Patch-ID# 102630-01
Keywords: antispoof anti spoof ip security
Synopsis: Firewall-1 1.0.7: Circumvents IP spoofing
Date: Jul/19/95

Solaris Release: 1.1

SunOS Release: 4.1.3

Unbundled Product: Firewall-1

Unbundled Release: 1.0.7

BugId's fixed with this patch: 1214765   

Changes incorporated in this version:

Relevant Architectures: sparc 

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required by this patch:

Obsoleted by:

Files included with this patch: antispoof

Problem Description:

 1214765 Firewall-1 1.0.7:  Does not check for falsified IP addresses.

RESPONSE TO CERT ADVISORY CA-95:01 "IP Spoofing Attacks"
NOTICE: SECURITY ENHANCEMENT FOR FIREWALL-1 --

To further tighten FireWall-1 security against the type of attack described
in CERT advisory CA-95:01 on spoofing attacks (also reported in the New York
Times and in other news articles), install the following enhancement.

This enhancement uses the flexibility of the underlying FireWall-1 architecture
to add default functionality to FireWall-1 without any changes to the
binary object files, by using the FireWall-1 scripting language.


The CERT Coordination Center has received reports of attacks in which
intruders create packets with spoofed source IP addresses. These attacks
exploit applications that use authentication based on IP addresses (e.g.
rshd, rlogin, X11, and other TCP wrappers). This exploitation may lead to
unauthorized access on the targeted systems.  Please note that this attack
does not involve source routing.

The 'antispoof' script enhances FireWall-1 capabilities by explicitly
identifying and blocking spoofing attempts, and generating an alert.
The antispoof script adds code that identifies packets arriving on any of
the interfaces connected to the external world (e.g. the Internet),
which pretend to carry source addresses from the internal network.
This is done by adding code to a standard FireWall-1 prologue file which
is part of every filter configuration.

The script simplifies installation of the required code by asking the user
questions. In order to use the script, the user must know the network
addresses and network masks of all internal networks, as well as the names
of the external interfaces (e.g. le1).
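
The check described above, sketched in Python as an added illustration; it is
not the antispoof script and not the FireWall-1 code that script generates.
The class and function names, the sample packets, the second internal network
and the use of le0 as an internal interface are assumptions made for the example.

```python
import ipaddress

def parse_internal_net(network, netmask):
    """Turn a network number / network mask pair into an IPv4Network.

    Raises ValueError for a non-contiguous mask or a network number with
    host bits set, so a typo cannot silently leave a range unprotected.
    """
    return ipaddress.IPv4Network(f"{network}/{netmask}", strict=True)

class AntiSpoofCheck:
    """Hypothetical model of the check, for one gateway."""

    def __init__(self, external_ifaces, internal_nets):
        self.external = set(external_ifaces)
        self.internal = [parse_internal_net(n, m) for n, m in internal_nets]

    def is_spoofed(self, iface, src):
        # Only packets arriving from the external world are suspect; an
        # internal source on an internal interface is normal traffic.
        if iface not in self.external:
            return False
        addr = ipaddress.IPv4Address(src)
        return any(addr in net for net in self.internal)

def flag_spoofed(check, packets):
    """Return the (iface, src) pairs that should be blocked and alerted on."""
    return [(i, s) for i, s in packets if check.is_spoofed(i, s)]

# Constructed sample data: le1 is external, le0 internal.
SAMPLE_CHECK_ARGS = (["le1"], [("192.9.200.0", "255.255.255.0"),
                               ("10.1.0.0", "255.255.0.0")])
SAMPLE_PACKETS = [
    ("le1", "192.9.200.17"),  # internal source on external interface
    ("le1", "198.51.100.7"),  # genuine external source
    ("le0", "192.9.200.17"),  # internal host on internal interface
    ("le1", "10.1.44.3"),     # second internal network, external interface
]

if __name__ == "__main__":
    check = AntiSpoofCheck(*SAMPLE_CHECK_ARGS)
    for iface, src in flag_spoofed(check, SAMPLE_PACKETS):
        print(f"ALERT spoofed source {src} on {iface}")
```

An internal network left out of the list is not covered by the check, which is
why step 0 below asks for *all* internal networks.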

The script should be run on each FireWall-1 management station in your
network.

Patch Installation Instructions:
-------------------------------

0. Make a note of the network addresses and network masks for *all*
   internal networks, and of the name of the external interface
   (e.g. le1).

1. Go to the directory named 'patch', in the directory in which the
   FireWall-1 distribution diskette was extracted. (e.g. /tmp/patch).

2. Run the antispoof script (as a super-user):
	# ./antispoof

3. The script will ask you for the gateway host name, external 
   interface name(s), and for the network number (e.g. 192.9.200.0) and
   network mask (e.g. 255.255.255.0) for every internal network.

   If you have multiple gateways managed by the same control station (GUI),
   the script will let you define them one after the other.


4. After you have entered all the required information, the script will
   generate the required code and display it. The script will ask you to
   approve the insertion of that code into the prologue file
   (/etc/fw/lib/fwui_head.def).
   After the script has finished you may verify that the lines were
   inserted in the prologue file by using 'more /etc/fw/lib/fwui_head.def'.

5. Re-install your filter with the GUI or command line interface:
   e.g. Use the "Filter->Install" Menu on the rulebase editor screen, or

	# fw load /etc/fw/conf/your-filtername.pf

NOTES:
1. If you have a large number of separate internal networks (more than 20),
   the process of entering details for each by hand will be time-consuming.
   You may wish to call your FireWall-1 support provider for advice on
   simplifying the process.

2. If you are running multiple gateways from the same control workstation,
   and you do not have the same interfaces on all gateway machines 
   (e.g. one machine has an external tr0, while the others do
   not), you may experience a problem installing filters after executing this
   script.  Please contact your FireWall-1 support provider, *before*
   running the 'antispoof' script, to get a patch for this problem.















