I’ve been doing more consulting work and am surprised by the number of organizations that don’t use anti-spoofing filters within their networks. An anti-spoofing filter is placed on the input side of a router interface of a user subnet and only allows packets through that are within the address range of that subnet. The intent is to exclude packets that have invalid source addresses. Just make sure that the filter doesn’t exclude the multicast and broadcast addresses and routing protocol updates that are needed for normal network operations.
I would want to log all denies in an anti-spoofing filter and send them to the security group. The report would allow them to identify that a system has been compromised or misconfigured. While it is more work to configure the anti-spoofing filters, they provide an additional level of visibility into what is happening in the network.
I think of anti-spoofing filters as the inverse of Netflow. Netflow tells you what traffic is being forwarded while an anti-spoofing filter tells you that certain traffic is not being forwarded. Modern security recommendations are “security in depth” and anti-spoofing filters are another valuable part of the security toolkit.
-Terry
_____________________________________________________________________________________________
Re-posted with Permission
NetCraftsmen would like to acknowledge Infoblox for their permission to re-post this article which originally appeared in the Applied Infrastructure blog under http://www.infoblox.com/en/communities/blogs.html