Ingress and Egress Filtering to Protect Against IP Spoofing

Discussion in 'Cisco' started by sillz, Sep 19, 2007.

  1. sillz

    sillz Guest

    Hi there,

    I'm a relative Cisco newbie, and I have a new edge router in a network
    with the following characteristics:

    Cisco 6509 -- Flex-WAN module, 4 ports
    2 ISP's
    2 Multilinked T1's
    BGP enabled
    3 Private Network Segments

    I want to enable Ingress and Egress Filtering to protect against IP
    Spoofing.

    Let's say these are the addresses for my multilinked T1's:

    ISP1 - 55.55.55.254 255.255.255.252
    ISP2 - 66.66.66.254 255.255.255.252

    My Network Block looks like this:

    77.77.77.0 255.255.255.0

    My private segments look like this:

    10.1.0.0 /16
    10.2.0.0 /16
    10.3.0.0 /16

    I was wondering if someone could give me assistance with how to
    construct my ACLs based on my network information and help me make
    sure the syntax is correct.


    Your help would be appreciated.

    Regards,

    Beth
    Systems Admin
     
    sillz, Sep 19, 2007
    #1

  2. Trendkill

    Trendkill Guest

    For IP spoofing, all you really need to do is put an 'in' filter for
    all private IP address ranges (192.168.0.0/16, 10.0.0.0/8,
    172.16.0.0/20, etc) as well as any external ranges that you do
    actually own. This prevents folks out on the internet from
    effectively spoofing their IP to make your router think that they are
    part of your internal network (although with a good firewall, this
    wouldn't be a problem). Just put it as an 'in' filter on the external
    interface (towards the internet).
     
    Trendkill, Sep 19, 2007
    #2

  3. sillz

    sillz Guest

    Thanks for your reply. Could you show me what this in filter would
    look like?

    I am required to do this in both directions because of an audit
    finding. I must do it for compliance.
     
    sillz, Sep 19, 2007
    #3
  4. Trendkill

    Trendkill Guest

    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 224.0.0.0 7.255.255.255 any
    access-list 101 deny ip X.X.X.X X.X.X.X any
    access-list 101 permit ip any any

    Use the x.x.x.x one to add any public networks that you may own. If
    not, just delete it before pasting in.
     
    Trendkill, Sep 19, 2007
    #4
  5. Trendkill

    Trendkill Guest

    May also want to add denies for ranges for broadcast (255.0.0.0
    0.255.255.255), loopbacks (127.0.0.1 255.255.255.255), default spoof
    (0.0.0.0 255.255.255.255), and any other ones you can think of
    (224.0.0.0 7.255.255.255). Hope this helps.
     
    Trendkill, Sep 19, 2007
    #5
  6. Trendkill

    Trendkill Guest

    Even better:

    http://ciscotips.wordpress.com/2006/06/04/anti-spoofing-rules-for-internet-routers/
     
    Trendkill, Sep 19, 2007
    #6
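Putting posts #4 and #5 together for the network described in the opening post, here is what a complete pair of ingress and egress ACLs could look like. This is an added example, not configuration from the thread or from the linked article; it assumes the two multilink T1 bundles are interfaces Multilink1 (ISP1) and Multilink2 (ISP2), and that traffic heading out to the ISPs has already been translated to a source in 77.77.77.0/24 by a firewall or NAT device inside.

```cisco
! Added example, not from the thread. Interface names and the
! "NAT happens inside" assumption are placeholders for this network.
!
! Ingress: applied INBOUND on the Internet-facing interfaces. Drop any
! packet whose source address could never legitimately arrive from the
! Internet. Wildcard masks are the inverse of the subnet mask.
ip access-list extended ANTISPOOF-IN
 remark RFC 1918 private space
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark loopback, "this network", link-local
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 remark multicast 224.0.0.0/4 and reserved 240.0.0.0/4 (covers 255.255.255.255)
 deny   ip 224.0.0.0 15.255.255.255 any
 deny   ip 240.0.0.0 15.255.255.255 any
 remark our own public block must never show up as a source from outside
 deny   ip 77.77.77.0 0.0.0.255 any log
 permit ip any any
!
! Egress: applied OUTBOUND on the same interfaces. Only our public
! block may leave; anything else (e.g. an un-NATed 10.x host, or a
! compromised machine spoofing a third party) is dropped and logged.
ip access-list extended ANTISPOOF-OUT
 permit ip 77.77.77.0 0.0.0.255 any
 deny   ip any any log
!
interface Multilink1
 description ISP1 link (55.55.55.254/30)
 ip access-group ANTISPOOF-IN in
 ip access-group ANTISPOOF-OUT out
!
interface Multilink2
 description ISP2 link (66.66.66.254/30)
 ip access-group ANTISPOOF-IN in
 ip access-group ANTISPOOF-OUT out
```

The outbound ACL does not affect packets the router itself originates, so the BGP sessions sourced from 55.55.55.254 and 66.66.66.254 are unaffected; confirm with "show ip access-lists" that the deny counters stay at zero for legitimate traffic before trusting the filters in production.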