IP Spoofing, Access Rule Settings – Amer Networks E5Web GUI User Manual

and a Default Access Rule log message will be generated.
When troubleshooting dropped connections, the administrator should look for Default Access Rule
messages in the logs. The fix is to add a route on the interface where the connection arrives whose
destination network is the same as, or contains, the incoming connection's source IP, so that the
reverse lookup on the source address resolves to the arrival interface.
Custom Access Rules are Optional
For most configurations the Default Access Rule is sufficient and the administrator does not need
to explicitly specify other rules. The default rule can, for instance, protect against IP spoofing,
which is described in the next section. If Access Rules are explicitly specified, then the Default
Access Rule is still applied if a new connection does not match any of the custom Access Rules.
The recommendation is to initially configure cOS Core without any custom Access Rules and add
them if there is a requirement for stricter checking on new connections.
6.1.2. IP Spoofing
An attacker can send traffic that pretends to come from a trusted host in order to get past a
gateway's security mechanisms. Such an attack is commonly known as spoofing.
IP spoofing is one of the most common spoofing attacks. Trusted IP addresses are used to bypass
filtering: the attacker sets the source address field in the IP header to the address of a local host,
so the gateway believes the packet came from a trusted source. Although replies cannot be
returned to the forged source, the traffic can still cause unnecessary network congestion and
potentially a Denial of Service (DoS) condition. Even if the gateway is able to detect a DoS
condition, it is hard to trace or stop because the source addresses are forged.
VPNs provide one means of avoiding spoofing but where a VPN is not an appropriate solution
then Access Rules can provide an anti-spoofing capability by providing an extra filter for source
address verification. An Access Rule can verify that packets arriving at a given interface do not
have a source address which is associated with a network of another interface. In other words:
• Any incoming traffic with a source IP address belonging to a local trusted host is NOT allowed.
• Any outgoing traffic with a source IP address belonging to an outside untrusted network is NOT allowed.
The first point prevents an outsider from using a local host's address as its source address. The
second point prevents any local host from launching the spoof.
DoS attacks are discussed further in Section 6.6, “Denial-of-Service Attacks”.
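The reverse route lookup behind the Default Access Rule, the troubleshooting note at the top of this page and the two anti-spoofing points above can be modelled in a few lines. The following is an added example written for this page; it is not cOS Core code, and the interface names (lan, dmz, wan), the networks and the packets are constructed for illustration. It performs a longest-prefix route lookup on a new connection's source address and accepts the connection only if the matching route points at the interface the packet arrived on, which is what produces both anti-spoofing properties at once:

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    """One routing-table entry: packets for `network` leave via `interface`."""
    interface: str
    network: ipaddress.IPv4Network


def add_route(routes: Iterable[Route], interface: str, cidr: str) -> List[Route]:
    """Return a new table with an extra route (the troubleshooting fix)."""
    return list(routes) + [Route(interface, ipaddress.ip_network(cidr))]


def route_lookup(routes: Iterable[Route], ip: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route whose network contains ip."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Route] = None
    for route in routes:
        if addr in route.network and (
            best is None or route.network.prefixlen > best.network.prefixlen
        ):
            best = route
    return best


def default_access_rule(
    routes: Iterable[Route], arrival_interface: str, src_ip: str
) -> Tuple[str, str]:
    """Reverse route lookup on the source address of a new connection.

    Returns (verdict, reason). A 'drop' reason stands in for the Default
    Access Rule log message the manual describes.
    """
    route = route_lookup(routes, src_ip)
    if route is None:
        return "drop", f"no route contains source {src_ip} (Default Access Rule)"
    if route.interface != arrival_interface:
        return "drop", (
            f"source {src_ip} belongs to {route.interface} ({route.network}) "
            f"but arrived on {arrival_interface} (Default Access Rule)"
        )
    return "accept", f"source {src_ip} arrived on its own interface {arrival_interface}"


# Constructed example table: trusted 'lan' and 'dmz' networks, deliberately
# with no route on 'wan' yet so the troubleshooting case can be shown.
ROUTES: List[Route] = [
    Route("lan", ipaddress.ip_network("192.168.1.0/24")),
    Route("dmz", ipaddress.ip_network("10.0.0.0/24")),
]


if __name__ == "__main__":
    # 1. Outsider forging a lan address: dropped (first anti-spoofing point).
    print(default_access_rule(ROUTES, "wan", "192.168.1.10"))
    # 2. Legitimate lan host: accepted.
    print(default_access_rule(ROUTES, "lan", "192.168.1.10"))
    # 3. Genuine Internet client, but no route covers it: dropped. This is the
    #    "dropped connections" symptom from the troubleshooting note.
    print(default_access_rule(ROUTES, "wan", "203.0.113.5"))
    # 4. The fix: a route on wan whose network contains the source (here a
    #    default route). The same client is now accepted ...
    fixed = add_route(ROUTES, "wan", "0.0.0.0/0")
    print(default_access_rule(fixed, "wan", "203.0.113.5"))
    # ... a lan host forging an outside address is still dropped (second
    #     anti-spoofing point) ...
    print(default_access_rule(fixed, "lan", "203.0.113.5"))
    # ... and longest-prefix match keeps lan addresses tied to lan even
    #     though 0.0.0.0/0 also contains them.
    print(default_access_rule(fixed, "wan", "192.168.1.10"))
```

The default route is the detail worth noticing: once 0.0.0.0/0 points at wan, every address not covered by a more specific route is treated as "belonging to wan", so the longest-prefix rule is what keeps 192.168.1.0/24 bound to lan rather than being swallowed by the default route.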
6.1.3. Access Rule Settings
The configuration of an access rule is similar to other types of rules. It contains Filtering Fields as
well as the Action to take. If there is a match, the rule is triggered, and cOS Core will carry out the
specified Action.
Access Rule Filtering Fields
The Access Rule filtering fields used to trigger a rule are:
• Interface: The interface that the packet arrives on.
Chapter 6: Security Mechanisms