Interface - Topology Settings

What can I do here?

Use this window to configure the interface's topology.

Getting Here - Gateways & Servers> Select gateway > Edit > Network Management > Click the Expand button > Select an interface > Edit > Topology section > Modify

Understanding Topology

An interface can be defined as being External (leading to the Internet) or Internal (leading to the LAN).

• If the interface is Internal, specify the IP addresses behind the interfaces for anti-spoofing purposes. Specify the IP address by calculating them automatically or by defining them manually.
• If the interface is External, you can make anti-spoof checking does not take place for addresses from certain internal networks coming into the external interface.

What is IP Spoofing

IP address spoofing is where an intruder to the system tries to alter the IP address of the packet in order to make it appear that the packet originated from an area of the network where there is greater access privileges, thus hoping to gain access to confidential information on the internal network.

What is Anti-Spoofing

Anti-spoofing verifies that packets are coming from, and going to, the correct interfaces on the gateway. It confirms that packets claiming to be from an internal network are actually coming from the internal network interface. It also verifies that, once a packet is routed, it is going through the proper interface.

A packet coming from an external interface, even if it has a spoofed internal IP address, is blocked because the anti-spoofing protection detects that the packet arrived from the wrong interface.

In certain scenarios, it may be necessary to allow packets with source addresses that belong in an internal network to come in to the gateway via an external interface. This could be useful if an external application assigns internal IP addresses to external clients.

In this case, it is possible to specify that anti-spoofing checks are not made on packets from specified internal networks.

When anti-spoofing is implemented, an implicit anti-spoofing rule is added to the Rule Base.

Anti-Spoofing Options

• Perform Anti-Spoofing based on interface topology - Select this option to enable spoofing protection on this external interface.
• Anti-Spoofing action is set to - Select this option to define if packets will be rejected (the Prevent option) or whether the packets will be monitored (the Detect option). The Detect option is used for monitoring purposes and should be used in conjunction with one of the tracking options. It serves as a tool for learning the topology of a network without actually preventing packets from passing.
• Don't check packets from - Select this option to make sure anti-spoofing does not take place for traffic from internal networks that reaches the external interface. Define a network object that represents those internal networks with valid addresses, and from the drop-down list, select that network object. The anti-spoofing enforcement mechanism disregards objects selected in the Don't check packets from drop-down menu .
• Spoof Tracking - Select a tracking option.