Firewall Wizards mailing list archives

Firewall intelligence in hiding from scans?


From: Curt Wilson <netw3 () netw3 com>
Date: Thu, 08 Mar 2001 02:05:55 -0600


I work with a Cisco PIX and I've noticed that when
someone performs a sequential scan on our external
address block, any internal system with a static
NAT address that does not have a translation at that
moment will build a translation in response to the
request to the outside IP. For instance, if the
default TCP translation timeout value of three hours is
in place, and no one has sent mail to the SMTP server
in the last three hours, the translation will be
temporarily torn down, only to be rebuilt when a scan
comes in. The PIX seems to look at the incoming connection
request on a less granular level before checking port
and IP address restrictions. 

Is there a way with PIX to modify the firewall to not
build a translation when a sequential scan is taking place,
or when the incoming IP range or destination ports do not
match some access control lists? Do other firewalls offer
this type of functionality or would this break things?

Thanks for any info.
Curt Wilson




=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
| Curt R. Wilson   *   Netw3 Consulting  *   www.netw3.com    |
|    Internet Security, Networking, PC tech,  WWW hosting     |
| Netw3 Security Reading Room : www.netw3.com/documents.html  |
|  Serving Southern Illinois locally and the world virtually  |  
|            netw3 () netw3 com     618-303-NET3                 |
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
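The behaviour described in the post above has a defensive side: if a sequential probe of the external block causes the firewall to build one translation per static NAT address, the firewall's own logs record that churn and make the scan easy to spot. The script below is an added example, not part of Curt's post and not Cisco code; it parses constructed syslog lines whose layout is only loosely modelled on PIX 6.x "Built inbound TCP connection" and "Built static translation" messages (the exact field order is an assumption, so adjust the regexes for your own firewall's output), flags any outside source that walks consecutive global addresses within a short window, and counts how many static translations were built for those addresses during that window.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import IPv4Address

# Constructed sample syslog. The message layout is an assumption loosely modelled
# on Cisco PIX 6.x text, not copied from a real device. 198.51.100.7 walks
# 192.0.2.20-.24 one address per second; 203.0.113.9 is a normal mail client.
SAMPLE_LOG = """\
Mar  8 02:01:10 pix %PIX-6-305011: Built static translation from inside:10.0.0.20 to outside:192.0.2.20
Mar  8 02:01:10 pix %PIX-6-302001: Built inbound TCP connection 101 for faddr 198.51.100.7/41001 gaddr 192.0.2.20/25 laddr 10.0.0.20/25
Mar  8 02:01:11 pix %PIX-6-305011: Built static translation from inside:10.0.0.21 to outside:192.0.2.21
Mar  8 02:01:11 pix %PIX-6-302001: Built inbound TCP connection 102 for faddr 198.51.100.7/41002 gaddr 192.0.2.21/25 laddr 10.0.0.21/25
Mar  8 02:01:12 pix %PIX-6-305011: Built static translation from inside:10.0.0.22 to outside:192.0.2.22
Mar  8 02:01:12 pix %PIX-6-302001: Built inbound TCP connection 103 for faddr 198.51.100.7/41003 gaddr 192.0.2.22/25 laddr 10.0.0.22/25
Mar  8 02:01:13 pix %PIX-6-305011: Built static translation from inside:10.0.0.23 to outside:192.0.2.23
Mar  8 02:01:13 pix %PIX-6-302001: Built inbound TCP connection 104 for faddr 198.51.100.7/41004 gaddr 192.0.2.23/25 laddr 10.0.0.23/25
Mar  8 02:01:14 pix %PIX-6-305011: Built static translation from inside:10.0.0.24 to outside:192.0.2.24
Mar  8 02:01:14 pix %PIX-6-302001: Built inbound TCP connection 105 for faddr 198.51.100.7/41005 gaddr 192.0.2.24/25 laddr 10.0.0.24/25
Mar  8 02:05:00 pix %PIX-6-302001: Built inbound TCP connection 106 for faddr 203.0.113.9/53022 gaddr 192.0.2.20/25 laddr 10.0.0.20/25
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
# Inbound connection record: foreign (outside) address, global (NATed) address and port.
CONN_RE = re.compile(
    TS + r" \S+ %PIX-6-302001: Built inbound TCP connection \d+ "
    r"for faddr (?P<faddr>[\d.]+)/\d+ gaddr (?P<gaddr>[\d.]+)/(?P<gport>\d+) laddr [\d.]+/\d+$"
)
# Static translation record: which global address had an xlate built.
XLATE_RE = re.compile(
    TS + r" \S+ %PIX-6-305011: Built static translation "
    r"from inside:(?P<laddr>[\d.]+) to outside:(?P<gaddr>[\d.]+)$"
)


def parse_ts(ts, year=2001):
    """Syslog timestamps carry no year; the caller supplies it (assumption: 2001)."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def find_sequential_scans(log_text, min_hosts=4, window_seconds=60):
    """Return {source: {"start", "end", "targets"}} for every outside source that
    hit min_hosts or more consecutive global addresses within window_seconds."""
    events = defaultdict(list)  # faddr -> [(timestamp, global address)]
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            events[m["faddr"]].append((parse_ts(m["ts"]), IPv4Address(m["gaddr"])))

    scans = {}
    for faddr, hits in events.items():
        hits.sort()
        for i in range(len(hits)):
            # Grow a run of addresses that increase by exactly one, bounded by the window.
            run = [hits[i]]
            for ts, gaddr in hits[i + 1:]:
                if (ts - run[0][0]).total_seconds() > window_seconds:
                    break
                if int(gaddr) == int(run[-1][1]) + 1:
                    run.append((ts, gaddr))
            if len(run) >= min_hosts:
                scans[faddr] = {
                    "start": run[0][0],
                    "end": run[-1][0],
                    "targets": [str(g) for _, g in run],
                }
                break
    return scans


def translations_built_during(log_text, scan):
    """Count static translations built for the scanned addresses inside the scan
    window: the xlates the probe itself caused the firewall to create."""
    targets = set(scan["targets"])
    count = 0
    for line in log_text.splitlines():
        m = XLATE_RE.match(line)
        if m and m["gaddr"] in targets and scan["start"] <= parse_ts(m["ts"]) <= scan["end"]:
            count += 1
    return count


if __name__ == "__main__":
    for source, scan in find_sequential_scans(SAMPLE_LOG).items():
        built = translations_built_during(SAMPLE_LOG, scan)
        print(f"{source}: swept {scan['targets'][0]}..{scan['targets'][-1]} "
              f"({len(scan['targets'])} hosts), {built} translations built")
```

The run check is deliberately strict (addresses must increase by exactly one) so that ordinary traffic from a busy client, which touches a few unrelated public addresses, does not trip it; a scanner that randomises its target order would need a distinct-address-count threshold instead. Reading the translation count next to the scan report is what ties the two halves of the post together: it shows how many idle hosts the probe briefly gave an xlate to, even though none of the probed connections was allowed through.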

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

