[c-nsp] OT: Check Point v Cisco PIX (ASA 5500 Series)
Yaroslav Doroshenko
yard at mtu.ru
Fri Apr 4 14:37:30 EDT 2008
I believe dropping is also preferable if you need more performance and
bandwidth capacity, although I'm not sure whether sending a RST costs CPU time on
the ASA platform.
On Apr 4, 2008, at 7:18 PM, <nick.nauwelaerts at thomson.com> wrote:
>> I'd tend to think that it's less about portscans and more about preventing
>> someone using you to perform a bounced RST flood. Just my 0x2.
>
> That's a good argument, but you can use your regular rate limiters
> (which are in place for ICMP, for example) and anomaly detection for
> that, or whatever antispoofing you might have in place.
--
Yaroslav Doroshenko