Penetration Testing mailing list archives
FW: DROP or REJECT that is the question...
From: <Bryan_McAninch () McAfee com>
Date: Thu, 5 Apr 2007 10:19:59 -0500
This has been debated time and time again, so I'll try to keep my response concise. It all boils down to how you want your firewall to appear to an attacker. Rejects allow you to make a firewall appear as a non-firewalled "normal" host, so long as you use the proper rejects; IMHO, this is an easily implemented and effective disinformation tactic. For example, a non-firewalled host (with no active ports) should respond to UDP connections with ICMP port unreachables and TCP connections with TCP resets. Conversely, if you simply drop the packet, it becomes obvious that something between the attacker and the target, even the target itself, is dropping packets. If a host or network is unreachable, which seems to be the intended goal of dropping packets, the target's previous-hop router would return an ICMP host unreachable or ICMP network unreachable error, respectively (something you cannot control).

Just my $.02

Cheers,
Bryan

----- Original Message -----
From: "Mohamed Abdel Kader" <mak.pen () gmail com>
To: <pen-test () securityfocus com>
Sent: Tuesday, April 03, 2007 1:07 AM
Subject: DROP or REJECT that is the question...
All, I wanted to gather your opinions on whether firewall rules should be Dropped Or Rejected. To me I believe that both give away the firewall rules. What does everyone out there think?
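As an added illustration of the "proper rejects" Bryan describes (this is example configuration written for this page, not anything from the original thread), here is an nftables inet ruleset that makes a host answer unsolicited traffic the way an unfirewalled host with nothing listening would: TCP gets a RST, UDP gets an ICMP port-unreachable, and ping still works. The allowed service ports (22 and 443) are assumptions chosen for the example.

```nft
# Example nftables ruleset (added for illustration; not from the original post).
# Goal: reject, rather than silently drop, so that a probe sees the same
# responses a non-firewalled host with no open services would send.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Keep loopback and already-established flows working.
        iif "lo" accept
        ct state established,related accept

        # A normal host answers ping, so let ICMP echo through (both families).
        meta l4proto { icmp, icmpv6 } accept

        # Services this host really offers (assumed for the example: SSH, HTTPS).
        tcp dport { 22, 443 } accept

        # Everything else: mimic "closed port" rather than "filtered".
        # Note that a bare `reject` would send port-unreachable for TCP too,
        # which is not what a closed TCP port does; the explicit RST matters.
        meta l4proto tcp reject with tcp reset
        meta l4proto udp reject with icmpx type port-unreachable
    }
}
```

Load it with `nft -f <file>`. Deleting the two `reject` lines leaves only the `policy drop`, which is the silent-drop behaviour the thread contrasts this with; probing your own host from a second machine before and after shows the difference Bryan is pointing at. The caveat he raises still applies: the disguise only holds if every protocol you reject gets the response a real closed port would send, so any protocol you forget falls through to the drop policy and is visibly filtered.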
------------------------------------------------------------------------
This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------