Friday, June 4, 2010

ACLs to mitigate spoofed IP addresses

ACL (COMMON) ENTRY FORMULA:
Permit/Deny [protocol] [sourceIP] [InvertedSourceMask] [DestinationIP] [InvertedDestMask] eq [optionalPort#]

Ok, here is a subject that I have been going back and forth on in a forum. First we will use some logic. You have private IP addresses that are non-routable on the internet (10.0.0.0, 192.168.0.0, 172.16.0.0, 127.0.0.0, etc.), so we conclude that these addresses should never be entering the outside of your firewall.

Just looking at that angle, we can then put some deny statements on our OUTSIDE inbound interface (traffic from the internet) to deny them before we permit traffic to our web servers.

deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
permit tcp any [webserverIP] eq 80
Remembering that ACLs are read sequentially from the top, we have just denied anyone who tried to spoof their source IP as a private address from accessing our web server, and allowed everyone else on the internet in on port 80. We can rely on the implicit deny at the end to block all traffic to any other ports on our webserver.


Now what if there is a user inside your network trying to spoof IP addresses? I would suggest having ACLs on each of your routers. If building A has a subnet of 172.16.45.0/24, then you can apply an ACL such as the following to make sure ONLY addresses from inside that subnet are allowed out. (You need to allow it to any, unless you want to specify every website your users are allowed to visit... unlikely.)

permit ip 172.16.45.0 0.0.0.255 any

Unless of course you have a proxy server, then you can really tighten your ACL with:

permit tcp 172.16.45.0 0.0.0.255 [webProxyIP] 0.0.0.0 eq 8080

This allows ONLY your subnet (no other spoofed IPs) to access ONLY your proxy server ONLY on port 8080.


Basically, you just need to draw out your network, and write ACLs to make sure only those addresses that you have provided (DHCP or STATIC) are allowed to be used as source addresses. Also remember that private IP addresses should NEVER be entering your network from your ISP.
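To make the top-down, first-match, implicit-deny behaviour concrete, here is a small Python evaluator for the kind of ACL entries used above (inverted/wildcard masks included). It is an added illustration, not the post's own code or any vendor's implementation; the web server address 203.0.113.10 and the test packets are constructed.

```python
# Added example: evaluate Cisco-style ACL entries of the form
# "permit/deny proto src wildcard dst wildcard [eq port]" against a packet.
# Illustrative code only; addresses are constructed documentation ranges.
import ipaddress

def _match(addr, network, wildcard):
    """Wildcard-mask match: a 0 bit in the mask means 'must match', a 1 bit means 'any'."""
    a = int(ipaddress.ip_address(addr))
    n = int(ipaddress.ip_address(network))
    w = int(ipaddress.ip_address(wildcard))
    return (a & ~w) == (n & ~w)

def _parse_addr(tokens):
    """Consume 'any' or 'network wildcard' from the token list."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ace(line):
    """Parse one access control entry into its fields."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, rest = _parse_addr(tokens[2:])
    dst, rest = _parse_addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

def evaluate(acl, proto, src, dst, dport):
    """Walk the ACL top-down; the first matching entry wins; no match hits the implicit deny."""
    for ace in (parse_ace(line) for line in acl):
        if ace["proto"] not in ("ip", proto):
            continue
        if not _match(src, *ace["src"]) or not _match(dst, *ace["dst"]):
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"]
    return "deny"  # implicit deny at the end of every ACL

# The outside-inbound ACL from the post, with a constructed web server address.
INBOUND_ACL = [
    "deny ip 10.0.0.0 0.255.255.255 any",
    "deny ip 172.16.0.0 0.15.255.255 any",
    "deny ip 192.168.0.0 0.0.255.255 any",
    "permit tcp any 203.0.113.10 0.0.0.0 eq 80",
]

if __name__ == "__main__":
    print(evaluate(INBOUND_ACL, "tcp", "192.168.1.5", "203.0.113.10", 80))   # spoofed private source
    print(evaluate(INBOUND_ACL, "tcp", "198.51.100.7", "203.0.113.10", 80))  # legitimate web client
    print(evaluate(INBOUND_ACL, "tcp", "198.51.100.7", "203.0.113.10", 22))  # falls to implicit deny
```

Swap in the building-A entry ("permit ip 172.16.45.0 0.0.0.255 any") as the ACL to check the egress case: only sources inside 172.16.45.0/24 are permitted, everything else is dropped by the implicit deny.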
