Security – How reliable are IP address-based firewall restrictions

firewall, ip, ip address, Security, spoofing

On some of my production systems that need to be accessible outside of the LAN I will sometimes add a firewall restriction at the edge to only permit traffic on, say, RDP from a specific origin IP address or block. Of course, the IP needs to be static (or I need to update it whenever it changes) but my question is how reliable is this as a means of preventing attackers from accessing this system? In the case of RDP (the most common) there is still username/password authentication, but is relying on these IP-based firewall restrictions a bad idea?

My thought originally was that IP spoofing is more useful in denial-of-service, when you don't really care about the packets getting back to the originator, but in terms of gaining elevated access, is it really that easy for an attacker to spoof his IP and have packets somehow routed back to his real address?

Best Answer

As others have said, spoofing a TCP connection is not easy - but still possible. Firewalls help - but don't address the fundamental issue. Authentication is good but only if it is intrinsically secure - hence I'd suggest you consider a VPN. This solves a lot of problems over what access you want to expose remotely (only a single port for a tunnelling VPN) via which you can selectively and securely expose as much as you want without having to worry about the services implementing insecure protocols.
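A source-IP restriction like the one in the question is only as tight as the set of addresses the ordered rule list actually lets through. The following is an added example, not part of the original question or answer: it computes that effective set for a port, assuming a first-match-wins rule model, hypothetical field names (`action`, `src`, `port`) and constructed rules that use documentation address ranges.

```python
import ipaddress

# Constructed sample edge rules (assumed model: evaluated top-down, first match wins).
RULES = [
    {"action": "deny",  "src": "198.51.100.128/25", "port": 3389},
    {"action": "allow", "src": "198.51.100.0/24",   "port": 3389},
    {"action": "allow", "src": "203.0.113.10/32",   "port": 3389},
    {"action": "allow", "src": "0.0.0.0/0",         "port": 443},
    {"action": "deny",  "src": "0.0.0.0/0",         "port": None},  # default deny, any port
]

def exposure(rules, port):
    """Return the source networks that can reach `port` under first-match semantics."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]  # sources not yet matched by a rule
    allowed = []
    for rule in rules:
        if rule["port"] not in (None, port):
            continue  # rule is for a different port
        rule_net = ipaddress.ip_network(rule["src"])
        unmatched = []
        for net in remaining:
            if not net.overlaps(rule_net):
                unmatched.append(net)
            elif net.subnet_of(rule_net):
                # The whole block is decided by this rule.
                if rule["action"] == "allow":
                    allowed.append(net)
            else:
                # CIDR blocks nest, so rule_net lies strictly inside net here.
                if rule["action"] == "allow":
                    allowed.append(rule_net)
                unmatched.extend(net.address_exclude(rule_net))
        remaining = unmatched
    return list(ipaddress.collapse_addresses(allowed))

def exposed_addresses(rules, port):
    """Count the source addresses permitted to reach `port`."""
    return sum(net.num_addresses for net in exposure(rules, port))

if __name__ == "__main__":
    for port in (3389, 443):
        nets = ", ".join(str(n) for n in exposure(RULES, port))
        print(f"port {port}: {exposed_addresses(RULES, port)} source addresses ({nets})")
```

Anything left unmatched by every rule is treated as denied, so a rule list without an explicit default deny is reported as if it had one.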
