Snort mailing list archives

RE: Cisco PIX firewalls..


From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 15 Apr 2002 13:40:19 -0700 (PDT)

On Mon, 15 Apr 2002, Joe Smith wrote:

> I'm not sure about this, but I think I'd disagree with
> you.

[...snip...]

> In short, as long as flexresp were left in its default
> configuration of rst-snd (i.e., only send resets to
> the source IP), I'm thinking it wouldn't cause
> significant issues in an attempted TCP DoS.

You're right.  It would be 'rather difficult' to generate all the needed
packets to form a TCP DOS.  But the original question wasn't really on
flexresp, it was on "auto update blocking rules on firewalls and or routers."

My issues with the whole 'automated' idea are based on two things:

        Personal pain
        Corporate Politics

Trust me when I say that one poorly written rule in an IDS that triggers an
'autoblock' on a firewall and/or router can ruin your whole day/night/week.
:-/  IMHO, you should have an IDS do what an IDS is supposed to do--Detect and
Alert.  It's up to you to examine the alert and make the determination _if_
this was valid traffic or if it is _not_ valid traffic.

But again....  This line of conversation is borderline 'Holy War Material',
and I don't want to start one up--I sure don't want the penalty drinks! ;-)

> Just a thought...

And an excellent one!  :)

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

