IP Spoofing; Access Rule Settings - D-Link NetDefendOS User Manual

Network security firewall

incoming traffic is coming from a source that the routing tables indicate is accessible via the interface on which the traffic arrived. If this reverse lookup fails then the connection is dropped and a Default Access Rule log message will be generated.

When troubleshooting dropped connections, the administrator should look out for Default Access Rule messages in the logs. The solution to the problem is to create a route for the interface where the connection arrives so that the route's destination network is the same as or contains the incoming connection's source IP.

Custom Access Rules are Optional

For most configurations the Default Access Rule is sufficient and the administrator does not need to explicitly specify other rules. The default rule can, for instance, protect against IP spoofing, which is described in the next section. If Access Rules are explicitly specified, then the Default Access Rule is still applied if a new connection does not match any of the custom Access Rules. The recommendation is to initially configure NetDefendOS without any custom Access Rules and add them if there is a requirement for stricter checking on new connections.

6.1.2. IP Spoofing

Traffic that pretends it comes from a trusted host can be sent by an attacker to try to get past a firewall's security mechanisms. Such an attack is commonly known as Spoofing.

IP spoofing is one of the most common spoofing attacks. Trusted IP addresses are used to bypass filtering. The header of an IP packet indicating the source address of the packet is modified by the attacker to be a local host address. The firewall will believe the packet came from a trusted source. Although the packet source cannot be responded to correctly, there is the potential for unnecessary network congestion to be created and potentially a Denial of Service (DoS) condition could occur. Even if the firewall is able to detect a DoS condition, it is hard to trace or stop because of its nature.

VPNs provide one means of avoiding spoofing, but where a VPN is not an appropriate solution, Access Rules can provide an anti-spoofing capability by providing an extra filter for source address verification. An Access Rule can verify that packets arriving at a given interface do not have a source address which is associated with a network of another interface. In other words:

- Any incoming traffic with a source IP address belonging to a local trusted host is NOT allowed.
- Any outgoing traffic with a source IP address belonging to an outside untrusted network is NOT allowed.

The first point prevents an outsider from using a local host's address as its source address. The second point prevents any local host from launching the spoof.

DoS attacks are discussed further in Section 6.7, "Denial-of-Service Attacks".
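The following added example (not from the manual or from NetDefendOS itself) models both checks described above: the Default Access Rule's reverse route lookup, which drops a new connection whose source address is not routed via the arrival interface, and the two explicit anti-spoofing Access Rules, evaluated first with the Default Access Rule as the fallback. The routing table, the interface names lan and wan, and all addresses are constructed for the example.

```python
import ipaddress
from typing import NamedTuple, Optional

IPv4Net = ipaddress.IPv4Network


class Route(NamedTuple):
    network: IPv4Net
    interface: str


class AccessRule(NamedTuple):
    interface: str    # interface the new connection arrives on
    network: IPv4Net  # source addresses the rule matches
    action: str       # simplified to "Accept" or "Drop" for this example


# Constructed routing table for a two-interface firewall (addresses invented for this example).
ROUTES = [
    Route(IPv4Net("192.168.1.0/24"), "lan"),
    Route(IPv4Net("10.0.0.0/8"), "lan"),  # a second internal network, also behind lan
    Route(IPv4Net("0.0.0.0/0"), "wan"),   # default route towards the Internet
]

# Constructed anti-spoofing Access Rules implementing the two points from the text.
ACCESS_RULES = [
    AccessRule("wan", IPv4Net("192.168.1.0/24"), "Drop"),  # inbound claiming a local trusted source
    AccessRule("lan", IPv4Net("192.168.1.0/24"), "Accept"),
    AccessRule("lan", IPv4Net("10.0.0.0/8"), "Accept"),
    AccessRule("lan", IPv4Net("0.0.0.0/0"), "Drop"),  # outbound claiming an outside source
]


def route_lookup(addr: ipaddress.IPv4Address, routes=ROUTES) -> Optional[str]:
    """Longest-prefix match: the interface through which the routing table reaches addr."""
    matches = [r for r in routes if addr in r.network]
    return max(matches, key=lambda r: r.network.prefixlen).interface if matches else None


def default_access_rule(src: str, in_iface: str, routes=ROUTES):
    """Reverse lookup: accept only if the route back to src points at the arrival interface."""
    expected = route_lookup(ipaddress.ip_address(src), routes)
    if expected == in_iface:
        return "Accept", None
    return "Drop", f"Default Access Rule: src={src} arrived on {in_iface}, routed via {expected}"


def check_new_connection(src: str, in_iface: str, rules=ACCESS_RULES, routes=ROUTES):
    """Custom Access Rules are checked first; the Default Access Rule applies if none matches."""
    addr = ipaddress.ip_address(src)
    for number, rule in enumerate(rules, start=1):
        if rule.interface == in_iface and addr in rule.network:
            return rule.action, f"Access Rule {number}: {rule.action}"
    return default_access_rule(src, in_iface, routes)
```

A 10.0.0.0/8 source arriving on wan is not covered by any custom rule, so the Default Access Rule drops it and produces the log message the troubleshooting note above refers to; the fix described there is a route for that network on the arrival interface.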

6.1.3. Access Rule Settings

The configuration of an access rule is similar to other types of rules. It contains Filtering Fields as well as the Action to take. If there is a match, the rule is triggered, and NetDefendOS will carry out the specified Action.

Access Rule Filtering Fields

The Access Rule filtering fields used to trigger a rule are:
422
Chapter 6: Security Mechanisms
