Penetration Testing
Re: port scan to juniper fw Oct 29 2009 02:52AM
aditya mukadam (aditya mukadam gmail com) (1 replies)
Re: port scan to juniper fw Nov 04 2009 09:19AM
Chris Brenton (cbrenton chrisbrenton org) (1 replies)
On Thu, 2009-10-29 at 08:22 +0530, aditya mukadam wrote:
>
> Juniper FW Anti-spoofing mechanism's logic is to check the
> route for the incoming SRC-IP. If the packet with SRC-IP a.b.c.d
> enters firewall via interface 'X' and the route on the firewall for
> a.b.c.d is to interface 'Y', this packet will be dropped due to
> anti-spoofing because it is entering via an interface through which it
> is not expected to be sent back.

Have you verified this? Last time I tested their anti-spoofing it didn't
actually drop the packet. It would pass it through and then follow it up
with a host unreachable (to the target) in order to kill the session.

What was odd was the TTL would get decremented by 2. My best guess is it
was the single honed IPS code dealing with the spoofing and that was
introducing an extra routing hop.

I have not tested this for a few years, so they may have rewritten how
they handle it. Just curious if you have checked this or if you are
going by the docs.

HTH,
Chris
--
www.chrisbrenton.org
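The reverse-path check that the quoted text describes, and the two observed outcomes discussed in this reply (silently drop the spoofed packet, or forward it and follow up with an ICMP host unreachable), can be modelled in a few lines. The following is an added example written for this page; it is not Juniper code and does not claim to match any ScreenOS release. The routing table, interface names and packets are constructed values, and the `mode` parameter is a hypothetical switch used only to contrast the two behaviours when reviewing what a firewall actually does on the wire.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    iface: str


# Constructed routing table for a three-interface firewall (assumed values):
# a default route out the untrust side, an aggregate for the internal
# network on trust, and a more specific prefix living on the DMZ.
ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "untrust"),
    Route(ipaddress.ip_network("10.0.0.0/8"), "trust"),
    Route(ipaddress.ip_network("10.10.0.0/16"), "dmz"),
]


def lookup(src: str, routes: List[Route] = ROUTES) -> Optional[str]:
    """Longest-prefix match: return the interface the firewall would use
    to reach `src`, i.e. the interface it expects `src` to arrive on."""
    addr = ipaddress.ip_address(src)
    best: Optional[Route] = None
    for route in routes:
        if addr in route.prefix and (
            best is None or route.prefix.prefixlen > best.prefix.prefixlen
        ):
            best = route
    return best.iface if best else None


def rpf_check(src: str, ingress: str, routes: List[Route] = ROUTES) -> bool:
    """Strict reverse-path check: the packet passes only if it arrived on
    the same interface the route for its source address points back to."""
    return lookup(src, routes) == ingress


def classify(src: str, ingress: str, mode: str = "drop") -> str:
    """Verdict for one packet.  `mode` is a hypothetical knob contrasting
    the documented behaviour ("drop") with the behaviour observed in this
    thread ("reset": forward, then send ICMP host unreachable)."""
    if rpf_check(src, ingress):
        return "forward"
    if mode == "drop":
        return "drop"
    return "forward+icmp_host_unreachable"


def audit(packets: List[Tuple[str, str]], mode: str = "drop") -> List[Tuple[str, str, str]]:
    """Run the check over (src, ingress) pairs and return verdicts, the way
    a defender would replay captured headers against a known routing table."""
    return [(src, ingress, classify(src, ingress, mode)) for src, ingress in packets]


if __name__ == "__main__":
    # Constructed sample packets: two legitimate, two with a source that
    # belongs behind a different interface than the one they arrived on.
    sample = [
        ("10.10.1.5", "dmz"),       # DMZ host arriving on dmz: consistent
        ("10.1.2.3", "trust"),      # internal host arriving on trust: consistent
        ("10.10.1.5", "untrust"),   # DMZ address arriving from outside: spoofed
        ("192.168.1.1", "trust"),   # no internal route, default is untrust: spoofed
    ]
    for mode in ("drop", "reset"):
        for src, ingress, verdict in audit(sample, mode):
            print(f"mode={mode:5} src={src:12} in={ingress:8} -> {verdict}")
```

If you are checking a real device rather than the docs, the useful comparison is the third column: capture on the egress side and look for the packet that the documentation says should never appear, and for the ICMP that follows it.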


Re: port scan to juniper fw Nov 04 2009 09:24AM
aditya mukadam (aditya mukadam gmail com)
Copyright 2009, SecurityFocus