07-01-2010 06:01 AM - edited 03-10-2019 05:02 AM
I have an AIP-SSM-20 module that I am in the process of upgrading the system images and the signatures.
I was wondering if someone could guide me in the right direction on how to configure an anti-spoofing policy on the sensor.
If you have some sample configs that I could look at or even if you can explain to me how to do it through the GUI I would really appreciate it.
07-02-2010 04:37 PM
If you mean Anti-IP spoofing -
then it's typically applied on routing devices (firewalls, routers, L3 switches) and not on the firewall.
Unicast RPF is your friend on ASA.
07-04-2010 02:46 PM
Carlos,
It depends on what type of attack you are attempting to protect against. RPF will help you when a host spoofs an address on an interface where it should not live. For instance, if your internal network is 192.168.1.0/24 and a packet arrives on the outside of your firewall with a source address of 192.168.1.2, the appliance can drop the packet due to the information in its routing table. However, SYN floods from the Internet are a different matter. There is a mechanism on the IPS that can help you with this. Please see the document below for the SYN Cookie functionality of IPS Signature 3050/0.
https://supportforums.cisco.com/docs/DOC-11874
Thank you,
Blayne Dreier
Cisco TAC IDS Team
**Please check out our Podcast**
TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast
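The reply above describes the uRPF decision in words: the firewall looks up the packet's source address in its routing table and drops the packet when the route back to that source does not leave via the interface the packet arrived on. The following Python model, added here as an illustration and not code from the thread or from Cisco, runs that check over a constructed routing table. The table (192.168.1.0/24 on "inside", a DMZ prefix, and a default route on "outside") and the sample packets are assumptions made up for the example; it goes slightly beyond the post by also modelling loose mode, to show why a default route makes loose uRPF nearly useless unless the default route is excluded.

```python
"""Model of strict and loose Unicast RPF (uRPF) against a constructed routing table."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed routing table (assumption, not taken from the thread): (prefix, egress interface).
ROUTES: List[Tuple[str, str]] = [
    ("192.168.1.0/24", "inside"),   # the internal network used in the post's example
    ("10.10.0.0/16", "dmz"),        # hypothetical DMZ prefix
    ("0.0.0.0/0", "outside"),       # default route towards the Internet
]

Table = List[Tuple[ipaddress.IPv4Network, str]]


def build_table(routes: List[Tuple[str, str]] = ROUTES) -> Table:
    """Parse (prefix, interface) pairs into network objects."""
    return [(ipaddress.ip_network(prefix), ifname) for prefix, ifname in routes]


def lookup(table: Table, addr: str, ignore_default: bool = False) -> Optional[str]:
    """Longest-prefix match: return the interface the firewall would use to reach addr,
    or None when no route matches. ignore_default skips the 0.0.0.0/0 entry."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for net, ifname in table:
        if ignore_default and net.prefixlen == 0:
            continue
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def urpf_strict(table: Table, ingress: str, src: str) -> bool:
    """Strict mode: accept only if the route back to src leaves via the ingress interface.
    This is the check the post describes; it also breaks asymmetric routing."""
    return lookup(table, src) == ingress


def urpf_loose(table: Table, src: str, allow_default: bool = False) -> bool:
    """Loose mode: any route back to src is enough. If the default route is allowed,
    every source passes, so loose mode normally ignores 0.0.0.0/0."""
    return lookup(table, src, ignore_default=not allow_default) is not None


def run(table: Table, packets: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Apply strict uRPF to constructed (ingress, src) packets.
    Returns {"pass": [...], "drop": [...]} with entries formatted as "ingress:src"."""
    result: Dict[str, List[str]] = {"pass": [], "drop": []}
    for ingress, src in packets:
        verdict = "pass" if urpf_strict(table, ingress, src) else "drop"
        result[verdict].append(f"{ingress}:{src}")
    return result


if __name__ == "__main__":
    tbl = build_table()
    # Constructed packets: the post's spoofed packet on outside, a legitimate Internet
    # source, a legitimate internal host, and an internal host spoofing an Internet address.
    sample = [
        ("outside", "192.168.1.2"),
        ("outside", "203.0.113.7"),
        ("inside", "192.168.1.2"),
        ("inside", "203.0.113.7"),
    ]
    for verdict, entries in run(tbl, sample).items():
        print(verdict, entries)
```

On the ASA itself the strict check is enabled per interface with `ip verify reverse-path interface outside` (repeat for each interface you want protected) and the drop counters are visible with `show ip verify statistics`. Before enabling it on an interface with multiple paths, confirm that return traffic is not routed asymmetrically, or legitimate packets will be dropped exactly like the spoofed ones in the model.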