GroupStudy.com - A virtual community of network engineers
RE: IP Spoofing posted 06/29/2008


I agree with Marvin and Muhammad Nasim, plus I need to add some other ideas
here:
You can stop IP spoofing in tons of ways, for example:
PBR (Black Hole), NBAR, VACL, VLAN Access-maps, Policing, CAR, RTBH, uRPF,
CBAC, TCP Intercept, ACL ... It all depends :)

There are tons of tools to protect Cisco networks, and I usually recommend that
my CCIE candidates understand how to play with each security feature to be
able to stop any kind of attack, "whatever it is".
I believe that will be more important than memorizing each attack.


BEST REGARDS,

RAMY SISY, CCIE X 2 (SECURITY, ROUTING/SWITCHING)#17321, CCSI#30417
CCIE PROGRAM MANAGER

INSPIRED MASTER
                        INSPIRING CREATIVE THINKING ....

WWW.INSPIREDMASTER.COM
E. RAMYSISY@xxxxxxxxxxxxxxxxxx



-----Original Message-----
From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
mgreenlee@xxxxxxxxxxxx
Sent: Saturday, June 28, 2008 10:46 PM
To: 'ciscosec sec'; ccielab@xxxxxxxxxxxxxx; security@xxxxxxxxxxxxxx
Subject: RE: IP Spoofing

Just like with anything else, it depends what you are asked to do.

R1----(intA)R2----R3

Configuring R2 to prevent spoofing on interface A could consist of:

A.  Blocking inbound any traffic with a source that belongs to R3 (or the
right side of R2).
B.  Blocking outbound any traffic with a source of a network on R1 (or the
left side of R2).

C.  Configuring uRPF on the interface. (same general results as A)


It could be A and B, B and C, or just A, B, or C individually.

Make sure that you understand your possibilities.  Just because one person
or vendor chooses a specific item and says "this is my solution for this
section", doesn't mean that is the correct answer if a similar question was
asked on the actual lab.

Marvin Greenlee, CCIE #12237 (R&S, SP, Sec)
Senior Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
Mailto: mgreenlee@xxxxxxxxxxxx

Progress or excuses, which one are you making?
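
The three options listed above for R2's interface A, written out as Cisco IOS configuration. This is an added example, not part of the original thread; the interface name, the ACL names and the prefixes 10.1.0.0/16 (R1 side) and 10.3.0.0/16 (R3 side) are assumptions chosen for illustration.

```cisco
! Assumed addressing (constructed for this example):
!   R1 side of R2, reached through intA = GigabitEthernet0/0 : 10.1.0.0/16
!   R3 side of R2 (the "right side")                        : 10.3.0.0/16
!
! Option A: drop packets ARRIVING on intA whose source claims to be
! a network that really lives on the R3 side.
ip access-list extended ANTISPOOF-A-IN
 deny   ip 10.3.0.0 0.0.255.255 any log
 permit ip any any
!
! Option B: drop packets LEAVING intA toward R1 whose source claims to be
! a network that really lives on the R1 side.
ip access-list extended ANTISPOOF-A-OUT
 deny   ip 10.1.0.0 0.0.255.255 any log
 permit ip any any
!
interface GigabitEthernet0/0
 description intA (toward R1)
 ip access-group ANTISPOOF-A-IN in
 ip access-group ANTISPOOF-A-OUT out
!
! Option C: strict uRPF on intA. A packet is accepted only if the route
! back to its source points out the interface it arrived on, so a source
! in 10.3.0.0/16 arriving on intA is dropped without a hand-written ACL.
! Strict mode requires CEF and assumes symmetric routing through intA.
ip cef
!
interface GigabitEthernet0/0
 ip verify unicast source reachable-via rx
!
! Checks after applying:
!   show access-lists                      (per-entry match counters for A and B)
!   show ip interface GigabitEthernet0/0   (uRPF status and verification drops)
```

Options A and C both act on inbound traffic on interface A, while option B covers the outbound direction, which uRPF on that interface does not check.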
 


-----Original Message-----
From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
ciscosec sec
Sent: Sunday, June 29, 2008 12:56 AM
To: ccielab@xxxxxxxxxxxxxx; security@xxxxxxxxxxxxxx
Subject: IP Spoofing

Hello,

For IP spoofing, is it enough to configure an access-list with a deny
statement of our internal network address, or do we need to configure
ip verify unicast reverse path as well?

Regards,

