[c-nsp] OT: Check Point v Cisco PIX (ASA 5500 Series)
robbie.jacka at regions.com
Fri Apr 4 11:03:38 EDT 2008
I'd tend to think that it's less about portscans and more about preventing
someone using you to perform a bounced RST flood. Just my 0x2.
--
robbie
From: <nick.nauwelaerts@thomson.com>
Sent by: cisco-nsp-bounces@puck.nether.net
To: <cisco-nsp at puck.nether.net>
Date: 04/04/2008 09:55 AM
Subject: Re: [c-nsp] OT: Check Point v Cisco PIX (ASA 5500 Series)
> -----Original Message-----
> From: A.L.M.Buxey at lboro.ac.uk [mailto:A.L.M.Buxey at lboro.ac.uk]
> Sent: Friday, April 04, 2008 16:42
> To: Javier Liendo
> Cc: Nauwelaerts, Nick (TCM); cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] OT: Check Point v Cisco PIX (ASA 5500 Series)
>
> Hi,
>
> > for a firewall, not sending an RST for a denied connection, isn't it
> > the "Right Thing" to do?
>
> ah, the perennial DROP or REJECT question.
Yup, I'm for rejecting. It's what applications expect and I still have not
heard any convincing arguments as to why I would want to drop instead. It
seems dropping increases your security in some magical way, but for a well
done portscan dropping isn't even an extra hurdle. All dropping does is
make troubleshooting a pain.
// nick
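An added illustration of the two behaviours being argued over above (this is not code from either poster, and the addresses, port and rate cap are constructed for the example): a tiny stateless filter model that returns whatever the denied SYN's sender receives under DROP and under REJECT. It shows the "bounced RST" concern, a REJECT rule answers toward whatever source address the SYN carried, so SYNs forged with a victim's address turn the firewall into an RST reflector, and it shows what a SYN scan reports for a denied port in each case (an RST reads as "closed", silence as "filtered"). The optional per-second RST budget is the usual compromise when a site keeps REJECT.

```python
"""DROP vs REJECT for denied inbound TCP: what the sender (or a spoofed
third party) receives. Added example for the thread above, not code from
the list post. FIREWALL, VICTIM, the port and the rate cap are constructed."""
from collections import namedtuple

Packet = namedtuple("Packet", "src dst dport flags")


class Filter:
    """Stateless filter with a single deny policy for inbound SYNs.

    policy: "DROP"   -> discard silently, no reply
            "REJECT" -> answer with a TCP RST toward the packet's source
    rst_per_second: optional cap on RSTs emitted in any one-second window;
                    over budget the filter falls back to dropping.
    """

    def __init__(self, policy, rst_per_second=None):
        if policy not in ("DROP", "REJECT"):
            raise ValueError(policy)
        self.policy = policy
        self.rst_per_second = rst_per_second
        self._window = None
        self._sent_in_window = 0

    def handle(self, pkt, now):
        """Return the reply emitted for a denied SYN, or None."""
        if "SYN" not in pkt.flags:
            return None
        if self.policy == "DROP":
            return None
        # REJECT: the RST goes to whatever source address the SYN carried;
        # the filter cannot tell whether that address is forged.
        if self.rst_per_second is not None:
            window = int(now)
            if window != self._window:
                self._window, self._sent_in_window = window, 0
            if self._sent_in_window >= self.rst_per_second:
                return None
            self._sent_in_window += 1
        return Packet(src=pkt.dst, dst=pkt.src, dport=None, flags="RST")


FIREWALL = "198.51.100.1"   # constructed: the filtering host
VICTIM = "203.0.113.9"      # constructed: forged source / reflection target


def reflected_rsts(policy, syn_count, rst_per_second=None):
    """Count RSTs that land on VICTIM when an attacker sends syn_count SYNs
    to FIREWALL with VICTIM as the forged source, all within one second."""
    fw = Filter(policy, rst_per_second)
    hits = 0
    for i in range(syn_count):
        syn = Packet(src=VICTIM, dst=FIREWALL, dport=25, flags="SYN")
        reply = fw.handle(syn, now=i / max(syn_count, 1))
        if reply is not None and reply.dst == VICTIM:
            hits += 1
    return hits


def scanner_view(policy):
    """What a SYN scan reports for a denied port: an RST means 'closed',
    silence means 'filtered' (the scanner has to wait for a timeout)."""
    fw = Filter(policy)
    syn = Packet(src="192.0.2.7", dst=FIREWALL, dport=25, flags="SYN")
    return "closed" if fw.handle(syn, now=0.0) else "filtered"


if __name__ == "__main__":
    for policy in ("DROP", "REJECT"):
        print(policy, scanner_view(policy), reflected_rsts(policy, 1000))
    print("REJECT capped at 50/s:", reflected_rsts("REJECT", 1000, 50))
```

Note that a reflected RST is a bare TCP header, no larger than the SYN that provoked it, so the reflector adds no volume; what it adds is the firewall's own address as the apparent origin of the traffic hitting the victim. The rate cap bounds how much of that a single box will emit without giving up the faster "closed" answer for ordinary clients.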
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/