[Dshield] firewall policy recomendations

Russell Washington russ.washington at vaultsentry.com
Wed May 29 15:17:23 GMT 2002


I vote for the 'drop' option, partly for the reasons you mentioned, and
partly because I don't want my firewall responding to each and every packet
some genius decides to try to flood it out with.

Remember, hackers know what firewalls are and the various 'tricks' they
employ.  If I were trying to hack IP address X, I would probably assume that
if I had the right IP address and I was getting replies of *any* kind, they
were coming from the firewall.  I could be wrong in such an assumption, but
the alternative would be to look elsewhere; so why not pound on whatever's
answering?

And besides, you never know what TCP vulnerabilities your firewall has that
nobody knows about yet.  I say don't give the 'bad guys' an opportunity to
help you find out.

Drop 'em.  Drop 'em all. :)

-----Original Message-----
From: Chad Albert [mailto:chadalbert at mchsi.com] 
Sent: Wednesday, May 29, 2002 7:01 AM
To: list at dshield.org
Subject: [Dshield] firewall policy recomendations


I am curious to know what most people on this list think is the best
practice when blocking traffic with a firewall.  I see many firewalls that
drop unwanted TCP packets, many that send a rst packet, some drop unwanted
UDP, and some send ICMP type 3 (destination unreachable).  I have heard
arguments that suggest rst packets and ICMP type 3 hide the fact that you
have a firewall by responding as if it were coming from a non protected host
that is just not listening on any ports.  This makes it harder for an
attacker to size up his / her target.  I have also heard the opinion that
dropping the packets will just make it harder for the attacker to get to the
host at all.  I tend to lean toward the second option since it is generally
not that hard to see that there is a firewall in place and examining the
responses can give away make and model, but I would like to hear from other
firewall admins to see if my opinion needs to change.

TIA

Chad Albert




=========================================
Microsoft     "Where do you want to go today?"
Linux           "Where do you want to go tomorrow?"
FreeBSD     "Are you guys coming or what?"
=========================================






---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.365 / Virus Database: 202 - Release Date: 5/24/2002

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list




More information about the list mailing list