Prevent IP Source Address Spoofing in Gateways
Gateways block traffic with fake (spoofed) source IP addresses at network entry points.
Plain language
Gateways, which are entry points to your network, need to block any fake addresses trying to come in. This is like having a bouncer at a club who checks IDs to make sure only real, authorised people get in. Without this check, malicious actors could pretend to be someone they’re not and sneak into your network, potentially accessing sensitive data or causing harm.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Gateways perform ingress traffic filtering to detect and prevent IP source address spoofing.
Why it matters
If gateways don't filter spoofed source IPs, attackers can masquerade as trusted hosts, bypass ACLs and enable attacks.
Operational notes
Implement ingress anti-spoofing (BCP38/uRPF) on gateways; maintain allowlists for expected source ranges and alert on drops.
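A small model of the allowlist-based ingress check described above, run over constructed packet records. This is an added example, not code from the ISM or from any gateway product; the interface names, address ranges and function names are assumptions, and it covers IPv4 only.

```python
import ipaddress

# Constructed allowlist (assumption): source ranges expected on each internal interface.
EXPECTED_SOURCES = {
    "lan0": ["10.20.0.0/16"],   # internal user network
    "dmz0": ["192.0.2.0/24"],   # DMZ (documentation range used as a stand-in)
}
EXTERNAL_IFACES = {"wan0"}      # hypothetical Internet-facing interface
# Ranges that should never appear as a source on traffic arriving from outside.
NON_ROUTABLE = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4"]

def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

OWN = [n for cidrs in EXPECTED_SOURCES.values() for n in _nets(cidrs)]

def verdict(iface, src):
    """Return (action, reason) for a packet with source `src` arriving on `iface`."""
    try:
        addr = ipaddress.IPv4Address(src)
    except ValueError:
        return ("drop", "not a valid IPv4 source")
    if iface in EXTERNAL_IFACES:
        if any(addr in n for n in OWN):
            return ("drop", "internal source on external interface")
        if any(addr in n for n in _nets(NON_ROUTABLE)):
            return ("drop", "non-routable source on external interface")
        return ("permit", "external source")
    # Internal or unknown interface: fail closed unless the source is allowlisted.
    if any(addr in n for n in _nets(EXPECTED_SOURCES.get(iface, []))):
        return ("permit", "source in allowlist")
    return ("drop", "source outside allowlist for interface")

def alerts(records):
    """Return (iface, src, reason) for every record the filter would drop."""
    out = []
    for iface, src in records:
        action, reason = verdict(iface, src)
        if action == "drop":
            out.append((iface, src, reason))
    return out

# Constructed sample records: (ingress interface, source address).
SAMPLE = [("wan0", "198.51.100.7"), ("wan0", "10.20.5.9"), ("wan0", "127.0.0.1"),
          ("lan0", "10.20.5.9"), ("lan0", "203.0.113.50")]

if __name__ == "__main__":
    for alert in alerts(SAMPLE):
        print("DROP", *alert)
```

The drop reasons returned by `alerts` are the events to forward to monitoring, so a spike in any one reason on an interface is visible in the daily log review.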
Implementation tips
- IT team should configure the gateway: Ensure the gateway devices are set up to check all incoming traffic for fake addresses. This can be done by adjusting the settings on your firewall or router to verify that incoming requests are from legitimate and known sources.
- System administrator should update filtering rules: Regularly update the rules that the gateway uses to identify fake addresses. This includes staying informed about current threats by reviewing cybersecurity advisories from the Australian Cyber Security Centre (ACSC).
- Network engineer to monitor logs: Set up a system where network logs are reviewed daily to spot any anomalies. This involves checking for repeated access attempts from unusual locations which might indicate spoofing attempts.
- Business owner to establish a review schedule: Schedule quarterly reviews of gateway security with the IT team. Include a review of the logs, settings, and any incidents to ensure everything is functioning correctly.
- Manager to provide training: Ensure that staff responsible for network monitoring are trained in recognising signs of IP spoofing. This includes recognising unusual patterns in the logs and knowing the correct escalation procedures.
Audit / evidence tips
- Ask for gateway configuration documentation: Request the current configuration settings of the network gateway.
  Good: The result shows active filtering rules specifically designed to block spoofed IP addresses.
- Ask for a list of security advisories: Request the records of recent security advisories followed by the organisation.
  Good: The result shows a list of actions taken in response to advisories from credible sources like the ACSC.
- Ask for a report on log reviews: Obtain the logs and the last few reviews conducted on them.
- Ask for the training records of IT staff: Request documentation of recent security training sessions for staff.
  Good: The record will show focused training sessions on identifying and managing spoofing attempts.
- Ask for minutes from review meetings: Request minutes from the last few security review meetings.
Cross-framework mappings
How ISM-1427 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.20 | ISM-1427 requires gateways to perform ingress traffic filtering to detect and prevent IP source address spoofing | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.