Firewall Wizards mailing list archives
Firewall intelligence in hiding from scans?
From: Curt Wilson <netw3 () netw3 com>
Date: Thu, 08 Mar 2001 02:05:55 -0600
I work with a Cisco PIX and I've noticed that when someone performs a sequential scan on our external address block, any internal system with a static NAT address that does not have a translation at that moment will build a translation in response to the request to the outside IP. For instance, if the default TCP translation timeout value of three hours is in place, and no one has sent mail to the SMTP server in the last three hours, the translation will be temporarily torn down, only to be rebuilt when a scan comes in.

The PIX seems to look at the incoming connection request on a less granular level before checking port and IP address restrictions. Is there a way with PIX to modify the firewall to not build a translation when a sequential scan is taking place, or when the incoming IP range or destination ports do not match some access control lists? Do other firewalls offer this type of functionality or would this break things?

Thanks for any info.

Curt Wilson

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
| Curt R. Wilson * Netw3 Consulting * www.netw3.com |
| Internet Security, Networking, PC tech, WWW hosting |
| Netw3 Security Reading Room : www.netw3.com/documents.html |
| Serving Southern Illinois locally and the world virtually |
| netw3 () netw3 com 618-303-NET3 |
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
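The behaviour the post describes, as an added toy model that is not part of the original message and not PIX code: a static-NAT firewall with a three-hour translation timeout, run once with "build the translation, then check port/IP rules" (the ordering the poster observes) and once with "check rules first, then build the translation" (the ordering the poster asks for). A sweep over a /27 on an unpermitted port shows which ordering repopulates the translation table, and a small detector over the resulting verdict log flags the sweeping source. All addresses, the `statics`/`acl` structures and the `xlate_first` switch are assumptions chosen for the example.

```python
"""Toy model of static NAT translation (xlate) creation on inbound traffic.

Constructed example: it models the ordering problem in the post, not any
real PIX code path. Addresses are from documentation ranges.
"""
from dataclasses import dataclass, field
import ipaddress

# Default three-hour TCP translation timeout mentioned in the post, in seconds.
XLATE_TIMEOUT = 3 * 3600


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Firewall:
    statics: dict        # outside IP -> inside IP (static NAT entries)
    acl: set             # permitted (outside IP, destination port) pairs
    xlate_first: bool    # True: build xlate before the ACL check (observed ordering)
    xlates: dict = field(default_factory=dict)  # outside IP -> expiry time

    def active(self, now):
        """Expire idle translations and return the outside IPs still translated."""
        self.xlates = {ip: exp for ip, exp in self.xlates.items() if exp > now}
        return sorted(self.xlates)

    def permitted(self, pkt):
        return (pkt.dst, pkt.dport) in self.acl

    def inbound(self, pkt, now):
        """Process one inbound SYN; return 'drop', 'deny' or 'accept'."""
        self.active(now)
        if pkt.dst not in self.statics:
            return "drop"                       # no static for this outside IP
        if self.xlate_first:
            # Translation is created as soon as the outside IP matches a static,
            # regardless of whether the port/IP rules will permit the connection.
            self.xlates[pkt.dst] = now + XLATE_TIMEOUT
            return "accept" if self.permitted(pkt) else "deny"
        if not self.permitted(pkt):
            return "deny"                       # rules consulted first: no xlate built
        self.xlates[pkt.dst] = now + XLATE_TIMEOUT
        return "accept"


def make_firewall(xlate_first):
    """Two static hosts: a mail server (port 25) and a web server (port 80)."""
    return Firewall(
        statics={"192.0.2.10": "10.0.0.10", "192.0.2.20": "10.0.0.20"},
        acl={("192.0.2.10", 25), ("192.0.2.20", 80)},
        xlate_first=xlate_first,
    )


def run_sweep(fw, src, block, dport, start=0):
    """Send one SYN per address in `block` to `dport`; return (src, dst, verdict) events."""
    events = []
    for i, ip in enumerate(ipaddress.ip_network(block).hosts()):
        events.append((src, str(ip), fw.inbound(Packet(src, str(ip), dport), start + i)))
    return events


def sweep_events(xlate_first=True, dport=23):
    """Constructed scan: one outside host sweeps the /27 on a port no rule permits."""
    return run_sweep(make_firewall(xlate_first), "198.51.100.7", "192.0.2.0/27", dport)


def translations_after_sweep(xlate_first, dport=23):
    """Outside IPs that hold a translation once the sweep has finished."""
    fw = make_firewall(xlate_first)
    run_sweep(fw, "198.51.100.7", "192.0.2.0/27", dport)
    return fw.active(now=0)


def idle_teardown():
    """A permitted connection builds an xlate that lapses after XLATE_TIMEOUT."""
    fw = make_firewall(xlate_first=False)
    fw.inbound(Packet("203.0.113.5", "192.0.2.10", 25), now=0)
    return fw.active(0), fw.active(XLATE_TIMEOUT + 1)


def sweep_sources(events, min_targets=4):
    """Flag sources whose unsolicited (dropped or denied) SYNs span many destinations."""
    targets = {}
    for src, dst, verdict in events:
        if verdict in ("drop", "deny"):
            targets.setdefault(src, set()).add(dst)
    return sorted(src for src, dsts in targets.items() if len(dsts) >= min_targets)


if __name__ == "__main__":
    print("xlate-first  :", translations_after_sweep(True))   # both statics rebuilt
    print("rules-first  :", translations_after_sweep(False))  # nothing rebuilt
    print("idle teardown:", idle_teardown())
    print("sweeping src :", sweep_sources(sweep_events()))
```

With the observed ordering the telnet sweep leaves both static hosts translated even though no rule permitted any of its packets; with rules checked first the table stays empty, which is the property the post asks whether a firewall can offer. The detector only counts verdicts the firewall already produces, so it needs no extra state beyond a per-source destination set.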