How to disable "Source Routing"? The SANS standard has this as a checklist

Author
user504892
2021/07/21 07:22:32 (permalink)

The official item is "Ensure that loose source routing and strict source routing (lsrsr & ssrr) are blocked and logged by the firewall."

It's my understanding that "Policy Routes" in FortiGate is the same thing as "Source Routing", since that's where you can route network traffic based on the source. This matches the term "source routing" and the definitions for it and for LSRSR & SSRR that I looked up online.
Can you even disable "Policy Routes"?

Does anyone else comply with SANS and have information on this?


    emnoc
    Expert Member
    Re: How to disable "Source Routing"? The SANS standard has this as a checklist 2021/07/21 16:26:52 (permalink)
    A few things come to mind:

    PBR (policy based routing) is not source routing.

    What you need to study is the loose source routing and strict source routing concepts; almost no upstream devices support datagrams with routing details in the IP header. They will drop these and not route the packets. I believe the FortiGate and any NGFW also does this by design; it's called cleanup strict checking.

    You can maybe test this behavior with traceroute -g "x.x.x.x a.a.a.a c.c.c.c" 1.1.1.1 and run a capture and diag debug flow on your firewall.

    And lastly, I never heard of anybody trying to control this at the FW; they do it at the edge routers.

    Ken Felix

    post edited by emnoc - 2021/07/21 19:59:40

    PCNSE 
    NSE 
    StrongSwan  
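Source routing is carried in the IPv4 header's options field (LSRR type 131, SSRR type 137 in RFC 791), not in a policy route, so a "blocked and logged" control has to inspect those options. The following is an added example written for this thread, not code from the forum or from FortiGate; the packets it parses are constructed inline and the helper names are my own.

```python
# Added example (not from the thread): walk IPv4 header options and flag LSRR/SSRR packets.
import struct
import ipaddress

IPOPT_EOOL, IPOPT_NOP = 0, 1
SOURCE_ROUTE_OPTS = {131: "LSRR", 137: "SSRR"}   # RFC 791 option types 0x83 / 0x89

def parse_ip_options(packet):
    """Return [(option_type, option_data)] from the IPv4 header options area."""
    ihl = (packet[0] & 0x0F) * 4 if len(packet) >= 20 else 0
    if ihl < 20 or ihl > len(packet) or packet[0] >> 4 != 4:
        raise ValueError("not a well-formed IPv4 header")
    opts, i = [], 20
    while i < ihl:
        opt_type = packet[i]
        if opt_type == IPOPT_EOOL:
            break
        if opt_type == IPOPT_NOP:            # single-byte padding option
            i += 1
            continue
        if i + 1 >= ihl or packet[i + 1] < 2 or i + packet[i + 1] > ihl:
            raise ValueError("malformed option")   # malformed options are not trusted either
        length = packet[i + 1]
        opts.append((opt_type, packet[i + 2:i + length]))
        i += length
    return opts

def inspect_source_routing(packet):
    """Return a finding dict if the header carries LSRR/SSRR, else None."""
    src, dst = ipaddress.IPv4Address(packet[12:16]), ipaddress.IPv4Address(packet[16:20])
    for opt_type, data in parse_ip_options(packet):
        if opt_type in SOURCE_ROUTE_OPTS:
            route = data[1:]                 # data[0] is the pointer, then 4-byte hop addresses
            hops = [str(ipaddress.IPv4Address(route[k:k + 4])) for k in range(0, len(route) - 3, 4)]
            return {"option": SOURCE_ROUTE_OPTS[opt_type], "src": str(src), "dst": str(dst), "route": hops}
    return None

def log_line(f):
    """Render a finding as the 'blocked and logged' entry the SANS item asks for."""
    return "DROP source-routed %s %s -> %s via %s" % (f["option"], f["src"], f["dst"], ",".join(f["route"]))

def build_ipv4_header(src, dst, options=b""):
    """Constructed test packet: minimal IPv4 header plus options, padded to a 4-byte boundary."""
    options += b"\x00" * (-len(options) % 4)
    return struct.pack("!BBHHHBBH4s4s", 0x40 | (5 + len(options) // 4), 0, 20 + len(options), 0, 0,
                       64, 6, 0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + options

# Constructed LSRR option: type 0x83, length 11, pointer 4, then two hop addresses (RFC 5737 ranges)
LSRR_OPT = b"\x83\x0b\x04" + ipaddress.IPv4Address("198.51.100.1").packed + ipaddress.IPv4Address("203.0.113.7").packed
SOURCE_ROUTED_PKT = build_ipv4_header("10.0.0.5", "192.0.2.10", LSRR_OPT)
```

Running inspect_source_routing over a capture's IPv4 headers gives the log evidence the checklist item wants; a header with no options returns None.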