Contributor
August 19, 2008
Question

What is the difference between "Block" and "Reset"?

Dear all, I am now setting up the firewall 200A to control our staff's use of instant messaging during work hours. I have created a new IPS sensor, specifying protocol IM, application IM, and "Enable all" for both "Enable" and "Logging". But when it comes to "Action", I am not sure whether I should set it to "Block all" or "Reset all". What is the difference between these two? Thanks a lot!


    lmuir
    New Member
    August 28, 2008
    Reset: Sends a TCP Reset in both directions and removes the session from the session table.
    Reset Client: Sends a TCP Reset to the client and removes the session from the session table.
    Pass Session: Allows the packet that triggered the signature and performs no further IPS checking for the session.
    Drop Session: Drops the packet which triggered the signature and all subsequent packets for that session.
    Clear Session: Drops the packet which triggered the signature and removes the session from the session table.
    Drop: Drops the packet which triggered the signature. Not suitable for TCP, as the dropped packet will be detected and the packet will be resent.
    Cheers, Lachlan.
    Contributor
    September 2, 2008
    It's hard to figure out which action to use with which rule. I thought that with 'drop session' I would be safe in most cases? Or is 'clear session' better? Or are there rules where these would have no effect?
    aplato
    New Member
    September 5, 2008
    In general, if you are in-line, you want to avoid using any of the ones that send a reset (RST) packet. That can be detected at the origin and it can potentially DoS your own connection. (If I know you send RSTs, I can flood you with bad traffic and the RST packets will clog your pipe.) RST is the only way you can block if you are doing passive monitoring (not in-line), and even that isn't 100% effective and can DoS your own network. It is best to drop the packet or session. This causes the offending packet(s) to simply disappear, which is preferable as it cannot be detected (easily) at the origin. Dropping the packet or session also can slow down automated scanners and worms.
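The six actions Lachlan lists and the RST-versus-silent-drop distinction aplato draws, as an added example: a constructed model of a session table (not FortiGate code; the flow labels and packets are made up) that shows, for one IM connection, which packets each action lets through and who receives a TCP RST.

```python
from dataclasses import dataclass, field

# Added example, not FortiGate code: a constructed model of how the IPS actions
# in this thread treat the packet that matched the signature, the later packets
# of the same session, and what the sender gets back (a TCP RST or silence).
RST_TARGETS = {"clear_session": (), "reset_client": ("client",),
               "reset": ("client", "server")}  # the actions that remove the session

@dataclass(frozen=True)
class Packet:
    session: str             # constructed flow label standing in for the 5-tuple
    seq: int                 # 1 = first packet of the connection
    triggers: bool = False   # does this packet match the IPS signature?

@dataclass
class IpsSensor:
    action: str                                  # one of the six actions listed above
    table: set = field(default_factory=set)      # session table
    dropping: set = field(default_factory=set)   # sessions under "drop session"
    exempt: set = field(default_factory=set)     # sessions under "pass session"

    def inspect(self, pkt):
        """Return (forwarded, rst_recipients) for one packet."""
        s = pkt.session
        if pkt.seq == 1:                 # a new connection creates a session entry
            self.table.add(s)
        elif s not in self.table:        # entry was cleared or reset: nothing to forward
            return (False, ())
        if s in self.exempt:             # pass session: no further IPS checking
            return (True, ())
        if s in self.dropping:           # drop session: every later packet dropped too
            return (False, ())
        if not pkt.triggers:
            return (True, ())
        if self.action == "pass_session":
            self.exempt.add(s); return (True, ())
        if self.action == "drop":        # only this packet; TCP will just retransmit it
            return (False, ())
        if self.action == "drop_session":
            self.dropping.add(s); return (False, ())
        self.table.discard(s)            # clear_session / reset_client / reset
        return (False, RST_TARGETS[self.action])

def run(action, packets):
    """Feed constructed packets through a fresh sensor; return verdicts in order."""
    return list(map(IpsSensor(action).inspect, packets))

# Constructed IM flow: connection opens, a packet matches the IM signature,
# the client retransmits that same packet, then sends more traffic.
IM_FLOW = [Packet("im", 1), Packet("im", 2, True), Packet("im", 2, True), Packet("im", 3)]
```

Running `run("drop", IM_FLOW)` shows the retransmission hitting the sensor again while later traffic still passes, whereas `run("reset", IM_FLOW)` is the only case in which the client is told anything.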
    Contributor
    September 6, 2008
    Thank you, that helps a lot.