Ingress and Egress Filtering to Protect Against IP Spoofing

Discussion in 'Cisco' started by sillz, Sep 19, 2007.

  1. sillz

    sillz Guest

    Hi there,

    I'm a relative Cisco newbie, and I have a new edge router in a network
    with the following characteristics:

    Cisco 6509 -- Flex-WAN module, 4 ports
    2 ISPs
    2 Multilinked T1s
    BGP enabled
    3 Private Network Segments

    I want to enable Ingress and Egress Filtering to protect against IP
    Spoofing.

    Let's say these are the addresses for my multilinked T1s:

    ISP1 - 55.55.55.254 255.255.255.252
    ISP2 - 66.66.66.254 255.255.255.252

    My Network Block looks like this:

    77.77.77.0 255.255.255.0

    My private segments look like this:

    10.1.0.0 /16
    10.2.0.0 /16
    10.3.0.0 /16

    I was wondering if someone could give me assistance with how to
    construct my ACLs based on my network information and help me make
    sure the syntax is correct.


    Your help would be appreciated.

    Regards,

    Beth
    Systems Admin
     
    sillz, Sep 19, 2007
    #1

  2. Trendkill

    Trendkill Guest

    On Sep 19, 12:09 pm, sillz <> wrote:
    > I want to enable Ingress and Egress Filtering to protect against IP
    > Spoofing.


    For IP spoofing, all you really need to do is put an 'in' filter for
    all private IP address ranges (192.168.0.0/16, 10.0.0.0/8,
    172.16.0.0/20, etc) as well as any external ranges that you do
    actually own. This prevents folks out on the internet from
    effectively spoofing their IP to make your router think that they are
    part of your internal network (although with a good firewall, this
    wouldn't be a problem). Just put it as an 'in' filter on the external
    interface (towards the internet).
     
    Trendkill, Sep 19, 2007
    #2

  3. sillz

    sillz Guest

    On Sep 19, 10:02 am, Trendkill <> wrote:
    > For IP spoofing, all you really need to do is put an 'in' filter for
    > all private IP address ranges (192.168.0.0/16, 10.0.0.0/8,
    > 172.16.0.0/20, etc) as well as any external ranges that you do
    > actually own. This prevents folks out on the internet from
    > effectively spoofing their IP to make your router think that they are
    > part of your internal network (although with a good firewall, this
    > wouldn't be a problem). Just put it as an 'in' filter on the external
    > interface (towards the internet).

    Thanks for your reply. Could you show me what this in filter would
    look like?

    I am required to do this in both directions because of an audit
    finding. I must do it for compliance.
     
    sillz, Sep 19, 2007
    #3
  4. Trendkill

    Trendkill Guest

    On Sep 19, 4:51 pm, sillz <> wrote:
    > Thanks for your reply. Could you show me what this in filter would
    > look like?
    >
    > I am required to do this in both directions because of an audit
    > finding. I must do it for compliance.


    access-list 101 remark anti-spoofing ingress filter, apply 'in' on the ISP-facing interfaces
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 remark 15.255.255.255 covers all of 224.0.0.0/4 (7.255.255.255 stops at 231.255.255.255)
    access-list 101 deny ip 224.0.0.0 15.255.255.255 any
    access-list 101 remark your own public block as source (77.77.77.0/24 in the example above)
    access-list 101 deny ip X.X.X.X X.X.X.X any
    access-list 101 permit ip any any

    Use the x.x.x.x one to add any public networks that you may own. If
    not, just delete it before pasting in.
     
    Trendkill, Sep 19, 2007
    #4
  5. Trendkill

    Trendkill Guest

    On Sep 19, 4:51 pm, sillz <> wrote:
    > Thanks for your reply. Could you show me what this in filter would
    > look like?
    >
    > I am required to do this in both directions because of an audit
    > finding. I must do it for compliance.

    May also want to add denies for ranges for broadcast (255.0.0.0
    0.255.255.255), loopbacks (127.0.0.1 255.255.255.255), default spoof
    (0.0.0.0 255.255.255.255), and any other ones you can think of
    (224.0.0.0 7.255.255.255). Hope this helps.
     
    Trendkill, Sep 19, 2007
    #5
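
    The following is an added worked example, not code from the thread or from either poster. It builds the ingress filter Trendkill describes in #2 and #4, the egress filter Beth needs for the "both directions" audit finding in #3, and the extra bogon ranges from #5, for the exact addressing in the original post, then checks sample source addresses against the result using Cisco wildcard-mask semantics. The ACL numbers (101/102/103), the Serial interface names, the loose-mode uRPF line and the bogon list are my assumptions. Two details differ from the prose above on purpose: 172.16.0.0/12 (wildcard 0.15.255.255) is the full RFC 1918 range, and 224.0.0.0 with wildcard 15.255.255.255 is the full multicast block.

```python
# Added example, not from the thread: generate the ingress and egress
# anti-spoofing ACLs for the addressing Beth posted and check them against
# sample source addresses using Cisco wildcard-mask semantics.
# Assumptions (mine, not the thread's): ACL numbers 101/102/103, the Serial
# interface names, the loose-mode uRPF line, and the bogon list.
import ipaddress

# Addressing as posted in the thread
PUBLIC_BLOCK = "77.77.77.0/24"
PRIVATE_SEGMENTS = ["10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"]
ISP_INTERFACES = ["Serial1/0", "Serial1/1"]   # assumed names for the two multilink T1s

# Sources that must never arrive from the Internet: RFC 1918 plus the classic
# bogons. Note the full ranges: 172.16.0.0/12 and 224.0.0.0/4.
BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
          "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4"]


def wildcard(cidr):
    """Cisco wildcard mask = inverted netmask: 0 bits must match, 1 bits are don't-care."""
    return str(ipaddress.ip_network(cidr).hostmask)


def src_rule(acl, action, cidr, suffix=""):
    net = ipaddress.ip_network(cidr)
    return f"access-list {acl} {action} ip {net.network_address} {wildcard(cidr)} any{suffix}"


def ingress_acl(acl=101):
    """'in' on the ISP interfaces: drop bogon sources and anything claiming to be us."""
    lines = [f"access-list {acl} remark anti-spoof ingress, apply in on ISP interfaces"]
    lines += [src_rule(acl, "deny", b) for b in BOGONS]
    lines.append(src_rule(acl, "deny", PUBLIC_BLOCK, " log"))
    lines.append(f"access-list {acl} permit ip any any")
    return lines


def egress_acl(acl=102):
    """'out' on the ISP interfaces: only our public block may leave (BCP 38).
    IOS does not apply outbound ACLs to router-originated packets, so BGP from
    the /30 link addresses is unaffected; if NAT runs on this box, outbound
    ACLs are evaluated after inside-to-outside translation."""
    return [f"access-list {acl} remark anti-spoof egress, apply out on ISP interfaces",
            src_rule(acl, "permit", PUBLIC_BLOCK),
            f"access-list {acl} deny ip any any log"]


def inside_acl(acl=103):
    """'in' on the three inside interfaces: catch spoofed sources closest to origin."""
    lines = [f"access-list {acl} remark anti-spoof, apply in on inside interfaces"]
    lines += [src_rule(acl, "permit", n) for n in PRIVATE_SEGMENTS + [PUBLIC_BLOCK]]
    lines.append(f"access-list {acl} deny ip any any log")
    return lines


def interface_config(ingress=101, egress=102):
    """Bind the ACLs. Loose-mode uRPF ('reachable-via any') is an extra check that
    survives asymmetric return paths across two ISPs; strict mode ('rx') would not."""
    out = []
    for ifname in ISP_INTERFACES:
        out += [f"interface {ifname}", f" ip access-group {ingress} in",
                f" ip access-group {egress} out",
                " ip verify unicast source reachable-via any"]
    return out


def _parse(line):
    """(action, network, wildcard) as ints for a source-only ACE; None for remarks."""
    p = line.split()
    if p[2] == "remark":
        return None
    if p[4] == "any":
        return p[2], 0, 0xFFFFFFFF
    return p[2], int(ipaddress.ip_address(p[4])), int(ipaddress.ip_address(p[5]))


def decide(acl_lines, src):
    """First-match evaluation on the source address, implicit deny at the end."""
    s = int(ipaddress.ip_address(src))
    for line in acl_lines:
        rule = _parse(line)
        if rule is None:
            continue
        action, net, wild = rule
        care = ~wild & 0xFFFFFFFF             # bits that must match
        if (s & care) == (net & care):
            return action
    return "deny"


def wildcard_covers(net, wild, probe):
    """Does a hand-typed (network, wildcard) pair match probe? Catches masks such as
    224.0.0.0 7.255.255.255, which only reaches 231.255.255.255."""
    return decide([f"access-list 1 permit ip {net} {wild} any"], probe) == "permit"


if __name__ == "__main__":
    print("\n".join(ingress_acl() + egress_acl() + inside_acl() + interface_config()))
    for ip in ("10.2.0.5", "77.77.77.10", "8.8.8.8"):
        print(f"{ip:>12}: from Internet {decide(ingress_acl(), ip)}, "
              f"to Internet {decide(egress_acl(), ip)}")
```

    Run it and paste the printed lines into the router; before that, run wildcard_covers against any mask you typed by hand, since a wildcard that is one bit short silently lets part of the range through. The "log" keyword on the deny lines is what gives the auditor evidence that the filter fires; watch CPU on the Flex-WAN path if a spoofed flood turns up, and drop it if logging becomes the bottleneck.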
  6. Trendkill

    Trendkill Guest

    On Sep 19, 5:12 pm, Trendkill <> wrote:
    > access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    > access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    > access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    > access-list 101 deny ip 224.0.0.0 15.255.255.255 any
    > access-list 101 deny ip X.X.X.X X.X.X.X any
    > access-list 101 permit ip any any

    Even better:

    http://ciscotips.wordpress.com/2006/06/04/anti-spoofing-rules-for-internet-routers/
     
    Trendkill, Sep 19, 2007
    #6