On Wed, Jul 30, 2003 at 09:58:42AM -0400, Chris Shepherd wrote:
> You specifically say you have to trust your firewall, and then try and conceal
> its presence. The point in question is whether or not making it look like a
> real machine will delay an attacker more than simply dropping all traffic. IMHO
> the latter is the better overall solution, since once your firewall has been
> discovered, it will slow and frustrate attempts on your network.

Lemme do same diet-quoting here.

You are right, of course. The thing I'm attempting is to make them hit my traps faster, so I can react faster.

And, as I said, I don't think we should use the same method everywhere. Sometimes I use DROP, sometimes I use tcp-reset and sometimes, icmp-replies.

As far as I got from this discussion, every method is about as good as the other. All have advantages and problems. The real question is how to balance them all to have the most benefits of each one of them.

Care to comment on this one?

[]s

--
Rodrigo Barbosa <rodrigobat_private>
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
This archive was generated by hypermail 2b30 : Thu Jul 31 2003 - 07:43:06 PDT