Patch-ID# 102630-01
Keywords: antispoof anti spoof ip security
Synopsis: Firewall-1 1.0.7: Circumvents IP spoofing
Date: Jul/19/95

Solaris Release: 1.1
SunOS Release: 4.1.3
Unbundled Product: Firewall-1
Unbundled Release: 1.0.7
BugId's fixed with this patch: 1214765
Changes incorporated in this version:
Relevant Architectures: sparc
Patches accumulated and obsoleted by this patch:
Patches which conflict with this patch:
Patches required by this patch:
Obsoleted by:
Files included with this patch: antispoof

Problem Description:

1214765 Firewall-1 1.0.7: Does not check for falsified IP addresses.

RESPONSE TO CERT ADVISORY CA-95:01 "IP Spoofing Attacks"

NOTICE: SECURITY ENHANCEMENT FOR FIREWALL-1
--

To further tighten FireWall-1 security against the type of attack described in CERT advisory CA-95:01 on spoofing attacks (also reported in the New York Times and in other news articles), install the following enhancement. This enhancement uses the flexibility of the underlying FireWall-1 architecture to add default functionality to FireWall-1 without any changes to the binary object files, by using the FireWall-1 scripting language.

The CERT Coordination Center has received reports of attacks in which intruders create packets with spoofed source IP addresses. These attacks exploit applications that use authentication based on IP addresses (e.g. rshd, rlogin, X11, and other TCP wrappers). This exploitation may lead to unauthorized access on the targeted systems. Please note that this attack does not involve source routing.

The 'antispoof' script enhances FireWall-1 capabilities by explicitly identifying and blocking spoofing attempts, and generating an alert. The antispoof script adds code that identifies packets arriving on any of the interfaces connected to the external world (e.g. the Internet) which pretend to carry source addresses from the internal network. This is done by adding code to a standard FireWall-1 prologue file which is part of every filter configuration.
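The check the generated prologue code performs, written out as an added Python example (this is not the antispoof script or FireWall-1 code): a packet is spoofed when it arrives on an external interface but carries a source address inside one of the configured internal networks; such packets are dropped and an alert is raised. The interface names, networks and packets are constructed sample values of the same kind the script asks for.

```python
import ipaddress

# Constructed gateway configuration, mirroring the script's questions:
# external interface name(s) and (network number / netmask) of each internal net.
EXTERNAL_IFACES = {"le1"}
INTERNAL_NETS = [
    ipaddress.ip_network("192.9.200.0/255.255.255.0"),
    ipaddress.ip_network("10.1.0.0/255.255.0.0"),
]


def is_spoofed(iface, src, external=EXTERNAL_IFACES, internal=INTERNAL_NETS):
    """True when a packet on an external interface claims an internal source.

    Packets on internal interfaces are not judged here; the prologue code
    described in this patch only inspects the external side.
    """
    if iface not in external:
        return False
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in internal)


def filter_packets(packets, external=EXTERNAL_IFACES, internal=INTERNAL_NETS):
    """Apply the check to (iface, src, dst) tuples.

    Returns a list of verdicts ("drop"/"accept") in input order and the
    alert lines that would be sent to the log/alert facility.
    """
    verdicts, alerts = [], []
    for iface, src, dst in packets:
        if is_spoofed(iface, src, external, internal):
            verdicts.append("drop")
            alerts.append(f"antispoof: {src} -> {dst} arrived on external {iface}")
        else:
            verdicts.append("accept")
    return verdicts, alerts


# Constructed sample traffic as seen by the gateway.
SAMPLE_PACKETS = [
    ("le1", "192.9.200.17", "192.9.200.1"),   # external iface, internal src: spoofed
    ("le1", "198.51.100.5", "192.9.200.1"),   # external iface, external src: fine
    ("le0", "192.9.200.17", "198.51.100.5"),  # internal iface: not judged
    ("le1", "10.1.4.9", "192.9.200.2"),       # second internal net: spoofed
]

if __name__ == "__main__":
    verdicts, alerts = filter_packets(SAMPLE_PACKETS)
    for pkt, verdict in zip(SAMPLE_PACKETS, verdicts):
        print(verdict, pkt)
    print("\n".join(alerts))
```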
The script simplifies installation of the required code by asking the user questions. In order to use the script the user must know the network addresses and network masks of all internal networks, as well as the names of the external interfaces (e.g. le1). The script should be run on each FireWall-1 management station in your network.

Patch Installation Instructions:
-------------------------------

0. Make a note of the network addresses and network masks for *all* internal networks, and make a note of the name of the external interface (e.g. le1).

1. Go to the directory named 'patch', in the directory in which the FireWall-1 distribution diskette was extracted (e.g. /tmp/patch).

2. Run the antispoof script (as a super-user):

   # ./antispoof

3. The script will ask you for the gateway host name, external interface name(s), and for the network number (e.g. 192.9.200.0) and network mask (e.g. 255.255.255.0) for every internal network. If you have multiple gateways managed by the same control station (GUI), the script will let you define them one after the other.

4. After you have entered all the required information the script will generate the required code and display it. The script will ask you to approve the insertion of that code into the prologue file (/etc/fw/lib/fwui_head.def). After the script has finished you may verify that the lines were inserted in the prologue file by using 'more /etc/fw/lib/fwui_head.def'.

5. Re-install your filter with the GUI or command line interface, e.g. use the "Filter->Install" menu on the rulebase editor screen, or:

   # fw load /etc/fw/conf/your-filtername.pf

NOTES:

1. If you have a large number of separate internal networks (more than 20) the process of entering details for each by hand will be time consuming. You may wish to call your FireWall-1 support provider for advice on simplifying the process.

2. If you are running multiple gateways from the same control workstation, and you do not have the same interfaces on all gateway machines (e.g. one machine has an external tr0, while the others do not), you may experience a problem installing filters after executing this script. Please contact your FireWall-1 support provider, *before* running the 'antispoof' script, to get a patch for this problem.