PaulDotCom mailing list archives

Drop or rst?


From: bhoff at itworldclass.com (Brett Hoff)
Date: Wed, 7 Oct 2009 13:52:31 -0500

I also like to drop silently.
 
I have built and monitor over 100 firewalls and almost always choose this
option.
 
Brett Hoff
RHCT, Linux+, Security+
Senior Security and Linux instructor
Senior IT Security Engineer
GCFA "Certified Forensics Analyst"
Antler Computer Consulting

Antler, Inc.
We do IT World Class!
850-857-7707
itworldclass.com

  _____  

From: pauldotcom-bounces at mail.pauldotcom.com
[mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Norman Rach
Sent: Wednesday, October 07, 2009 11:39 AM
To: pauldotcom at mail.pauldotcom.com
Subject: [Pauldotcom] Drop or rst?


Hi Everyone,

I'm currently in a discussion about our current ruleset for iptables.
Whether to be RFC compliant and issue a RST to those scanning/connecting to
undesired ports or to drop the packet completely.  By sending a RST back to
the host aren't we letting the srcIP know that the traffic successfully
arrived at the host without being intercepted by a network appliance (i.e.
IDS/IPS, firewall, etc)?

As far as I can tell this seems to be more of a discussion on one's own
security posture preference.  Any feedback is appreciated.

Cheers!
NR



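The question in Norman's post is which target the catch-all rule for unwanted ports should use. The script below is an added example, not code from either poster: a POSIX shell script that renders both policies as an iptables-restore table so they can be compared line by line before anything is loaded. The served ports (22 and 443), the chain layout and the function names are constructed assumptions; nothing touches the live ruleset unless apply_rules is run as root.

```shell
#!/bin/sh
# Added example: render the "silent drop" and "RFC-style reject" variants of
# an iptables INPUT chain so both can be reviewed (or diffed) before loading.
# The *_rules functions only print rule lines; only apply_rules calls
# iptables-restore.

# Constructed sample: the TCP services these hosts actually serve.
ALLOWED_TCP_PORTS="22 443"

# Common prefix shared by both policies: keep existing flows, loopback,
# and new connections to the served ports.
base_rules() {
    printf '%s\n' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -i lo -j ACCEPT'
    for p in $ALLOWED_TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Option 1 (Brett's preference): drop silently. The sender gets no answer at
# all and has to wait for its own timeout; from its side a filtered port looks
# the same as an address where nothing is listening at all.
drop_rules() {
    base_rules
    printf '%s\n' '-A INPUT -j DROP'
}

# Option 2: behave like an ordinary closed port. TCP probes get a RST and
# everything else an ICMP port-unreachable, so legitimate clients fail fast,
# but the reply itself confirms that a host is up and answering there.
reject_rules() {
    base_rules
    printf '%s\n' \
        '-A INPUT -p tcp -j REJECT --reject-with tcp-reset' \
        '-A INPUT -j REJECT --reject-with icmp-port-unreachable'
}

# Render a complete iptables-restore filter table for "drop" or "reject".
# The chain policy stays DROP in both cases, so anything that somehow misses
# the final rule is still dropped rather than accepted.
render_table() {
    printf '*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    case "$1" in
        drop)   drop_rules ;;
        reject) reject_rules ;;
        *)      echo "unknown policy: $1" >&2; return 1 ;;
    esac
    printf 'COMMIT\n'
}

# Load one of the two tables (needs root and iptables-restore). Kept separate
# so running the script just to inspect the rules is harmless.
apply_rules() {
    render_table "$1" | iptables-restore
}

# Number of -A rule lines a policy produces; a quick sanity check when editing.
rule_count() {
    render_table "$1" | grep -c '^-A '
}
```

Run `render_table drop` and `render_table reject` from the same shell to see that the two tables differ only in their final lines: one `-j DROP` against one `REJECT --reject-with tcp-reset` plus an ICMP unreachable for non-TCP traffic. That final line is the whole of the posture choice Norman describes; the accept rules above it are identical either way.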