Security Basics mailing list archives

RE: Border Router Question - Ingress Filtering


From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 13 Nov 2003 09:47:15 -0800

  These rules are only filtering on the destination -- and
traffic that isn't destined for your public address space
shouldn't be delivered by your provider.
  The spoofing deny rules filter on *source*.  You can't
establish a TCP handshake if you can't route packets back to
the session originator, but they can still mount a SYN flood
(or various ICMP/UDP attacks).  And traffic shouldn't be
showing up on your doorstep with an origin address that claims
it's from inside your network....

David Gillett


-----Original Message-----
From: erisk [mailto:erisk () iinet net au]
Sent: November 11, 2003 23:12
To: security-basics () securityfocus com
Subject: Border Router Question - Ingress Filtering


Border routers ACL In rule

Acl in
permit tcp any host ***.***.***.**6
permit tcp any host ***.***.***.**5
permit tcp any host ***.***.***.**4
permit tcp any host ***.***.***.**3
deny ip any any log

The firewall then filters on a port level.

My question is if they are denying all IPs other than what is specified in
the list, is it necessary to then add the standard spoofing deny rules (i.e.
drop localhost, multicast, RFC1918 addresses etc.)? This will be taken care of
by the deny ip any any rule, would it not?
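
Added example, not part of either message: a small first-match ACL evaluator in Python illustrating the point made in the reply, that the destination-only list still permits packets with spoofed sources addressed to the four listed hosts. The 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed stand-ins for the masked hosts, and the anti-spoofing prefixes follow the categories named in the question (localhost, multicast, RFC1918) plus the site's own range.

```python
import ipaddress

# Constructed values: the page masks the real hosts, so 203.0.113.0/24
# (a documentation range) stands in for the site's public address space.
INSIDE = "203.0.113.0/24"
HOSTS = ["203.0.113.%d/32" % n for n in (6, 5, 4, 3)]

# Rule = (action, protocol, source prefix, destination prefix); "ip" = any protocol.
DEST_ONLY = [("permit", "tcp", "0.0.0.0/0", h) for h in HOSTS] + [
    ("deny", "ip", "0.0.0.0/0", "0.0.0.0/0")]

# Source-based anti-spoofing denies, placed before the permits (first match wins).
SPOOF_SOURCES = ["127.0.0.0/8", "224.0.0.0/4", "10.0.0.0/8",
                 "172.16.0.0/12", "192.168.0.0/16", INSIDE]
WITH_ANTISPOOF = [("deny", "ip", s, "0.0.0.0/0") for s in SPOOF_SOURCES] + DEST_ONLY


def evaluate(acl, proto, src, dst):
    """Return the action of the first matching rule, as a router ACL does."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rule_proto, rule_src, rule_dst in acl:
        if rule_proto not in ("ip", proto):
            continue
        if src in ipaddress.ip_network(rule_src) and dst in ipaddress.ip_network(rule_dst):
            return action
    return "deny"  # implicit deny at the end of every ACL


# Constructed inbound packets: (protocol, claimed source, destination).
PACKETS = [
    ("tcp", "198.51.100.7", "203.0.113.6"),   # ordinary Internet client
    ("tcp", "10.1.2.3", "203.0.113.6"),       # RFC1918 source
    ("tcp", "127.0.0.1", "203.0.113.5"),      # localhost source
    ("tcp", "203.0.113.4", "203.0.113.3"),    # claims to be from inside
    ("tcp", "198.51.100.7", "203.0.113.9"),   # host not in the permit list
]


def compare(packets=PACKETS):
    """Return (packet, verdict without anti-spoofing, verdict with) per packet."""
    return [(p, evaluate(DEST_ONLY, *p), evaluate(WITH_ANTISPOOF, *p)) for p in packets]


if __name__ == "__main__":
    for pkt, before, after in compare():
        print("%-4s %-15s -> %-13s dest-only=%-6s with-antispoof=%s" % (*pkt, before, after))
```
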

