Modifying antispoofing

IP address spoofing is an attack where the source IP address in a packet is changed to gain unauthorized access or to cause a denial-of-service. Such attacks can be prevented with antispoofing rules.

Antispoofing is intended to prevent malicious attempts to use a legitimate internal IP address to gain access from lower-security networks to higher-security networks by determining which addresses are valid source addresses for the networks connected to each interface. If an interface receives a packet with a source address that is not a valid source address for the networks that are connected to that interface, the packet is considered to come from a spoofed IP address.

Antispoofing is used on Engines, IPS engines, Layer 2 Engines, Master Engines, and Virtual Engines. Antispoofing rules are created automatically based on the static routing configuration for interfaces that have IP addresses. As long as no dynamic routing is used, there is usually no need to change the antispoofing configuration in any way.
Note:
  • An antispoofing configuration is not automatically generated for routes learned through dynamic routing protocols.
  • Antispoofing related to dynamic routing is done by using the SMC GUI in the dynamic routing configuration in the Engine Editor. You must manually add hosts or networks to the Additional Networks to Automatically Add to Antispoofing table in the Engine Editor.

If you do modify the antispoofing configuration, manually changed entries are marked with a plus sign (+) for active entries or a minus sign (–) for disabled entries.
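The following Python script is an added illustration of the rule described above and is not code from the SMC or the engine itself. It derives a per-interface table of valid source networks from a constructed static routing table, decides which interface a packet from a given source address is expected to arrive on by longest-prefix match, and flags a packet as spoofed when it arrives elsewhere. The interface names, addresses and the `additional` parameter (standing in for networks that would otherwise only be known through dynamic routing) are assumptions made for the example.

```python
import ipaddress

# Constructed static routing table: (destination network, interface name).
# The names and addresses are hypothetical and exist only for this example.
STATIC_ROUTES = [
    ("10.1.0.0/16", "Interface 1"),   # internal LAN
    ("10.2.5.0/24", "Interface 2"),   # DMZ
    ("0.0.0.0/0",   "Interface 0"),   # default route towards the Internet
]


def build_antispoofing_table(routes, additional=None):
    """Return {interface: [valid source networks]} derived from static routes.

    `additional` maps interface -> networks that the routing table does not
    contain (the page's case of routes learned through dynamic routing, which
    have to be added by hand); they are merged in as equally valid sources.
    """
    table = {}
    for net, iface in routes:
        table.setdefault(iface, []).append(ipaddress.ip_network(net))
    for iface, nets in (additional or {}).items():
        for net in nets:
            table.setdefault(iface, []).append(ipaddress.ip_network(net))
    return table


def expected_interface(table, src):
    """Longest-prefix match over every entry: the interface on which a packet
    from `src` is legitimately expected to arrive, or None if no entry matches.
    The most specific network wins, so an internal prefix routed via one
    interface is not a valid source on the interface holding the default route.
    """
    addr = ipaddress.ip_address(src)
    best = None
    for iface, nets in table.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (iface, net)
    return best[0] if best else None


def is_spoofed(table, src, arriving_iface):
    """A packet is considered spoofed when its source address is not a valid
    source for the networks connected to the interface it arrived on."""
    return expected_interface(table, src) != arriving_iface


if __name__ == "__main__":
    table = build_antispoofing_table(STATIC_ROUTES)
    # Internal address arriving on the Internet-facing interface: spoofed.
    print(is_spoofed(table, "10.1.4.7", "Interface 0"))
    # Same address arriving on its own interface: legitimate.
    print(is_spoofed(table, "10.1.4.7", "Interface 1"))
```

Running the script shows the asymmetry the page describes: `10.1.4.7` is accepted on Interface 1 but rejected on Interface 0 even though the default route would match it, because the /16 entry is more specific. Passing a network in `additional` for Interface 2 is the analogue of filling in the "Additional Networks to Automatically Add to Antispoofing" table: without it, a source from a dynamically learned prefix behind Interface 2 is attributed to the default route and dropped as spoofed.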

Limitations

Antispoofing cannot be configured for the following types of interfaces because they do not have IP addresses:

  • Capture Interfaces and Inline Interfaces on IPS engines or Layer 2 Engines.
  • Master Engines that host Virtual IPS engines or Virtual Layer 2 Engines.
  • Layer 2 physical interfaces on Engines.
  • All interfaces on Virtual IPS engines and Virtual Layer 2 Engines.