
Re: Blocking Spoofed Addresses

To: <ecovert_at_icscorp_dot_com>
Subject: Re: Blocking Spoofed Addresses
From: Paul Emerson <paul_at_gta_dot_com>
Date: Mon, 13 Mar 2000 13:04:40 -0500
Cc: gb-users_at_gta_dot_com

Ed,

1. You cannot specify port numbers without a protocol.

2. The implicit GNAT Box rule will block these packets, so no filter is required. However, the last system-generated DEFAULT Remote Access rule is in place to increment the Alarm count for rejected packets. So the trick is to put a filter (or filters) prior to the last Remote Access filter to block the packet, don't log it, don't send email and don't increment the Alarm count.

3. If you want to block this NetBIOS stuff without logging it or incrementing the alarm count, I suggest:

1. Deny ANY TCP bcast nolog
   from: 172.16.4.0/255.255.255.0
   to: ANY_IP 139

2. Deny ANY UDP bcast nolog
   from: 172.16.4.0/255.255.255.0
   to: ANY_IP 137 138


Paul



All,
Below is one of my remote access rules:
#Block Inbound Reserved IP addresses (172.16.4.0)
       Deny   "EXTERNAL" ALL  bcast log email
          from 172.16.4.0/255.255.255.0 137 138 139
            to "ANY_IP" 137 138 139

172.16.4.0 is our internal address scheme.  I received this email
alarm (plus many more) from the GB:

ALARM NO: 1
         DATE: Monday, Mar 13, 2000
         TIME: 11:05:48
    INTERFACE: EXT (xl0)
   ALARM TYPE: Possible spoof
    IP PACKET: UDP  [172.16.4.235/137]-->[172.16.4.255/137]  l=68
                    [172.16.4.235/137]-->[172.16.4.255/137]

DETAILED DESCRIPTION:
	Return interface for IP packet is different than arrival.

Ok, here then are my questions:
1.  Do I really need this RA rule?  It is an inbound connection but
those are disallowed by default.  However, when an IP Packet is
rejected, normally the 'DETAILED DESCRIPTION' says so.  Spoofed
packets do not say they are rejected.  Are they?
2.  If I do need the rule, GBAdmin has a problem with the rule (its
icon turns red); it does not like the "Source Ports for Universal
Filters" I have placed on it.  Have I written the rule wrong?

Thanks in advance...

Ed


______________________________
Edwin Covert, CISSP
Enterprise Security Consultant
Corporate Security Officer
Integrated Communication Solutions
http://www.icscorp.com
1-877-316-9659 (pager)



--
-------------------------------------------------------------------------
Paul Emerson                          Tel:    +1.407.380.0220 x106
Global Technology Associates, Inc.    Fax:    +1.407.380.6080
3505 Lake Lynda Drive                 Mobile: +1.407.310.8564
Suite 109                             Pager:  +1.888.440.8232
Orlando, Florida 32817                Email:  paul_at_gta_dot_com
USA                                   Web:    http://www.gta.com
Mobile Email: 407.310.8563_at_messaging.sprintpcs_dot_com
-------------------------------------------------------------------------
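An added illustration, not part of the thread or of GNAT Box's own tooling: a small Python checker that parses an alarm in the format Ed quoted, flags the two conditions discussed (an internal source address arriving on EXT, and NetBIOS traffic to the subnet broadcast address), and applies Paul's first point that port numbers require a specific protocol. The internal range 172.16.4.0/24 is the one from the thread; the sample alarm text is constructed.

```python
import ipaddress
import re

# Internal network from the thread: a packet arriving on the external interface
# with a source inside it is the "Possible spoof" condition the GB alarm reports.
INTERNAL_NET = ipaddress.ip_network("172.16.4.0/24")
NETBIOS_PORTS = {137, 138, 139}

# Constructed sample alarm, shaped like the one quoted in the thread.
SAMPLE_ALARM = """\
ALARM NO: 1
    INTERFACE: EXT (xl0)
   ALARM TYPE: Possible spoof
    IP PACKET: UDP  [172.16.4.235/137]-->[172.16.4.255/137]  l=68
"""

IFACE_RE = re.compile(r"INTERFACE:\s+(?P<iface>\w+)")
PACKET_RE = re.compile(
    r"IP PACKET:\s+(?P<proto>\w+)\s+\[(?P<src>[\d.]+)/(?P<sport>\d+)\]-->"
    r"\[(?P<dst>[\d.]+)/(?P<dport>\d+)\]"
)

def parse_alarm(text):
    """Pull interface, protocol, addresses and ports out of a GB alarm body."""
    iface, pkt = IFACE_RE.search(text), PACKET_RE.search(text)
    if not iface or not pkt:
        raise ValueError("unrecognised alarm format")
    return {
        "iface": iface.group("iface"),
        "proto": pkt.group("proto"),
        "src": ipaddress.ip_address(pkt.group("src")),
        "sport": int(pkt.group("sport")),
        "dst": ipaddress.ip_address(pkt.group("dst")),
        "dport": int(pkt.group("dport")),
    }

def classify(alarm):
    """Flag an internal source seen on EXT as spoofed, and NetBIOS traffic to the
    subnet broadcast address as the chatter Paul suggests dropping without logging."""
    spoofed = alarm["iface"] == "EXT" and alarm["src"] in INTERNAL_NET
    netbios_bcast = (alarm["dport"] in NETBIOS_PORTS
                     and alarm["dst"] == INTERNAL_NET.broadcast_address)
    return {"spoofed": spoofed, "netbios_broadcast": netbios_bcast}

def rule_is_valid(protocol, src_ports=(), dst_ports=()):
    """Paul's first point: port numbers need a specific protocol (TCP or UDP)."""
    return not (src_ports or dst_ports) or protocol.upper() in ("TCP", "UDP")
```

Running `classify(parse_alarm(SAMPLE_ALARM))` marks the quoted alarm as both spoofed and NetBIOS broadcast, and `rule_is_valid("ALL", src_ports=(137, 138, 139))` rejects Ed's rule for the same reason GBAdmin does.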


