Firewall/VPN Routing and Anti-Spoofing

This document discusses routing and antispoofing configuration on a next generation firewall (NGFW). It covers defining static routes to dictate traffic flow and special routing considerations such as dynamic IP addresses and policy routing. Dynamic routing protocols such as RIP, OSPF and BGP are also introduced. The document explains how antispoofing helps prevent IP spoofing attacks by discarding packets with spoofed source IPs unless specifically allowed by routing and policy. Antispoofing rules are automatically generated based on routing but can be manually adjusted if needed. The associated lab guide explains how to define a router and a default static route on the NGFW.

Uploaded by omarptc

Firewall/VPN

Routing and Anti-Spoofing

Module 4

Routing and Antispoofing


Routing and Antispoofing
Module Objectives
Upon completion of this module, you should be able to:

• Apply static routes to the NGFW
• Describe the use case for static source routing
• List at least three supported dynamic routing protocols
• Explain IP spoofing and the role of anti-spoofing

Content
Module Topics

• Static Routing
• Routing Configuration
• Special Routing Conditions
• Policy Routing
• Dynamic Routing Overview

Static Routing
Defines next hop destination for packets that reach NGFW

[Figure: NGFW FW/VPN]

• Traffic reaches NGFW
• Routing dictates which interface the traffic leaves based on the destination network

Routing Configuration

• Static Routing is created by using the Routing Tools Pane found in the routing area of the Engine Editor
• Routes to directly-connected networks are configured automatically

Special Routing Conditions
Dynamic IP Address

• Routing when a firewall has a dynamic IP address
• Management connections are initiated from node with dynamic control interface

Special Routing Conditions
Policy Routing

• Packets from specific source IP addresses are routed through a selected gateway

Dynamic Routing

Protocols
• IGMP proxy (RFC 4605)
• RIP version 1 (RFC 1058)
• RIP version 2 (RFC 2453)
• OSPF version 2 (RFC 2328)
• BGP version 4 (RFC 1771)
• PIM-SM (RFC 4601)
Single node or standby cluster
Local configuration through CLI
Route monitoring and configuration backup / restore through Management Client
Route-based VPN for dynamic routing protocol updates and multicast traffic

Special Routing Conditions
Multicast Routing

Static IP multicast routing
• Relaying multicast traffic through firewall in a controlled way
IGMP Proxy
• Multicast routing support through IGMP Proxy
• Most useful method to support “dynamic” multicast routing
Route-based VPN to let the multicast traffic through the VPN

Antispoofing

[Figure: a spoofed and a legitimate packet arriving at the firewall]
• Eth1 (Internet): Source 192.168.1.23, Spoofed Packet, Discard
  Attacker: Real source IP: 142.12.1.50, Spoofed source IP: 192.168.1.23
• Eth0 (Protected Network): Source 192.168.1.23, Legitimate Packet, Allow
  Internal Host: Real source IP: 192.168.1.23

Antispoofing Configuration

• Antispoofing configuration is generated automatically based on the routing tree.
• Can be adjusted manually if needed.
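
Added example (not part of the original slides or of the NGFW product): a simplified model that derives per-interface antispoofing checks from a routing table and applies them to the two packets in the Antispoofing figure. The routing entries, the Eth2 interface, the function names and the manual exception are constructed for illustration; the product's actual rule generation may differ.

```python
import ipaddress

# Constructed routing table: (destination network, interface it is routed through).
ROUTES = [
    ("192.168.1.0/24", "Eth0"),  # directly connected protected network
    ("10.20.0.0/16", "Eth0"),    # assumed static route via an internal router
    ("172.16.5.0/24", "Eth2"),   # assumed DMZ interface, not on the slides
    ("0.0.0.0/0", "Eth1"),       # default route towards the Internet
]

def build_antispoofing(routes):
    """Derive (network, interface) entries from routing, most specific first."""
    table = [(ipaddress.ip_network(net), ifc) for net, ifc in routes]
    return sorted(table, key=lambda entry: entry[0].prefixlen, reverse=True)

def expected_interface(table, src):
    """Interface behind which the routing table places this source address."""
    addr = ipaddress.ip_address(src)
    for net, ifc in table:
        if addr in net:
            return ifc
    return None  # no route at all: the source is not valid on any interface

def check_packet(table, in_ifc, src, exceptions=()):
    """Return 'allow' if src may appear on in_ifc, otherwise 'discard'.

    exceptions models manual adjustments: (network, interface) pairs that are
    accepted even though routing points the network elsewhere.
    """
    addr = ipaddress.ip_address(src)
    for net, ifc in exceptions:
        if ifc == in_ifc and addr in ipaddress.ip_network(net):
            return "allow"
    return "allow" if expected_interface(table, src) == in_ifc else "discard"

if __name__ == "__main__":
    table = build_antispoofing(ROUTES)
    # The two packets from the Antispoofing figure, plus the attacker's real address.
    for ifc, src in [("Eth1", "192.168.1.23"), ("Eth0", "192.168.1.23"),
                     ("Eth1", "142.12.1.50")]:
        print(f"{ifc} src={src}: {check_packet(table, ifc, src)}")
    # Constructed manual adjustment: 10.20.0.0/16 may also arrive on Eth2.
    manual = [("10.20.0.0/16", "Eth2")]
    print("Eth2 src=10.20.3.4:", check_packet(table, "Eth2", "10.20.3.4"))
    print("Eth2 src=10.20.3.4 (manual):",
          check_packet(table, "Eth2", "10.20.3.4", manual))
```

The most-specific-match ordering matters: without it the default route on Eth1 would match every source address and the spoofed 192.168.1.23 packet would be accepted from the Internet side.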


Routing and Antispoofing
Review

• What routes are created automatically?
• What special routing features does the Firewall support?
• Explain IP address spoofing attacks.
• How is the Antispoofing configuration generated?
• Give an example of when you would need to adjust the Antispoofing configuration.
• How do you define the default route?

Lab 3: Routing and Antispoofing

Goals:
• Define a Router
• Define a Static Default Route
Estimated Time: 10 minutes
Please refer to the Lab Guide for lab details
