Re: Scan of TCP 552-554
From: Frank Knobbe (fknobbe at knobbeits.com)
Date: Mon Jul 28 2003 - 15:49:26 CDT
On Mon, 2003-07-28 at 12:54, Rodrigo Barbosa wrote:
> My reasoning is that you have to trust your firewall. Sooner or later, the
> attacker will bruteforce it. So, the longer it takes for the
> attacker to understand there is a firewall there, the better. That is
> why I'm considering using tcp-reset. This way, the attacker will hit
> the traps faster. Maybe even same traps that will block his attack
> entirely.
Sure, everything can be figured out over time. To answer your question,
personally I drop everything silently on the firewall (like Russel) on
the outside interface. On the inside interface I prefer to send a
TCP-Reset so that internal devices get on with their business and don't
hang in timeout states. Keep in mind that my policy (just like yours I
hope) takes a "deny all, allow required" stance. Firewalls that allow
all and filter out certain port ranges may be better off with TCP-RST
while deny-all firewalls may be better off with silent drops.
I don't think you will always be able to completely hide a system though
(especially when it serves a purpose, like email ;)
However, a thought just came to mind. Would it be better (from a
cover-up point of view) to have the firewall send a spoofed
ICMP-Host-Unreachable packet with the router's IP address? :)
Cheers,
Frank
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (FreeBSD)
iD8DBQA/JYxVpo+MRgtrF98RAhWNAJ9GIw3Gmdqo4QjRzV8gA8k7I7LgNACeMYdz
CFwL8RWP4gCeRVb5MKQorAI=
=anBk
-----END PGP SIGNATURE-----
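As an added example that is not part of Frank's message or the thread, the following pf.conf fragment implements the split he describes: a deny-all baseline, silent drops on the outside interface, TCP resets (and ICMP unreachables for UDP) on the inside interface so internal hosts fail fast, and a single permitted service. Interface names, the mail relay address and the assumption that the relay is routed behind the firewall are all assumptions, not anything stated in the thread.

```pf
# Added example, not from the thread. Interface names and addresses are assumed.
ext_if = "fxp0"          # outside interface (assumed name)
int_if = "fxp1"          # inside interface (assumed name)
mail_srv = "192.0.2.10"  # constructed example address for the mail relay

# "Deny all, allow required": anything not explicitly passed below is blocked.
set block-policy drop
block in all
block out all

# Outside interface: drop silently. A probe gets no answer and must time out,
# which is what Frank does "on the outside interface".
block drop in on $ext_if all

# Inside interface: answer with TCP RST (ICMP unreachable for UDP) so internal
# devices "get on with their business" instead of hanging in timeout states.
block return-rst  in on $int_if proto tcp all
block return-icmp in on $int_if proto udp all

# The one service that must be reachable from outside: SMTP to the relay.
# Frank's point that a mail server cannot be fully hidden applies here.
pass in on $ext_if proto tcp from any to $mail_srv port 25 flags S/SA keep state

# Inside hosts may go out, statefully; replies come back through state, not rules.
pass in  on $int_if from $int_if:network to any keep state
pass out on $ext_if from any to any keep state
```

pf uses last-match semantics without `quick`, so the per-interface block rules refine the deny-all defaults and the later `pass` rules override both only for the traffic they name. Check the syntax before loading with `pfctl -nf /etc/pf.conf`. Frank's closing idea of a spoofed ICMP host-unreachable carrying the upstream router's address is not something this fragment does; `return-icmp (host-unr)` is pf's closest built-in, but it is generated by the firewall itself.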