Anti Spoofing

cdetirado
Level 1

I have an AIP-SSM-20 module on which I am in the process of upgrading the system images and the signatures.

I was wondering if someone could guide me in the right direction on how to configure an anti-spoofing policy on the sensor.

If you have some sample configs that I could look at or even if you can explain to me how to do it through the GUI I would really appreciate it.

2 Replies

Marcin Latosiewicz
Cisco Employee

If you mean Anti-IP spoofing, then it's typically applied on routing devices (firewalls, routers, L3 switches) and not on the firewall.

Unicast RPF is your friend on ASA.

Carlos,

It depends on what type of attack you are attempting to protect against. RPF will help you when a host spoofs an address on an interface where it should not live. For instance, if your internal network is 192.168.1.0/24 and a packet arrives on the outside of your firewall with a source address of 192.168.1.2, the appliance can drop the packet due to the information in its routing table. However, SYN floods from the Internet are a different matter. There is a mechanism on the IPS that can help you with this. Please see the document below for the SYN Cookie functionality of IPS Signature 3050/0.

https://supportforums.cisco.com/docs/DOC-11874

Thank you,
Blayne Dreier
Cisco TAC IDS Team

**Please check out our Podcast**
TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast
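
The reverse-path check described in the reply above, as an added example that is not part of the original thread: a strict-mode uRPF decision modelled in Python over a constructed routing table. The interface names, the DMZ prefix and the sample packets are assumptions; only 192.168.1.0/24 and 192.168.1.2 come from the thread.

```python
import ipaddress

# Constructed routing table: (prefix, interface). Everything except
# 192.168.1.0/24 is an assumption made for this illustration.
ROUTES = [
    ("192.168.1.0/24", "inside"),
    ("10.10.0.0/16", "dmz"),
    ("0.0.0.0/0", "outside"),
]

def build_table(routes):
    """Parse prefixes once and order them longest-prefix first."""
    table = [(ipaddress.ip_network(p), ifc) for p, ifc in routes]
    return sorted(table, key=lambda r: r[0].prefixlen, reverse=True)

def reverse_path_interface(table, src):
    """Interface the device would use to reach src (longest-prefix match)."""
    addr = ipaddress.ip_address(src)
    for net, ifc in table:
        if addr in net:
            return ifc
    return None  # no route back to the source at all

def urpf_check(table, src, ingress):
    """Strict mode: accept only if the route back to src leaves through
    the interface the packet arrived on."""
    expected = reverse_path_interface(table, src)
    if expected is None:
        return False, "no route to source"
    if expected != ingress:
        return False, f"source belongs on {expected}, arrived on {ingress}"
    return True, "reverse path matches"

if __name__ == "__main__":
    table = build_table(ROUTES)
    # Constructed sample packets: (source address, ingress interface).
    packets = [
        ("192.168.1.2", "outside"),  # the spoofed case from the reply
        ("192.168.1.2", "inside"),   # same address on its real interface
        ("10.10.4.9", "dmz"),
        ("203.0.113.7", "inside"),   # Internet address seen on the inside
        # Passes whether or not the source is forged: any Internet address
        # follows the default route, so uRPF does not stop an outside SYN flood.
        ("203.0.113.7", "outside"),
    ]
    for src, ingress in packets:
        ok, reason = urpf_check(table, src, ingress)
        print(f"{'PASS' if ok else 'DROP'} src={src} in={ingress}: {reason}")
```

On the ASA itself the check is enabled per interface with `ip verify reverse-path interface <name>`.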
