[Dshield] firewall policy recommendations

Shannon Johnston sjohnston at cavion.com
Wed May 29 16:17:30 GMT 2002


The drop argument is one that I will always support. Not only does it
have the advantage of not revealing that anything is there, but you
don't have to waste the bandwidth sending RST back to the scanner.

It also provides protection for outside victims, since an attacker may use
my system as one of many reflective flooding devices.

Shannon Johnston

On Wed, 2002-05-29 at 08:01, Chad Albert wrote:
> I am curious to know what most people on this list think is the best
> practice when blocking traffic with a firewall.  I see many firewalls that
> drop unwanted TCP packets, many that send an RST packet, some drop unwanted
> UDP, and some send ICMP type 3 (destination unreachable).  I have heard
> arguments that suggest RST packets and ICMP type 3 hide the fact that you
> have a firewall by responding as if it were coming from a non-protected host
> that is just not listening on any ports.  This makes it harder for an
> attacker to size up his / her target.  I have also heard the opinion that
> dropping the packets will just make it harder for the attacker to get to the
> host at all.  I tend to lean toward the second option since it is generally
> not that hard to see that there is a firewall in place and examining the
> responses can give away make and model, but I would like to hear from other
> firewall admins to see if my opinion needs to change.
> 
> TIA
> 
> Chad Albert
> 
> =========================================
> Microsoft     "Where do you want to go today?"
> Linux           "Where do you want to go tomorrow?"
> FreeBSD     "Are you guys coming or what?"
> =========================================
> 
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
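
The two policies the thread compares, written out as an added example (this is not code from either poster, and the list never shows a rule set). It assumes Linux iptables syntax; the interface name eth0, the trusted range 10.0.0.0/8 and the allowed port 22 are placeholders. The "drop" policy sends nothing back, so the firewall cannot be turned into a reflector; the "reject" policy answers every TCP probe with an RST and every UDP probe with ICMP port-unreachable, which is one reply per probe to whatever source address the prober put on the packet. Without `APPLY=1` the script only prints the rules, so it can be inspected before anything is loaded.

```shell
#!/bin/sh
# Added example (not from the Dshield thread): emit the iptables rules for a
# silent-drop policy versus a reject policy so the two can be compared.
# Placeholders: eth0, 10.0.0.0/8 and port 22 stand in for a real interface,
# trusted network and allowed service.

# Print the rules for one policy. $1 is "drop" or "reject".
policy_rules() {
    case "$1" in
        drop)
            # Silent drop: no RST, no ICMP, nothing goes back to the sender.
            printf '%s\n' \
                '-A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
                '-A INPUT -i eth0 -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT' \
                '-A INPUT -i eth0 -p tcp -j DROP' \
                '-A INPUT -i eth0 -p udp -j DROP' \
                '-A INPUT -i eth0 -p icmp --icmp-type echo-request -j DROP'
            ;;
        reject)
            # Reject: TCP gets an RST, UDP gets ICMP type 3 code 3, mimicking a
            # host with nothing listening. Each probe now produces one reply
            # packet addressed to the (possibly spoofed) source.
            printf '%s\n' \
                '-A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
                '-A INPUT -i eth0 -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT' \
                '-A INPUT -i eth0 -p tcp -j REJECT --reject-with tcp-reset' \
                '-A INPUT -i eth0 -p udp -j REJECT --reject-with icmp-port-unreachable'
            ;;
        *)
            echo "usage: policy_rules drop|reject" >&2
            return 2
            ;;
    esac
}

# Count the rules in a policy that generate a reply to the sender; this is
# the number of ways the firewall can be used as a reflector.
reply_rule_count() {
    policy_rules "$1" | grep -c -- '-j REJECT' || true
}

# Load the chosen policy with iptables-restore only when explicitly asked;
# otherwise just print it for review.
apply_policy() {
    if [ "${APPLY:-0}" = "1" ]; then
        { echo '*filter'; policy_rules "$1"; echo 'COMMIT'; } | iptables-restore --noflush
    else
        policy_rules "$1"
    fi
}

# Usage: ./firewall-policy.sh drop   (print)   or   APPLY=1 ./firewall-policy.sh drop
[ -n "$1" ] && apply_policy "$1"
```

One practical refinement, still in the defender's interest: keep the silent drop on the Internet-facing interface but use `REJECT` for probes arriving from your own trusted networks, so that misconfigured internal clients fail fast instead of hanging on a timeout; the reflection concern only applies where the source address cannot be trusted.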