
    Example: Blocking IP Spoofing

    This example shows how to configure a screen to block IP spoof attacks.


    Before you begin, understand how IP Spoofing works. See Understanding IP Spoofing.


    One method of attempting to gain access to a restricted area of a network is to insert a bogus source address in the packet header to make the packet appear to come from a trusted source. This technique is called IP spoofing.

    In this example, you configure a screen called screen-1 to block IP spoof attacks and enable the screen in the zone-1 security zone.


    Step-by-Step Procedure

    To block IP spoofing:

    1. Configure the screen.
      [edit]
      user@host# set security screen ids-option screen-1 ip spoofing
    2. Enable the screen in the security zone.
      [edit]
      user@host# set security zones security-zone zone-1 screen screen-1
    3. If you are done configuring the device, commit the configuration.
      [edit]
      user@host# commit


    To confirm that the configuration is working properly, perform these tasks:

    Verifying the Screens in the Security Zone


    Verify that the screen is enabled in the security zone.


    From operational mode, enter the show security zones command.


    user@host> show security zones
    Security zone: zone-1
      Send reset for non-SYN session TCP packets: Off
      Policy configurable: Yes  
      Screen: screen-1  
      Interfaces bound: 1

    Verifying the Security Screen Configuration


    Display the configuration information about the security screen.


    From operational mode, enter the show security screen ids-option screen-name command.


    user@host> show security screen ids-option screen-1
    Screen object status:
      Name                      Value
      IP spoofing               enabled   
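
The two verification steps above can be scripted to audit every zone at once. The following is an added example, not part of the original Juniper documentation: it parses saved text from both show commands and reports zones that have no screen bound or whose screen does not report IP spoofing as enabled. The sample text, the zone-2 zone and the function names are constructed for illustration, and the script assumes an unscreened zone simply has no "Screen:" line in its output.

```python
import re

# Constructed sample output, not from a device; zone-2 is a hypothetical unscreened zone.
SAMPLE_ZONES = """\
Security zone: zone-1
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Screen: screen-1
  Interfaces bound: 1

Security zone: zone-2
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
"""
SAMPLE_SCREEN = """\
Screen object status:
  Name                      Value
  IP spoofing               enabled
"""

def zone_screens(zones_text):
    """Map zone name -> bound screen; None if no 'Screen:' line (assumed unscreened)."""
    zones, current = {}, None
    for line in zones_text.splitlines():
        m = re.match(r"\s*Security zone:\s*(\S+)", line)
        if m:
            current = m.group(1)
            zones[current] = None
            continue
        m = re.match(r"\s*Screen:\s*(\S+)", line)
        if m and current is not None:
            zones[current] = m.group(1)
    return zones

def spoofing_enabled(screen_text):
    """True if the screen status table has an 'IP spoofing ... enabled' row."""
    return re.search(r"^\s*IP spoofing\s+enabled\s*$", screen_text, re.M) is not None

def audit(zones_text, screen_texts):
    """List (zone, reason) pairs; screen_texts maps screen name -> its show output."""
    findings = []
    for zone, screen in zone_screens(zones_text).items():
        if screen is None:
            findings.append((zone, "no screen bound"))
        elif not spoofing_enabled(screen_texts.get(screen, "")):
            findings.append((zone, f"{screen}: IP spoofing not enabled"))
    return findings

print(audit(SAMPLE_ZONES, {"screen-1": SAMPLE_SCREEN}))
```

An empty list means every zone in the supplied output is bound to a screen that reports IP spoofing as enabled.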

    Published: 2012-10-05