Understood, and agreed, in most cases it might well be a good idea to be
fairly obscure about what you do and do not allow.  Then again, certain
services like auth/ident are commonly thought to be useless in that the
information can be forged.  Those kinds of services, unless there is a
compelling reason to attempt to completely obscure your setup and hide
everything from a potential attacker, an rst might not be all that
painful.  It depends upon the assets and the needs of the network you are
protecting.  One size seldom fits all...

Thanks,

Ron DuFresne



On Mon, 13 Mar 2000, dan Harrison wrote:

> Once you tell an attacker what protocol and port you don't want to 
> talk on they know where to focus their attacks. It might be 
> considered good net-iquette but it's bad security to let the other 
> guy know anything beyond what you have to. Yes you might have 
> legitimate traffic hanging but if the traffic is legitimate why would 
> you need to drop or reset?
> 
> Just my 3.33 cents worth.
> 
> Daniel
> 
> 
> 
> >If I understand the ack-syn-rst.... build and tear-down of a connection
> >correctly, just dropping the packets leaves the other end waiting,
> >wondering why yer not acknowledging their request.  This leaves them with
> >a half open connection in their connection tables.  Sending an rst tells
> >them yer just not interested in talking to them on that port/protocol and
> >they close down their end of it.  It's considered good net-etiquette to
> >rst the other side when possible...
> >
> >Thanks,
> >
> >Ron DuFresne
> >
> >
> >On Mon, 13 Mar 2000, Yi Liu wrote:
> >
> >>  Any disadvantages for using service reset inbound vs. standard behavior of
> >>  silently dropping connections?
> >>
> >>    YL
> >>
> >>  > -----Original Message-----
> >>  > From: Lisa Napier [mailto:[EMAIL PROTECTED]]
> >>  > Sent: Monday, March 13, 2000 11:36 AM
> >>  > To: Ron DuFresne; [EMAIL PROTECTED]
> >>  > Cc: Pere Camps; [EMAIL PROTECTED]
> >>  > Subject: Re: Port 113
> >>  >
> >>  >
> >>  > Groan... Apologies to all.  I can only say it was a
> >>  > pre-coffee url copy.
> >>  >
> >>  > Here's the real one:
> >>  >
> >>  >   http://www.cisco.com/warp/public/110/2.html
> >>  >
> >>  > Many thanks for pointing out my error.
> >>  >
> >>  > Lisa Napier
> >>  > Product Security Incident Response Team
> >>  > Cisco Systems
> >>  > http://www.cisco.com/warp/public/707/sec_incident_response.shtml
> >>  >
> >>  > PGP:  A671 782D 2926 B489 F81A 3D5E B72F E407 B72C AF1F
> >>  > ID: 0xB72CAF1F, DH/DSS 2048/1024
> >>  >
> >>  > At 01:27 PM 03/13/2000 -0600, Ron DuFresne wrote:
> >>  >
> >>  > >Lisa,
> >>  > >
> >>  > >Yer URL, here, returns a "cannot connect to remote host" message.
> >>  > >
> >>  > >Thanks,
> >>  > >
> >>  > >Ron DuFresne
> >>  > >
> >>  > >
> >>  > >On Mon, 13 Mar 2000, Lisa Napier wrote:
> >>  > >
> >>  > > > Hi all,
> >>  > > >
> >>  > > > http://cco/warp/customer/110/2.html
> >>  > > >
> >>  > > > This URL has the answers to the question.
> >>  > > >
> >>  > > > Thanks much,
> >>  > > >
> >>  > > > Lisa Napier
> >>  > > > Product Security Incident Response Team
> >>  > > > Cisco Systems
> >>  > > > http://www.cisco.com/warp/public/707/sec_incident_response.shtml
> >>  > > >
> >>  > > > PGP:  A671 782D 2926 B489 F81A 3D5E B72F E407 B72C AF1F
> >>  > > > ID: 0xB72CAF1F, DH/DSS 2048/1024
> >>  > > >
> >>  > > > At 12:27 PM 03/11/2000 +0100, Pere Camps wrote:
> >>  > > > >Hello,
> >>  > > > >
> >>  > > > > > request and tries again before giving up.  There was also mention
> >>  > > > > > of a way to have the f/w do something other than silently drop
> >>  > > > > > the packet to allow the server to give up more quickly.
> >>  > > > >
> >>  > > > >         Don't know how to set it up in pix, but what you have to do
> >>  > > > >is to REJECT the packets instead of DENYING them. DENY simply drops
> >>  > > > >them and REJECT drops them AND sends the client an ICMP
> >>  > > > >destination-unreachable packet.
> >>  > > > >
> >>  > > > >         HTH.
> >>  > > > >
> >>  > > > >-- p.
> >>  > > > >
> >>  > > > >-
> >>  > > > >[To unsubscribe, send mail to [EMAIL PROTECTED] with
> >>  > > > >"unsubscribe firewalls" in the body of the message.]
> >>  > > >
> >>  > > >
> >>  > >
> >>  > >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >>  > >"Cutting the space budget really restores my faith in humanity.  It
> >>  > >eliminates dreams, goals, and ideals and lets us get straight to the
> >>  > >business of hate, debauchery, and self-annihilation." -- Johnny Hart
> >>  > >         ***testing, only testing, and damn good at it too!***
> >>  > >
> >>  > >OK, so you're a Ph.D.  Just don't touch anything.
> >>  >
> >>  >
> >>
> >
> >
> 
> 


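The three behaviours argued over in this thread (silently dropping the SYN, answering with a TCP RST, or rejecting with an ICMP destination-unreachable) differ in two measurable ways: how long the other end sits on a half-open entry, and what the sender can infer from the reply. The following Python model is an added example written for this page; it is not code from the list, from Cisco PIX, or from any firewall product. It assumes the RFC 6298 exponential backoff (initial RTO of 1 s, doubling per retransmission), a constructed 50 ms round trip, and the Linux default of six SYN retransmissions; the function names (simulate_connect, stale_half_open_entries) and the Outcome record are invented here.

```python
from dataclasses import dataclass

# Constructed defaults for this example: RFC 6298 initial RTO, a 50 ms
# round trip, and the Linux default of 6 SYN retransmissions
# (net.ipv4.tcp_syn_retries).  Other stacks use other values.
INITIAL_RTO = 1.0
SAMPLE_RTT = 0.05
DEFAULT_SYN_RETRIES = 6


@dataclass(frozen=True)
class Outcome:
    policy: str            # what the filter did with the inbound SYN
    client_error: str      # errno the peer's connect() reports
    seconds_waited: float  # how long the peer holds a half-open entry
    peer_learns: str       # what the peer can infer from the response


def syn_backoff_schedule(syn_retries, initial_rto=INITIAL_RTO):
    """RTO intervals a client waits through before giving up on a SYN that
    gets no answer: the initial send plus `syn_retries` retransmissions,
    each waiting twice as long as the previous one (RFC 6298 backoff)."""
    return [initial_rto * (2 ** i) for i in range(syn_retries + 1)]


def time_to_give_up(syn_retries=DEFAULT_SYN_RETRIES, initial_rto=INITIAL_RTO):
    """Total seconds the peer keeps a half-open connection when the filter
    silently drops every SYN.  With the defaults above: 1+2+...+64 = 127 s."""
    return sum(syn_backoff_schedule(syn_retries, initial_rto))


def simulate_connect(policy, syn_retries=DEFAULT_SYN_RETRIES, rtt=SAMPLE_RTT):
    """What the sending host observes under each policy from the thread:
    'drop' (deny, no reply), 'tcp-reset' (RST sent back), or
    'icmp-unreachable' (reject with ICMP destination unreachable, which
    Linux surfaces as ECONNREFUSED for the port-unreachable code)."""
    if policy == "drop":
        return Outcome(policy, "ETIMEDOUT", time_to_give_up(syn_retries),
                       "nothing: the port looks like a black hole")
    if policy == "tcp-reset":
        return Outcome(policy, "ECONNREFUSED", rtt,
                       "host is up and the port is closed or filtered")
    if policy == "icmp-unreachable":
        return Outcome(policy, "ECONNREFUSED", rtt,
                       "a device in the path explicitly refused the packet")
    raise ValueError(f"unknown policy: {policy}")


def stale_half_open_entries(policy, attempts_per_second,
                            syn_retries=DEFAULT_SYN_RETRIES):
    """Little's law: half-open entries the sender carries at steady state
    equal the arrival rate times the lifetime of each entry.  This is the
    cost a silent drop pushes onto the other end, as Ron describes."""
    outcome = simulate_connect(policy, syn_retries)
    return attempts_per_second * outcome.seconds_waited


if __name__ == "__main__":
    for policy in ("drop", "tcp-reset", "icmp-unreachable"):
        o = simulate_connect(policy)
        print(f"{o.policy:17s} {o.client_error:13s} waits {o.seconds_waited:7.2f}s"
              f"  peer learns: {o.peer_learns}")
</```

Running it shows the trade-off in numbers: a silent drop costs a well-behaved peer about two minutes per attempt (and, at ten attempts a second, over a thousand stale half-open entries), while RST or ICMP reject frees the peer in one round trip at the price of confirming that something answered. Which side of that trade matters more depends on the assets behind the filter, which is the point both Ron and Daniel make.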