
Prevent outbound IP spoofing with the Cisco IOS

David Davis recently discussed how to prevent inbound IP spoofing (http://www.techrepublic.com/article/5100-1035_11-6166899.html), but outbound spoofing also poses a threat to your organization. Find out how to prevent outbound IP spoofing, and learn other steps you can take to keep malicious users from taking advantage of your network.

In a recent article, I discussed the importance of filtering out spoofed traffic from inbound Internet connections ("Prevent IP spoofing with the Cisco IOS"). However, inbound spoofing isn't the only threat out there. In fact, it's just as important to prevent outbound spoofing.

This time, let's look at protecting your organization from the other direction -- preventing spoofed IP packets and other harmful traffic from exiting your network and going to the Internet. You don't want your network to be a haven for malicious activities, right?

Hopefully, there's no malicious activity originating from your organization's network. But that doesn't mean it won't happen. Here are some common malicious activities that you want to prevent:

  • Outbound spoofed IP packets headed toward the Internet
  • SMTP e-mail sent from a PC directly to the Internet
  • Virus and worm traffic originating from your company via e-mail or other ports
  • The hacking of your Internet router

Prevent outbound IP address spoofing

As I mentioned in my previous article, there are certain IP addresses that companies should avoid using for communications on the Internet.

  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16
  • 127.0.0.0/8
  • 224.0.0.0/3
  • 169.254.0.0/16
  • 240.0.0.0/4

Traffic that uses any of these IP addresses as its source is very likely fake and malicious. Not only do you want to prevent traffic with source IP addresses in these ranges from coming in from the Internet, but it's also important to prevent traffic with source IP addresses in these ranges from going out to the Internet.

To do so, create an egress access control list (ACL) filter on the router, and apply it to the Internet interface in the outbound direction. Listing A offers an example.

This prevents any traffic from the specified IP address ranges from exiting your organization's network. (As I mentioned in the article about inbound IP spoofing, another way to protect your network from IP address spoofing is reverse path forwarding (RPF) -- or ip verify. For blocking outbound traffic, you would use the Fast Ethernet 0/0 interface of the router, rather than the serial interface.)
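An egress anti-spoofing ACL built from the address list above, written here as an added example rather than the article's Listing A; Serial0/0 (Internet side) and FastEthernet0/0 (LAN side) are assumed interface names matching the text's description.

```cisco
! Added example (not the article's Listing A). Drops packets whose SOURCE
! address is in one of the ranges listed above before they leave for the
! Internet. Wildcard masks are the inverse of the prefix (/12 -> 0.15.255.255).
ip access-list extended EGRESS-ANTISPOOF
 deny   ip 10.0.0.0     0.255.255.255  any log
 deny   ip 172.16.0.0   0.15.255.255   any log
 deny   ip 192.168.0.0  0.0.255.255    any log
 deny   ip 127.0.0.0    0.255.255.255  any log
 deny   ip 169.254.0.0  0.0.255.255    any log
 remark 224.0.0.0/3 spans 224.0.0.0-255.255.255.255, so the list's
 remark separate 240.0.0.0/4 entry is already covered by this line
 deny   ip 224.0.0.0    31.255.255.255 any log
 permit ip any any
!
! Serial0/0 is assumed to be the Internet-facing interface. An outbound ACL
! is evaluated after inside-to-outside NAT, so legitimately translated LAN
! traffic passes; only packets still carrying a private/bogus source are hit.
interface Serial0/0
 ip access-group EGRESS-ANTISPOOF out
!
! The alternative the text mentions: strict unicast RPF on the LAN interface
! drops any packet whose source is not routed back out that same interface.
! Needs CEF. FastEthernet0/0 is assumed to be the LAN interface.
ip cef
interface FastEthernet0/0
 ip verify unicast source reachable-via rx
```

The `log` keyword on each deny line gives you a record of which internal host is emitting spoofed sources, which is the evidence you need to find the compromised machine.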

In addition to preventing packets with spoofed IP addresses from exiting your corporate network, there are other steps you should take to keep malicious users from taking advantage of your network.

Don't allow SMTP e-mail to send directly from a PC to the Internet

You don't want anyone to use your organization's network to send out spam. To prevent this, your firewall shouldn't allow traffic to come from your PCs and go directly to any port on the Internet.

In other words, control which type of traffic is traveling outbound through your Internet connection. Assuming your company has an internal e-mail server, all SMTP traffic going to the Internet should originate from that in-house server -- not from internal PCs.

You can accomplish this by using your firewall (or ACLs at the minimum) to allow only certain destination ports going to the Internet. For example, most companies only need to allow all PCs to go to ports 80 and 443 on the Internet.
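One way to enforce the SMTP and port restrictions just described with a router ACL, as an added example that is not from the article; the LAN 192.168.1.0/24, the mail server 192.168.1.25, the DNS server 192.168.1.53 and the LAN interface FastEthernet0/0 are all constructed values.

```cisco
! Added example, not from the article. Constructed addresses: LAN is
! 192.168.1.0/24, in-house mail server 192.168.1.25, DNS server 192.168.1.53.
ip access-list extended LAN-EGRESS
 remark Only the mail server may talk SMTP to the Internet
 permit tcp host 192.168.1.25 any eq smtp
 remark Any other host trying port 25 is a spam bot or misconfigured client
 deny   tcp any any eq smtp log
 remark PCs may browse on 80/443 only
 permit tcp 192.168.1.0 0.0.0.255 any eq www
 permit tcp 192.168.1.0 0.0.0.255 any eq 443
 remark Assumed internal DNS server that forwards to the Internet; add a line
 remark like this for each service the business genuinely needs
 permit udp host 192.168.1.53 any eq domain
 remark Everything else is dropped and logged so new needs can be reviewed
 deny   ip any any log
!
! Applied inbound on the LAN interface, i.e. closest to the source. Note that
! an inbound ACL also filters traffic addressed to the router itself, so a
! management session from the LAN to this router needs its own permit line,
! and this list assumes the router connects only the LAN and the Internet.
interface FastEthernet0/0
 ip access-group LAN-EGRESS in
```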

Keep virus and worm traffic from originating from your company

In many ways, you can prevent virus and worm traffic by controlling the ports used by client systems on the LAN to communicate to the Internet. However, restricting ports only goes so far, and malicious users can usually find a way around port restrictions.

To further prevent viruses and worms, consider using some kind of unified threat management (UTM) appliance such as Cisco ASA or Fortinet. Classified as anti-X appliances, both of these options block a number of security threats. For more information, check out Cisco's "Deployment Considerations: Comparing Converged and Dedicated Security Appliances" white paper.

Prevent the hacking of your Internet router

To secure your router, make sure you've configured SSH on your Cisco router, set up an ACL to define the source IP addresses of your management consoles, and run Cisco's Security Device Manager (SDM) Security Audit feature to ensure you didn't miss plugging any of the common security holes.
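The SSH and management-ACL part of that checklist as IOS configuration, added here as an example rather than taken from the article; the hostname, domain name, the console addresses 192.168.1.10 and 192.168.1.11, and the user name are all constructed placeholders.

```cisco
! Added example, not from the article. Constructed values: hostname, domain,
! management consoles 192.168.1.10 and 192.168.1.11, local user netadmin.
hostname edge-rtr
ip domain-name example.internal
! SSH needs an RSA key pair; generate it before enabling SSH version 2 only
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Only these consoles may open a management session to the router
ip access-list standard MGMT-HOSTS
 permit 192.168.1.10
 permit 192.168.1.11
 deny   any log
!
! Local account (central AAA is preferable where available); VTY lines accept
! SSH only, and only from the hosts in MGMT-HOSTS
username netadmin privilege 15 secret <strong-password-placeholder>
line vty 0 4
 login local
 transport input ssh
 access-class MGMT-HOSTS in
 exec-timeout 10 0
!
! SDM itself connects over HTTPS, so keep the secure server but turn off the
! plaintext one, and retire legacy services that serve no purpose on an edge router
no ip http server
ip http secure-server
no service finger
no cdp run
```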

Remember: While it's important to protect your private network from attackers on the Internet, it's just as vital to prevent these attackers from taking advantage of your network for their malicious ways. These four methods go a long way toward doing just that.

What steps have you taken to prevent attackers from using your network to launch attacks? Are you performing egress IP spoof filtering? Do you have a unified threat management appliance that filters outbound traffic for viruses and worms? Share your methods in this article's discussion.


David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.

4 comments
tomtourville

For the purposes the author describes of blocking internal traffic from exiting my network and going to the Internet, I wonder if I've been doing this incorrectly. I've been applying this same list as Inbound (Ingress) to my Internal interface. Is there an advantage to applying it as the author says as an Egress list on the External (Internet-facing) interface?

georgeou

Restricting outbound web access from DMZ is good too. That alone would have stopped the Code Red worm since the exploit can't go out and download the rest of the payload.

ddavis

Hi Tom, This is a good question. Thanks for reading and posting! You always want to block traffic closest to the SOURCE of that traffic. In the case of this anti-spoofing list with all the special/private IP addresses, I chose to apply it to the interface closest to the Internet because I know that there shouldn't be any IP packets with those addresses going out that interface. Now, if you know that your router doesn't need to communicate with any of those other networks, then you could apply it to the LAN interface as long as your internal network isn't included in the list. In other words, say that your router only communicates with the LAN and the Internet and you have a 192.168.1.0/24 network. You could remove that net from this list and apply the list to your internal LAN interface inbound. Thanks for reading TechRepublic! David

Dumphrey

of a performance bonus in putting it on the inbound LAN interface? And would that not still allow that network outbound access?
