Ip Spoofing And Ips Protection With A Cisco Asa 5500 Firewall

The Cisco ASA firewall appliance provides great security protection out-of-the box with its default configuration. However, to increase the security protection even further, there are several configuration enhancements that can be used to implement additional security features. Two of these features are IP Spoofing protection and basic Intrusion Prevention (IPS) support.

IP Spoofing Protection

IP spoofing attacks are those that change the actual source IP address of packets to obscure their true origin. This means that packets arriving at a particular interface (e.g inside) must have a valid source IP address that matches the correct source interface according to the firewall routing table. Normally the firewall only looks at the destination address of a packet in order to forward it accordingly. If you enable the IP Spoofing mechanism, the firewall checks also the source address of the packets.

If for example our inside interface connects to internal network 192.168.1.0/24, this means that packets arriving at the inside firewall interface must have a source address in the range 192.168.1.0/24 otherwise they will be dropped (if IP Spoofing is configured).

The IP Spoofing feature uses the Unicast Reverse Path Forwarding (Unicast RPF) mechanism, which dictates that for any traffic that you want to allow through the security appliance, the security appliance routing table must include a route back to the source address.

To enable IP Spoofing protection, enter the following command:

CiscoASA5500(config)# ip verify reverse-path interface "interface_name"

For example, to enable IP spoofing on the inside interface, use the following command:

CiscoASA5500(config)# ip verify reverse-path interface inside

Basic IPS Protection

Although the ASA Firewall supports full IPS functionality with an extra IPS hardware module (AIP-SSM), it supports also basic IPS protection which is built-in by default without using an extra hardware module. The built-in IPS feature supports a basic list of signatures and you can configure the security appliance to perform one or more actions on traffic that matches a signature. The command that implements the basic IPS feature is called "ip audit".

There are two signature groups embedded in the firewall software: "Informational" and "Attack" signatures. You can define an IP audit policy for each signature group as following:

For informational signatures:

CiscoASA5500 (config)# ip audit name "name" info [action [alarm] [drop] [reset]]

For attack signatures:

CiscoASA5500 (config)# ip audit name "name" attack [action [alarm] [drop] [reset]]

The keywords [alarm], [drop], [reset] define the actions to perform on a malicious packet that matches one of the signatures. [alarm] generates a system message showing that a packet matched a signature, [drop] drops the packet, and [reset] drops the packet and closes the connection.