Preventing IP Spoofing

IP spoofing replaces the untrusted source IP address with a fake, trusted one, to hijack connections to your network. Attackers use IP spoofing to send malware and bots to your protected network, to execute DoS attacks, or to gain unauthorized access.

Anti-Spoofing detects if a packet with an IP address that is behind a certain interface, arrives from a different interface. For example, if a packet from an external network has an internal IP address, Anti-Spoofing blocks that packet.

Example:

The diagram shows a Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. with interfaces 2 and 3, and 4, and some example networks behind the interfaces.

For the Security Gateway, Anti-Spoofing makes sure that:

  • All incoming packets to 2 come from the Internet (1)
  • All incoming packets to 3 come from 192.168.33.0
  • All incoming packets to 4 come from 192.0.2.0 or 10.10.10.0

If an incoming packet to 2 has a source IP address in network 192.168.33.0, the packet is blocked, because the source address is spoofed.

When you configure Anti-Spoofing protection on a Check Point Security Gateway interface, the Anti-Spoofing is done based on the interface topology. The interface topology defines where the interface Leads To (for example, External (Internet) or Internal), and the Security Zone of interface.

Anti-Spoofing Options

  • Perform Anti-Spoofing based on interface topology - Select this option to enable spoofing protection on this external interface.

  • Anti-Spoofing action is set to - Select this option to define if packets will be rejected (the Prevent option) or whether the packets will be monitored (the Detect option). The Detect option is used for monitoring purposes and should be used in conjunction with one of the tracking options. It serves as a tool for learning the topology of a network without actually preventing packets from passing.

  • Don't check packets from - Select this option to make sure anti-spoofing does not take place for traffic from internal networks that reaches the external interface. Define a network object that represents those internal networks with valid addresses, and from the drop-down list, select that network object. The anti-spoofing enforcement mechanism disregards objects selected in the Don't check packets from drop-down menu.

  • Spoof Tracking - Select a tracking option.