A firewall with an external interface configured as 10.10.10.10/24 and a sole internal interface, 192.168.0.254/25, receives egress traffic having a source address 192.168.0.7. Which one of the following actions will the firewall most likely take? (Wentz QOTD)
A. Drop the traffic
B. Forward the traffic as is
C. Forward the traffic after replacing 192.168.0.7 with 10.10.10.10
D. Send an ICMP echo request to 192.168.0.7 to validate the traffic
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is Drop the traffic.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams, and an informative reference for security professionals.
This question is written based on the following configuration:
The IP address, 192.168.0.254/25, of the firewall’s internal interface implies the firewall is connected to an internal network with the IP range 192.168.0.128~192.168.0.255, and it should receive egress traffic originating from the IP range only. In other words, the 192.168.0.7, which belongs to 192.168.0.0~192.168.0.127, is out of the range and might be spoofed. It’s reasonable for the firewall to drop the traffic with spoofed IP.
Why should I perform egress filtering?
Egress filtering prevents you from sending unwanted traffic out to the Internet. This could include leaking out private address space or stopping compromised systems attempting to communicate with remote hosts. Egress filtering can also help prevent information leaks due to misconfiguration, as well as some network mapping attempts. Finally, egress filtering can prevent internal systems from performing outbound IP spoofing attacks.
Source: SANS Egress Filtering FAQ
Physical Interface and Layer 3 Sub-interfaces
A Sole internal interface and a Sole internal network are quite different. If the case is the Sole internal network – then most probably fw will drop the traffic. Sole internal interface doesnt mean there is no another router/fw behind it – so the traffic can be forwarded as is.
Source: Khoren Mamikonyan
Khoren is right. However, there is more work to do. When it comes to Option B. Forward the traffic as is, it requires many assumptions for the firewall to forward the traffic as is. For example, many internal networks exist; one covers 192.168.0.7. They are well connected, routing can work adequately, and firewall policies allow the egress traffic with a source address 192.168.0.7 to pass through. This video demonstrates how to configure a physical network interface to support multiple layer 3 sub-interfaces.
- SANS Egress Filtering FAQ
- Preventing IP Spoofing
- Layer 3 sub-interfaces – Palo Alto Networks FireWall Concepts Training Series
- Global Information Assurance Certification Paper
- What it is IP Spoofing, How to Protect Against It
一台防火牆的外部介面IP設定為10.10.10.10/24，其唯一的內部介面的IP則是192.168.0.254/25. 這台防火牆接收到來源位址為192.168.0.7的對外(egress)流量。以下那項動作防火牆最有可能採取？ (Wentz QOTD)
D. 向192.168.0.7發送ICMP echo請求以驗證流量