July 15th, 2005 09:18 PM
Spoofing external IP addresses?
I work for a bank and will be implementing some new security settings soon via a VPN device...
What I'm wondering - from a security standpoint...is this....
The scenario is as follows - from our internal IP address scheme - the vpn device will be told which IP addresses will be allowed to send traffic to the other end...
From our vpn - it will travel to our host provider - to their firewall/router - and out to the internet where it gets assigned an external IP address. The other end requires us to provide them with that external IP address so that on their end, they will only accept traffic from that external IP address.
My question is this...
Could someone set up a VPN at their house (no matter how costly it may be), and spoof both our internal IP address scheme so that it would leave their network - AND spoof the external IP address to match that of our host provider's?
My impression was that there are no two external IP addresses that are the same and that the external IP addresses could not be spoofed - but Lord knows I've been wrong before....
If there would be another way to compromise this strategy, let me know - we are assuming that the bank's network itself is secure in that someone couldn't "hack" into it to gain access to the real external IP address.
July 15th, 2005 10:11 PM
VPNs usually have other forms of authentication other than simple IP rulesets... pls elaborate on make/software of your VPN
July 16th, 2005 01:03 AM
Yes, they could. And you can get a VPN capable router for 99 bucks at CompUSA so cost is not even a factor in this. VPN will normally authenticate with username/password and hopefully have some encryption tied to it because it is possible to spoof the IP address.
July 16th, 2005 05:53 AM
try using certificate authentication or some type of 3-factor authentication like RSA
to SYN, or not to SYN. That is the question. -Shakespeare?
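The replies above say a source-address rule needs authentication behind it. As an added example (not part of the thread; the addresses, key and function names are constructed for illustration), this compares a receiver that accepts on source address alone with one that also requires a keyed MAC over the payload:

```python
import hashlib
import hmac
import ipaddress

# Constructed sample values: documentation address range and a made-up key.
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.10/32")]
SHARED_KEY = b"constructed-demo-key-not-for-production"


def sign(key: bytes, payload: bytes) -> str:
    """Return a hex HMAC-SHA256 tag over the payload."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def source_allowed(src_ip: str) -> bool:
    """True when the claimed source address is on the allow-list."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in ALLOWED_SOURCES)


def accept_ip_only(src_ip: str, payload: bytes, tag: str) -> bool:
    """Weak rule: trusts whatever source address the message claims."""
    return source_allowed(src_ip)


def accept_ip_and_mac(src_ip: str, payload: bytes, tag: str) -> bool:
    """Stronger rule: address filter plus proof of the shared key."""
    if not source_allowed(src_ip):
        return False
    # Constant-time comparison of the expected and presented tags.
    return hmac.compare_digest(sign(SHARED_KEY, payload), tag)


def evaluate(messages):
    """Return (ip_only, ip_and_mac) decisions for each message."""
    return [(accept_ip_only(*m), accept_ip_and_mac(*m)) for m in messages]


PAYLOAD = b"transfer-batch-0001"  # constructed payload
SAMPLE_MESSAGES = [
    ("203.0.113.10", PAYLOAD, sign(SHARED_KEY, PAYLOAD)),    # genuine peer
    ("203.0.113.10", PAYLOAD, sign(b"wrong-key", PAYLOAD)),  # right address, no key
    ("198.51.100.7", PAYLOAD, sign(SHARED_KEY, PAYLOAD)),    # right key, wrong address
]

if __name__ == "__main__":
    for msg, decision in zip(SAMPLE_MESSAGES, evaluate(SAMPLE_MESSAGES)):
        print(msg[0], decision)
```

This models only the accept decision; it does not cover key exchange or replay protection.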