All,

Below is one of my remote access rules:

#Block Inbound Reserved IP addresses (172.16.4.0)
Deny "EXTERNAL" ALL bcast log email
from 172.16.4.0/255.255.255.0 137 138 139
to "ANY_IP" 137 138 139

172.16.4.0 is our internal address scheme. I received this email
alarm (plus many more) from the GB:

ALARM NO: 1
DATE: Monday, Mar 13, 2000
TIME: 11:05:48
INTERFACE: EXT (xl0)
ALARM TYPE: Possible spoof
IP PACKET: UDP [172.16.4.235/137]-->[172.16.4.255/137] l=68
[172.16.4.235/137]-->[172.16.4.255/137]
DETAILED DESCRIPTION:
Return interface for IP packet is different than arrival.

Ok, here then are my questions:

1. Do I really need this RA rule? It is an inbound connection but
those are disallowed by default. However, when an IP Packet is
rejected, normally the 'DETAILED DESCRIPTION' says so. Spoofed
packets do not say they are rejected. Are they?

2. If I do need the rule, GBAdmin has a problem with the rule (its
icon turns red); it does not like the "Source Ports for Universal
Filters" I have placed on it. Have I written the rule wrong?

Thanks in advance...

Ed
______________________________
Edwin Covert, CISSP
Enterprise Security Consultant
Corporate Security Officer
Integrated Communication Solutions
http://www.icscorp.com
1-877-316-9659 (pager)