
Example: Blocking IP Spoofing

This example shows how to configure a screen to block IP spoof attacks.

Requirements

Before you begin, understand how IP Spoofing works. See Understanding IP Spoofing.

Overview

One method of attempting to gain access to a restricted area of a network is to insert a bogus source address in the packet header to make the packet appear to come from a trusted source. This technique is called IP spoofing.

In this example, you configure a screen called screen-1 to block IP spoof attacks and enable the screen in the zone-1 security zone.

Configuration

Step-by-Step Procedure

To block IP spoofing:

  1. Configure the screen.
    [edit]
    user@host# set security screen ids-option screen-1 ip spoofing
  2. Enable the screen in the security zone.
    [edit]
    user@host# set security zones security-zone zone-1 screen screen-1
  3. If you are done configuring the device, commit the configuration.
    [edit]
    user@host# commit

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying the Screens in the Security Zone

Purpose

Verify that the screen is enabled in the security zone.

Action

From operational mode, enter the show security zones command.

user@host> show security zones
Security zone: zone-1
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes  
  Screen: screen-1  
  Interfaces bound: 1
  Interfaces:
    ge-1/0/0.0

Verifying the Security Screen Configuration

Purpose

Display the configuration information about the security screen.

Action

From operational mode, enter the show security screen ids-option screen-name command.

user@host> show security screen ids-option screen-1
Screen object status:

  Name                      Value
  IP spoofing               enabled   
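
The two checks above can also be run offline against an exported configuration. The following is an added example, not part of the original page and not Juniper tooling: a Python check that reads configuration in set format (for instance the output of show configuration | display set) and lists security zones that have no screen attached or whose screen does not enable IP spoofing. The names zone-2, zone-3, screen-2 and the extra interfaces are hypothetical and constructed for the sample.

```python
import re

# Constructed sample in "display set" form; zone-2, zone-3, screen-2 and
# the extra interfaces are hypothetical names added for this example.
SAMPLE_CONFIG = """\
set security screen ids-option screen-1 ip spoofing
set security screen ids-option screen-2 icmp ping-death
set security zones security-zone zone-1 interfaces ge-1/0/0.0
set security zones security-zone zone-1 screen screen-1
set security zones security-zone zone-2 interfaces ge-1/0/1.0
set security zones security-zone zone-2 screen screen-2
set security zones security-zone zone-3 interfaces ge-1/0/2.0
"""

SCREEN_RE = re.compile(r"^set security screen ids-option (\S+) (.+)$")
ZONE_RE = re.compile(r"^set security zones security-zone (\S+)(?: (.+))?$")

def audit_spoofing(config_text):
    """Return {zone: finding} for zones lacking an IP-spoofing screen."""
    spoof_screens = set()   # screen names that set 'ip spoofing'
    zone_screen = {}        # zone name -> attached screen name, or None
    for raw in config_text.splitlines():
        line = " ".join(raw.split())        # normalise whitespace
        m = SCREEN_RE.match(line)
        if m:
            if m.group(2) == "ip spoofing":
                spoof_screens.add(m.group(1))
            continue
        m = ZONE_RE.match(line)
        if m:
            zone, rest = m.group(1), m.group(2) or ""
            zone_screen.setdefault(zone, None)   # remember every zone seen
            parts = rest.split()
            if len(parts) == 2 and parts[0] == "screen":
                zone_screen[zone] = parts[1]
    findings = {}
    for zone, screen in sorted(zone_screen.items()):
        if screen is None:
            findings[zone] = "no screen attached"
        elif screen not in spoof_screens:
            findings[zone] = f"screen {screen} lacks ip spoofing"
    return findings

if __name__ == "__main__":
    for zone, why in audit_spoofing(SAMPLE_CONFIG).items():
        print(f"{zone}: {why}")
```

A zone that references a screen name with no matching ids-option definition is reported the same way as one whose screen lacks the option.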

 
       

Published: 2012-10-05