IP spoofing in VPN Site-to-Site implementation

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [Threat Management Gateway (TMG) 2010] >> General >> IP spoofing in VPN Site-to-Site implementation Page: [1]
Login
Message << Older Topic   Newer Topic >>
IP spoofing in VPN Site-to-Site implementation - 31.Jul.2012 3:24:33 AM   
Virginity
Posts: 1
Joined: 18.Jun.2012
Status: offline
Hello!
There are many posts about IP spoofing issues, but I decided to create a new topic rather than reply in someone else's thread.

I've got a Site-to-Site implementation with the following details:
- TMG2010 SP2 (Win2k8 SP1 box) in the Branch Office;
- ISA2006 SP1 (Win2k3 SP2 box) in the Main Office;
- S2S protocol is L2TP/IPSec (with machine certificates).
See the picture for more details:
ftp://ftp.efes.kz/network_diagram.png

Occasionally TMG detects IP spoofing attacks coming from the Branch internal network. As a result, clients from the Branch can't access any resources located in the Main Office.

After some investigation I learned the source of that behavior:
1. TMG (or Win2k8 itself) registers the IPs of both the virtual PPP adapter (Branch) and the Ethernet LAN adapter in the DNS zone.
2. A client asks the DNS server for the IP address of TMG.domain.local;
3. Sometimes the DNS server responds to the client with TMG's IP address assigned to the PPP adapter instead of the LAN adapter's IP address (due to the Round Robin feature).
4. The client tries to connect to the IP address of TMG which is associated with the S2S network (Branch in my case) and raises an IP spoofing attack.

I had several Site-to-Site installations (using Win2k3 and ISA2004/2006) in the past and never faced such problems. Perhaps because Win2k3 never tried to register the IP addresses of virtual adapters in DNS, or these attempts failed. By the way, the DNS feature called "Netmask ordering" is enabled but doesn't work as expected.

To get rid of these alarms and to provide clients with clear access to the Main Office's resources, I unchecked the "Register this connection's address in DNS" checkbox in the TCP\IP properties of the PPP adapter representing the remote network (Branch in my case), either through the "netsh" command or through the "Routing and Remote Access" MMC console.
After that I received no complaints from clients and saw no warnings in the TMG console regarding IP spoofing.

< Message edited by Virginity -- 31.Jul.2012 3:26:19 AM >
Post #: 1
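The symptom described in the post (round robin handing out the PPP address of the TMG box) can be confirmed from any domain client, and the adapter registration state can be listed on the TMG box itself. The script below is an added example and is not code from the original post; the PPP pool 10.255.0.0/24 is an assumed placeholder, and the hostname TMG.domain.local is the one quoted in the post.

```powershell
# Added example, not from the original post. Assumptions: the S2S PPP address
# pool is 10.255.0.0/24 (placeholder) and the TMG host name is TMG.domain.local.
$TmgName   = 'TMG.domain.local'
$PppSubnet = '10.255.0.0'   # assumed PPP pool handed out on the S2S link
$PppPrefix = 24
$Attempts  = 10             # several queries so round robin has a chance to show up

function Test-InSubnet {
    param([string]$Ip, [string]$Network, [int]$Prefix)
    # IPv4 only: compare both addresses under the /Prefix mask.
    $ipBytes  = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $netBytes = [System.Net.IPAddress]::Parse($Network).GetAddressBytes()
    if ($ipBytes.Length -ne 4 -or $netBytes.Length -ne 4) { return $false }
    [Array]::Reverse($ipBytes); [Array]::Reverse($netBytes)   # little-endian for ToUInt32
    $ipNum  = [uint64][BitConverter]::ToUInt32($ipBytes, 0)
    $netNum = [uint64][BitConverter]::ToUInt32($netBytes, 0)
    $mask   = [uint64](([math]::Pow(2, 32) - [math]::Pow(2, 32 - $Prefix)))
    return (($ipNum -band $mask) -eq ($netNum -band $mask))
}

# 1. From a client: resolve the TMG name repeatedly and flag PPP-range answers.
#    The local resolver cache can hide round robin; run "ipconfig /flushdns"
#    between attempts if every query returns the same address.
$seen = @{}
for ($i = 0; $i -lt $Attempts; $i++) {
    foreach ($addr in [System.Net.Dns]::GetHostAddresses($TmgName)) {
        if ($addr.AddressFamily -eq 'InterNetwork') { $seen[$addr.IPAddressToString] = $true }
    }
}
foreach ($ip in $seen.Keys) {
    if (Test-InSubnet -Ip $ip -Network $PppSubnet -Prefix $PppPrefix) {
        Write-Warning "$TmgName resolves to PPP address $ip - clients using it will trip the spoofing alert"
    } else {
        Write-Host "$TmgName -> $ip (LAN address)"
    }
}

# 2. On the TMG box: list IP-enabled adapters and whether each still registers in DNS.
#    Any adapter bound to the S2S link should show FullDNSRegistrationEnabled = False
#    after the "Register this connection's address in DNS" box has been cleared.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, @{n='IPAddress';e={$_.IPAddress -join ','}}, FullDNSRegistrationEnabled |
    Format-Table -AutoSize
```

Running part 1 from a Branch client while part 2 runs on the TMG box ties the DNS answer a client actually receives to the adapter that registered it.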
