For example, on a two-interface router connecting a corporate network to the Internet, any datagram that arrives on the Internet interface whose source address field claims it originates from a host on the corporate network should be discarded. Similarly, any datagram exiting the corporate network whose source address field claims to be anything other than the allocated address space of the corporate network should be discarded. Figure 7-4 depicts a basic guideline to configure antispoofing access lists.
Figure 7-4. Preventing IP Spoofing Using ACL
In Figure 7-4, ACL 101 is applied inbound and ACL 199 is applied outbound on the external interface. ACL 101 drops any inbound packet whose source address is forged (spoofed) to appear as the internal allocated address space or as a trusted host. ACL 199 ensures that no outgoing packet carries a source address that does not belong to the internal allocated address space. In addition to the antispoofing entries, Figure 7-4 shows ACL 101 with further deny statements that drop datagrams with broadcast or multicast source addresses, and datagrams with the reserved loopback address or the RFC 1918 private addresses as a source address.
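The following Cisco IOS configuration is an added example that implements the guideline described above; it is not the content of Figure 7-4 or the book's own listing. It assumes a constructed corporate allocated address space of 192.0.2.0/24 (the documentation range, standing in for a real assignment), a trusted external management host at 198.51.100.10 (also constructed), and an external interface named Serial0/0 (hypothetical). ACL 101 is the inbound antispoofing filter and ACL 199 the outbound one, as in the text.

```cisco
! ACL 101: inbound on the Internet-facing interface.
! Drop packets whose source claims to be inside, a trusted host,
! a broadcast/multicast address, loopback, or RFC 1918 space.
access-list 101 remark --- Antispoofing: inbound from Internet ---
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any log          ! corporate space (constructed)
access-list 101 deny   ip host 198.51.100.10 any log           ! trusted host (constructed)
access-list 101 deny   ip host 255.255.255.255 any log         ! broadcast source
access-list 101 deny   ip 224.0.0.0 15.255.255.255 any log     ! multicast source (224.0.0.0/4)
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log      ! loopback source (127.0.0.0/8)
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log       ! RFC 1918 10.0.0.0/8
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log      ! RFC 1918 172.16.0.0/12
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log      ! RFC 1918 192.168.0.0/16
! Without an explicit permit, the implicit "deny any" at the end
! would drop all legitimate inbound traffic.
access-list 101 permit ip any any

! ACL 199: outbound on the Internet-facing interface.
! Only packets sourced from the corporate allocated space may leave.
access-list 199 remark --- Antispoofing: outbound to Internet ---
access-list 199 permit ip 192.0.2.0 0.0.0.255 any              ! corporate space (constructed)
access-list 199 deny   ip any any log                          ! anything else is spoofed; log it

! Apply both ACLs to the external interface (interface name hypothetical).
interface Serial0/0
 description Link to ISP
 ip access-group 101 in
 ip access-group 199 out
```

Two points worth checking before deploying a list like this. First, the outbound ACL on the outside interface is evaluated after inside-to-outside NAT, so the source range ACL 199 permits must be the addresses that actually leave the interface (the public pool or interface address), not the pre-translation private range. Second, the `log` keyword on the deny entries gives a useful spoofing indicator for monitoring, but logging is done by the route processor; on busy links rate-limit it (for example with `ip access-list logging interval`) or restrict it to the entries you actually want to watch.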