ISM-1427 ASD Information Security Manual (ISM)

Prevent IP Source Address Spoofing in Gateways

Gateways block fake IP addresses to protect network entries.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Feb 2022

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
Gateways perform ingress traffic filtering to detect and prevent IP source address spoofing.

Source: ASD Information Security Manual (ISM)

Plain language

Gateways, which are entry points to your network, need to block any fake addresses trying to come in. This is like having a bouncer at a club who checks IDs to make sure only real, authorised people get in. Without this check, malicious actors could pretend to be someone they’re not and sneak into your network, potentially accessing sensitive data or causing harm.

Why it matters

If gateways don't filter spoofed source IPs, attackers can masquerade as trusted hosts, bypass ACLs and enable attacks.

Operational notes

Implement ingress anti-spoofing (BCP38/uRPF) on gateways; maintain allowlists for expected source ranges and alert on drops.
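An added example, not part of the ISM or of this page's source material: a small Python model of the ingress decision described in the operational note. It combines per-interface source allowlists, a check for internal or non-routable sources arriving on the external interface, and a drop counter that feeds alerting. The interface names, prefixes, alert threshold and sample packets are constructed assumptions, and the model covers IPv4 only.

```python
import ipaddress
from collections import Counter

# Constructed topology: internal interface -> source ranges expected on it.
EXPECTED_SOURCES = {
    "lan0": [ipaddress.ip_network("10.20.0.0/16")],
    "dmz0": [ipaddress.ip_network("192.0.2.0/24")],
}
EXTERNAL_IFACES = {"wan0"}
# Non-routable IPv4 ranges that should never be a source on the external side.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def check_ingress(iface, src):
    """Return (verdict, reason) for a packet with source `src` arriving on `iface`."""
    try:
        addr = ipaddress.IPv4Address(src)
    except ValueError:
        return ("drop", "malformed or non-IPv4 source")  # fail closed
    if iface in EXTERNAL_IFACES:
        # A packet from outside claiming one of our own prefixes is spoofed.
        own = [n for nets in EXPECTED_SOURCES.values() for n in nets]
        if any(addr in n for n in own):
            return ("drop", "internal source on external interface")
        if any(addr in n for n in NON_ROUTABLE):
            return ("drop", "non-routable source on external interface")
        return ("accept", "ok")
    allowed = EXPECTED_SOURCES.get(iface)
    if allowed is None:
        return ("drop", "unknown interface")
    if any(addr in n for n in allowed):
        return ("accept", "ok")
    return ("drop", "source outside allowlist for interface")

def drops_to_alert(packets, threshold=2):
    """Count drops per (iface, reason); return those at or above `threshold`."""
    drops = Counter()
    for iface, src in packets:
        verdict, reason = check_ingress(iface, src)
        if verdict == "drop":
            drops[(iface, reason)] += 1
    return {key: n for key, n in drops.items() if n >= threshold}

# Constructed sample traffic as (ingress interface, source address) pairs.
SAMPLE = [("wan0", "198.51.100.7"), ("wan0", "10.20.5.9"), ("wan0", "10.20.8.1"),
          ("wan0", "127.0.0.1"), ("lan0", "10.20.1.4"), ("lan0", "203.0.113.50"),
          ("dmz0", "192.0.2.10")]
```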

Implementation tips

  • IT team should configure the gateway: Ensure the gateway devices are set up to check all incoming traffic for fake addresses. This can be done by adjusting the settings on your firewall or router to verify that incoming requests are from legitimate and known sources.
  • System administrator should update filtering rules: Regularly update the rules that the gateway uses to identify fake addresses. This includes staying informed about current threats by reviewing cybersecurity advisories from the Australian Cyber Security Centre (ACSC).
  • Network engineer to monitor logs: Set up a system where network logs are reviewed daily to spot any anomalies. This involves checking for repeated access attempts from unusual locations which might indicate spoofing attempts.
  • Business owner to establish a review schedule: Schedule quarterly reviews of gateway security with the IT team. Include a review of the logs, settings, and any incidents to ensure everything is functioning correctly.
  • Manager to provide training: Ensure that staff responsible for network monitoring are trained in recognising signs of IP spoofing. This includes recognising unusual patterns in the logs and knowing the correct escalation procedures.

Audit / evidence tips

  • Ask: gateway configuration documentation: Request the current configuration settings of the network gateway

    Good: result shows active filtering rules specifically designed to block spoofed IP addresses

  • Ask: a list of security advisories: Request the records of recent security advisories followed by the organisation

    Good: result shows a list of actions taken in response to advisories from credible sources like the ACSC

  • Ask: a report on log reviews: Obtain the logs and the last few reviews conducted on them

  • Ask: the training records of IT staff: Request documentation of recent security training sessions for staff

    Good: record will show focused training sessions on identifying and managing spoofing attempts

  • Ask: minutes from review meetings: Request minutes from the last few security review meetings

Cross-framework mappings

How ISM-1427 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (1)

  • Annex A 8.20: ISM-1427 requires gateways to perform ingress traffic filtering to detect and prevent IP source address spoofing
