[c-nsp] OT: Check Point v Cisco PIX (ASA 5500 Series)
nick.nauwelaerts at thomson.com
Fri Apr 4 10:55:53 EDT 2008
> -----Original Message-----
> From: A.L.M.Buxey at lboro.ac.uk [mailto:A.L.M.Buxey at lboro.ac.uk]
> Sent: Friday, April 04, 2008 16:42
> To: Javier Liendo
> Cc: Nauwelaerts, Nick (TCM); cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] OT: Check Point v Cisco PIX (ASA 5500 Series)
>
> Hi,
>
> > for a firewall, not sending an RST for a denied connection, isn't it
> > the "Right Thing" to do?
>
> ah, the perennial DROP or REJECT question.
Yup, I'm for rejecting. It's what applications expect and I still have not heard any convincing arguments as to why I would want to drop instead. It seems dropping increases your security in some magical way, but for a well-done portscan dropping isn't even an extra hurdle. All dropping does is make troubleshooting a pain.
// nick
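As an added illustration of the troubleshooting point above (this is example code, not part of the original thread), the script below shows what the application side actually sees under each policy: a REJECT (RST or ICMP unreachable) surfaces immediately as a connection error, while a DROP is indistinguishable from a slow or black-holed host until the client's timeout expires. The demo uses two constructed loopback ports, one listening and one closed; the DROP branch is only exercised against a real filtering host.

```python
import errno
import socket
from enum import Enum


class Verdict(Enum):
    OPEN = "open (SYN/ACK received)"
    REJECTED = "closed or REJECTed (RST or ICMP unreachable received)"
    DROPPED = "filtered or DROPped (no reply before timeout)"
    OTHER = "other error"


def classify_connect(host, port, timeout=2.0):
    """One TCP connect attempt, classified by what the client observed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return Verdict.OPEN
        except socket.timeout:
            # A DROP policy: nothing comes back, the client just waits.
            return Verdict.DROPPED
        except OSError as e:
            # REJECT --reject-with tcp-reset -> ECONNREFUSED (same as a closed port);
            # REJECT --reject-with icmp-*-unreachable -> EHOSTUNREACH / ENETUNREACH.
            if e.errno in (errno.ECONNREFUSED, errno.EHOSTUNREACH, errno.ENETUNREACH):
                return Verdict.REJECTED
            return Verdict.OTHER


def demo():
    """Constructed local demo: one listening port and one closed port on loopback."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # nothing listens here now, so the kernel answers with an RST
    try:
        return classify_connect("127.0.0.1", open_port), classify_connect("127.0.0.1", closed_port)
    finally:
        listener.close()


if __name__ == "__main__":
    for verdict in demo():
        print(verdict.value)
```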