FW: DROP or REJECT that is the question...

From: Bryan_McAninch@McAfee.com
Date: Thu Apr 05 2007 - 11:19:59 EDT
This has been debated time and time again, so I'll try to keep my
response concise. It all boils down to how you want your firewall to
appear to an attacker.

Rejects allow you to make a firewall appear as a non-firewalled "normal"
host, so long as you use the proper rejects; IMHO, this is an easily
implemented and effective disinformation tactic. For example, a
non-firewalled host (with no active ports) should respond to UDP
connections with ICMP port unreachables and TCP connections with TCP
resets.

Conversely, if you simply drop the packet, it becomes obvious that
something between the attacker and the target, even the target itself,
is dropping packets. If a host or network is unreachable, which seems to
be the intended goal of dropping packets, the target's previous-hop
router would return an ICMP host unreachable or ICMP network unreachable
error, respectively (something you cannot control).

Just my $.02

Cheers,
Bryan

----- Original Message -----
From: "Mohamed Abdel Kader" <mak.pen@gmail.com>
To: <pen-test@securityfocus.com>
Sent: Tuesday, April 03, 2007 1:07 AM
Subject: DROP or REJECT that is the question...

> All,
>
> I wanted to gather your opinions on whether firewall rules should be
> Dropped or Rejected. To me I believe that both give away the firewall
> rules.
>
> What does everyone out there think?
>
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
>
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
> ------------------------------------------------------------------------



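As an added example (not code from the thread or from either poster), the small Python model below checks Bryan's "so long as you use the proper rejects" caveat: it maps what a closed port sends back under each firewall policy to the state a port scanner would report. Policy labels follow the iptables REJECT --reject-with names, the reply tuples are constructed, and the open/closed/filtered rules follow the usual scanner conventions for ICMP type 3 errors.

```python
# Reply a closed port sends under each policy: "rst" for a TCP reset,
# ("icmp", type, code) for an ICMP error, None for silence (constructed).
POLICIES = {
    "DROP": {"tcp": None, "udp": None},
    # iptables REJECT with no --reject-with argument defaults to
    # icmp-port-unreachable for both protocols.
    "REJECT (default)": {"tcp": ("icmp", 3, 3), "udp": ("icmp", 3, 3)},
    "REJECT tcp-reset / icmp-port-unreachable": {"tcp": "rst", "udp": ("icmp", 3, 3)},
    "REJECT icmp-host-unreachable": {"tcp": ("icmp", 3, 1), "udp": ("icmp", 3, 1)},
    # Reference row: what an unfirewalled host does for a port nothing listens on.
    "no firewall, port closed": {"tcp": "rst", "udp": ("icmp", 3, 3)},
}

# ICMP destination-unreachable codes a scanner reads as "filtered":
# 0 net, 1 host, 2 protocol, 9/10/13 administratively prohibited.
# Code 3 (port unreachable) is handled separately per protocol.
FILTER_CODES = {0, 1, 2, 9, 10, 13}


def classify(proto, reply):
    """Return the port state a scanner would report for one probe reply."""
    if reply is None:
        # Silence: a TCP SYN probe reports filtered; a UDP probe cannot tell
        # a quiet open service from a dropped packet.
        return "filtered" if proto == "tcp" else "open|filtered"
    if reply == "rst":
        return "closed"
    if reply in ("synack", "data"):
        return "open"
    kind, icmp_type, code = reply
    if kind == "icmp" and icmp_type == 3:
        if code == 3:
            # Port unreachable is the native answer of a closed UDP port, but
            # a real TCP stack never answers a SYN with it, so it stands out.
            return "closed" if proto == "udp" else "filtered"
        if code in FILTER_CODES:
            return "filtered"
    return "unknown"


def appearance(policy):
    """Scanner's view of a closed TCP and UDP port under one policy."""
    return {p: classify(p, POLICIES[policy][p]) for p in ("tcp", "udp")}


def looks_like_normal_host(policy):
    """True when the policy is indistinguishable from the unfirewalled host."""
    return appearance(policy) == appearance("no firewall, port closed")


if __name__ == "__main__":
    for name in POLICIES:
        print(f"{name:42} {appearance(name)}")
```

Only the per-protocol reject (TCP reset for TCP, port unreachable for UDP) matches the reference row; plain DROP and the iptables default REJECT both show up as filtered on TCP.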

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:41 EDT