I am dealing with an application that is protected by a firewall and only allows access from specific IP addresses (which are application web servers).
A bit gentle, and it would be very difficult to introduce another level of authentication / security.
My understanding of network interaction is not very great, because it is not my topic, but in my head I wrote the following scenario:
Someone knows the IP address of one of our application servers and wants to fake it in order to access another application that he knows as a socket and listening protocol.
Therefore, it changes the header of its IP packets to have the Webserver IP address as a transmitter.
What will happen next?
A: his ISP rejects the packet and says, βHey, this is not the IP address that you assigned to me.β - Problem resolved
B: Internet service provider passes the packet to the next level (its uplink ...)
Suppose the ISP was hacked or the packet was transmitted without verification (I do not know if this is the case)
What will happen next?
A: the carrier rejects the packet and says: "Hey, the IP address is not in the IP range that we agreed on, you are working!" - Now, if my web server is not managed by the same provider that was hacked by my attacker - Problema resolved
B: The ISP does not check the package or is not compromised and forwards it through its link.
Now Iβm quite sure that the ARE IP addresses are checked and filtered when the router is transmitted. Otherwise, it would be complete anarchy.
, : , IP-, , IP-, -, - .
, , , - - .
, IP- IP-?
(, !)
, ββ, , . . .
, , , , - , , ?
.
: , - -, , , ?
, NFS IP- . - , NFS- IP-?
, . , -, . - , , , .
!