Chapter 11 Intrusion Detection And Prevention; Default Packet Handling; Blocking Spoofing Attacks - Watchguard Firebox X1000 User Manual

Chapter 11: Intrusion Detection and Prevention

Default Packet Handling

The WatchGuard Firebox System provides default packet
handling options to automatically block hosts that origi-
nate probes and attacks. Logging options help you identify
sites that exhibit suspicious behavior such as spoofing. You
can use the information gathered to manually and perma-
nently block an offending site. In addition, you can block
ports (by port number) to protect ports with known vul-
nerabilities from any incoming traffic. For more informa-
tion on log messages, see the following collection of FAQs:
https://support.watchguard.com/advancedfaqs/log_main.asp
The Firebox System examines and handles packets accord-
ing to default packet-handling options that you set. The
firewall examines the source of the packet and its intended
destination by IP address and port number. It also watches
for patterns in successive packets that indicate unautho-
rized attempts to access the network.
The default packet-handling configuration determines
whether and how the firewall handles incoming communi-
cations that appear to be attacks on a network. Packet han-
dling can:
• Reject potentially threatening packets
• Automatically block all communication from a source
site
• Add an event to the log
• Send notification of potential security threats

Blocking spoofing attacks

One method that attackers use to gain access to your net-
work involves creating an electronic "false identity." With
this method, called "IP spoofing," the attacker creates a
TCP/IP packet that uses someone else's IP address.
Because routers use a packet's destination address to for-
ward the packet toward its destination, the packet's source
address is not validated until the packet reaches its destina-
178 WatchGuard Firebox System