GroupStudy.com - A virtual community of network engineers
Re: IP Spoofing posted 06/29/2008


But what if I am asked to protect backbone users connected to my
network from spoofing? In that case should I just configure an
access-list denying the backbone network outbound, because in this case
there is no use configuring uRPF...



On 6/29/08, Ramy Sisy <ramysisy@xxxxxxxxxxxxxxxxxx> wrote:
> I agree with Marvin and Muhammad Nasim, plus I need to add some other ideas
> here:
> You can stop IP spoofing by tons of ways like for example:
> PBR (Black Hole), NBAR, VACL, VLAN Access-maps, Policing, CAR, RTBH, urpf,
> CBAC, TCP Intercept, ACL ......, It all depends :)
>
> There are tons of tools to protect Cisco Networks and usually I recommend my
> CCIE candidates to understand how to play with each security feature to be
> able to stop any kind of attack "whatever it is".
> I believe it will be more important than memorizing each attack.
>
>
> BEST REGARDS,
>
> RAMY SISY, CCIE X 2 (SECURITY, ROUTING/SWITCHING)#17321, CCSI#30417
> CCIE PROGRAM MANAGER
>
> INSPIRED MASTER
>                         INSPIRING CREATIVE THINKING ....
>
> WWW.INSPIREDMASTER.COM
> E. RAMYSISY@xxxxxxxxxxxxxxxxxx
>
>
>
> -----Original Message-----
> From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
> mgreenlee@xxxxxxxxxxxx
> Sent: Saturday, June 28, 2008 10:46 PM
> To: 'ciscosec sec'; ccielab@xxxxxxxxxxxxxx; security@xxxxxxxxxxxxxx
> Subject: RE: IP Spoofing
>
> Just like with anything else, it depends what you are asked to do.
>
> R1----(intA)R2----R3
>
> Configuring R2 to prevent spoofing on interface A could consist of:
>
> A.  Blocking inbound any traffic with a source that belongs to R3 (or the
> right side of R2).
> B.  Blocking outbound any traffic with a source of a network on R1 (or the
> left side of R2).
>
> C.  Configuring uRPF on the interface. (same general results as A)
>
>
> It could be A and B, B and C, or just A, B, or C individually.
>
> Make sure that you understand your possibilities.  Just because one person
> or vendor chooses a specific item and says "this is my solution for this
> section", doesn't mean that is the correct answer if a similar question was
> asked on the actual lab.
>
> Marvin Greenlee, CCIE #12237 (R&S, SP, Sec)
> Senior Technical Instructor - IPexpert, Inc.
> Telephone: +1.810.326.1444
> Fax: +1.810.454.0130
> Mailto: mgreenlee@xxxxxxxxxxxx
>
> Progress or excuses, which one are you making?
>
>
>
> -----Original Message-----
> From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
> ciscosec sec
> Sent: Sunday, June 29, 2008 12:56 AM
> To: ccielab@xxxxxxxxxxxxxx; security@xxxxxxxxxxxxxx
> Subject: IP Spoofing
>
> Hello,
>
> For IP spoofing, is it enough to configure an access-list with a deny
> statement of our internal network address, or do we need to configure
> ip verify unicast reverse path as well?
>
> Regards,
>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
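
The three options listed in the thread for R2's interface A, modelled in Python as an added example that is not part of the original messages. The prefixes, the interface name intB and R2's routing table (with no default route) are constructed assumptions.

```python
import ipaddress as ip

# Constructed addressing for R1----(intA)R2----R3 (not from the thread).
LEFT = [ip.ip_network("10.1.0.0/16")]    # networks behind R1, reached via intA
RIGHT = [ip.ip_network("10.3.0.0/16")]   # networks behind R3, reached via intB (assumed name)
# R2's routing table for this model; assumption: no default route is present.
ROUTES = [(n, "intA") for n in LEFT] + [(n, "intB") for n in RIGHT]

def _in(src, nets):
    return any(ip.ip_address(src) in n for n in nets)

def option_a(src):
    """Inbound ACL on intA: deny sources that belong to the right side of R2."""
    return "deny" if _in(src, RIGHT) else "permit"

def option_b(src):
    """Outbound ACL on intA: deny sources that belong to the left side of R2."""
    return "deny" if _in(src, LEFT) else "permit"

def option_c(src, in_iface="intA"):
    """Strict uRPF: permit only if the best route back to src points out in_iface."""
    addr = ip.ip_address(src)
    matches = [(n.prefixlen, iface) for n, iface in ROUTES if addr in n]
    if not matches:
        return "deny"            # no route back to the source at all
    return "permit" if max(matches)[1] == in_iface else "deny"

def compare():
    """Verdict of each option for constructed packets, keyed by source address."""
    inbound = ["10.1.0.7", "10.3.0.5", "192.0.2.9"]   # arriving on intA from R1
    outbound = ["10.3.0.5", "10.1.0.7"]               # leaving intA toward R1
    return {
        "in": {s: (option_a(s), option_c(s)) for s in inbound},
        "out": {s: option_b(s) for s in outbound},
    }

if __name__ == "__main__":
    for direction, rows in compare().items():
        for src, verdict in rows.items():
            print(direction, src, verdict)
```

In this model A and C agree for sources on either side of R2; they differ for 192.0.2.9, which the ACL in A does not list and for which the constructed table has no route.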