Yu Chak Tin Michael’s GIAC GCFW Project Assignment
headers so that it appears that the packets are coming from that host.” [30]
Detailed information on IP spoofing is available at:
IP Spoofing Demystified: http://www.fc.net/phrack/files/p48/p4814.html

To prevent incoming IP packets labeled with “internal” IP addresses from entering the
network via the WAN adaptor, configure filters on the WAN adaptor S92 with each
Direction set to IN, Action to Drop, Source IP Address to the internal addresses, and
Source Mask to 255.255.255.255:
IN, DROP, Source: Core_Net (192.168.16.0), Mask: 255.255.255.255
IN, DROP, Source: Public_Services (192.168.8.0), Mask: 255.255.255.255
IN, DROP, Source: Internal_Clients (192.168.17.0), Mask: 255.255.255.255
IN, DROP, Source: Internal_Servers (192.168.18.0), Mask: 255.255.255.255
IN, DROP, Source: Internal_Admin (192.168.19.0), Mask: 255.255.255.255
IN, DROP, Source: Internal_Dev (192.168.20.0), Mask: 255.255.255.255
IN, DROP, Source: Critical_Resources (192.168.21.0), Mask: 255.255.255.255
IN, DROP, Source: RAS_Net (192.168.22.0), Mask: 255.255.255.255

The filters are processed sequentially. For our rules, since the addresses do not
overlap, there are no conflicts between them, and the order would therefore be
irrelevant.
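
As an added example (not part of the original assignment), the Python code below models the filter list with sequential first-match evaluation, confirms that no two filters overlap, and checks constructed source addresses like those used in the basic tests. It assumes the conventional semantics in which a filter matches when (source AND mask) equals (network AND mask); whether the S92 adaptor interprets Source Mask this way is an assumption to confirm against its documentation, because under these semantics a 255.255.255.255 mask matches only the single listed address, while 255.255.255.0 covers the whole /24.

```python
import ipaddress
from itertools import combinations

# Internal networks named in the page's filter list (Direction IN, Action DROP).
INTERNAL_NETS = [
    ("Core_Net", "192.168.16.0"),
    ("Public_Services", "192.168.8.0"),
    ("Internal_Clients", "192.168.17.0"),
    ("Internal_Servers", "192.168.18.0"),
    ("Internal_Admin", "192.168.19.0"),
    ("Internal_Dev", "192.168.20.0"),
    ("Critical_Resources", "192.168.21.0"),
    ("RAS_Net", "192.168.22.0"),
]

def to_int(addr):
    """Convert a dotted-quad IPv4 address to an integer."""
    return int(ipaddress.IPv4Address(addr))

def build_filters(mask):
    """Return the ordered filter list as (name, network, mask) integers."""
    return [(name, to_int(net), to_int(mask)) for name, net in INTERNAL_NETS]

def evaluate(src, filters):
    """Sequential first-match check of an inbound source address.

    Assumed semantics: a filter matches when (src & mask) == (net & mask).
    """
    s = to_int(src)
    for name, net, mask in filters:
        if (s & mask) == (net & mask):
            return ("DROP", name)
    return ("PASS", None)

def overlapping_pairs(filters):
    """Pairs of filters that could match the same address (order would matter)."""
    return [(a[0], b[0]) for a, b in combinations(filters, 2)
            if ((a[1] ^ b[1]) & a[2] & b[2]) == 0]

if __name__ == "__main__":
    # Constructed source addresses mirroring the Basic Testing cases.
    samples = ["192.168.17.25", "192.168.20.7", "203.0.113.10"]
    for mask in ("255.255.255.255", "255.255.255.0"):
        filters = build_filters(mask)
        print(mask, "overlapping pairs:", overlapping_pairs(filters))
        for src in samples:
            print("  ", src, evaluate(src, filters))
```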

Basic Testing

- Configure a client with an address from Internal_Clients. Connect from the
  outside to the WWW server in Public_Services via HTTP. The packet should be
  dropped right at Router_Eiconcard.
- Configure a client with an address from Internal_Dev. Connect from the outside
  to the DNS server in Public_Services via NSLOOKUP. The packet should be
  dropped right at Router_Eiconcard.
- Configure a client with an address from the outside world. Connect from the
  outside to the WWW server in Public_Services via HTTP. The packet should be
  allowed to pass through at Router_Eiconcard.
- From a valid client in Internal_Admin, connect to the outside world. The request

[30] http://www.webopedia.com/TERM/s/spoof.html