of another interface. In other words:

• Any incoming traffic with a source IP address belonging to a local trusted host is NOT allowed.
• Any outgoing traffic with a source IP address belonging to an outside untrusted network is NOT allowed.

The first point prevents an outsider from using a local host's address as its source address. The second point prevents any local host from launching the spoof.

6.1.3. Access Rule Settings

The configuration of an access rule is similar to other types of rules. It contains Filtering Fields as well as the Action to take. If there is a match, the rule is triggered, and NetDefendOS will carry out the specified Action.
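An added example, not NetDefendOS code: a small Python model of the Access Rule evaluation described in 6.1.3 (Interface and Network filtering fields; Drop, Accept and Expect actions), with the two anti-spoofing checks from 6.1.2 written as an Expect rule followed by a Drop rule. The interface names lan/wan and the address objects lannet/all-nets are assumptions for the constructed topology.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address objects (assumption): lannet is the trusted inside
# network, all-nets covers every address and stands in for the outside.
ADDRESS_OBJECTS = {
    "lannet": ip_network("192.168.1.0/24"),
    "all-nets": ip_network("0.0.0.0/0"),
}


@dataclass
class AccessRule:
    interface: str  # interface the packet is expected to arrive on
    network: str    # address object the sender address should belong to
    action: str     # "Drop", "Accept" or "Expect"


def evaluate(rules, arriving_iface, src):
    """Return (verdict, rule_index) for the first rule that triggers.

    Verdict is "Accept" or "Drop"; ("NoMatch", None) means no access rule
    decided and the packet continues to the main rule set.
    """
    src = ip_address(src)
    for i, rule in enumerate(rules):
        in_net = src in ADDRESS_OBJECTS[rule.network]
        if rule.action == "Expect":
            # Expect triggers on the sender address alone; the receiving
            # interface then decides between Accept and Drop.
            if in_net:
                verdict = "Accept" if arriving_iface == rule.interface else "Drop"
                return (verdict, i)
            continue
        if in_net and arriving_iface == rule.interface:
            return (rule.action, i)
    return ("NoMatch", None)


# Order matters: the Expect rule settles all lannet sources first, so the
# Drop rule only sees outside source addresses arriving on the inside.
ANTI_SPOOF_RULES = [
    AccessRule("lan", "lannet", "Expect"),    # inside addresses must come in on lan
    AccessRule("lan", "all-nets", "Drop"),    # outside addresses must not come in on lan
]

if __name__ == "__main__":
    for iface, src in [("wan", "192.168.1.10"), ("lan", "192.168.1.10"),
                       ("lan", "198.51.100.7"), ("wan", "198.51.100.7")]:
        print(iface, src, evaluate(ANTI_SPOOF_RULES, iface, src))
```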
Access Rule Filtering Fields

The Access Rule filtering fields used to trigger a rule are:

• Interface: The interface that the packet arrives on.
• Network: The IP span that the sender address should belong to.

Access Rule Actions

The Access Rule actions that can be specified are:

• Drop: Discard the packets that match the defined fields.
• Accept: Accept the packets that match the defined fields for further inspection in the rule set.
• Expect: If the sender address of the packet matches the Network specified by this rule, the receiving interface is compared to the specified interface. If the interface matches, the packet is accepted in the same way as an Accept action. If the interfaces do not match, the packet is dropped in the same way as a Drop action.

Note: Enabling logging

Logging can be enabled as required for these actions.

Turning Off Default Access Rule Messages