http://danielrm26.disqus.com/dmiessler.com/about/enSun, 18 May 2008 15:59:22 -0000http://dmiessler.com/blog/ttl-caging-how-to-fight-malware-using-reduced-ttl-values#comment-4358547<p>Guys,</p><br><p>I agree that this would just be another layer if one was already doing the blocking at the firewall. That's a valid point. I just think it's an interesting and elegant way of approaching the problem.</p>danielrm26Sun, 18 May 2008 15:59:22 -0000http://dmiessler.com/blog/ttl-caging-how-to-fight-malware-using-reduced-ttl-values#comment-4358549<p>Would not a good egress rule be far more beneficial? I love the way he was thinking, but this would be very hard to maintain. Plus I do not even believe possible in environments that include WAN links such as MPLS or others. One argument that you could use would be that your work place will not let you use good egress rules. If that is they case it seems far fetched that they would let you do this as it would make trouble shooting more difficult.</p>Kenneth R Swain IISat, 17 May 2008 23:43:05 -0000http://dmiessler.com/blog/ttl-caging-how-to-fight-malware-using-reduced-ttl-values#comment-4358548<p>And the benefit of using this instead of a firewall is what? That anyone who wants to <em>can</em> circumvent it? That doesn't seem like a very useful idea to me...Especially since you're still relying on being able to identify bad traffic going through the proxy.</p><br><p>P.S. IDS' suck.</p>kuza55Sat, 17 May 2008 21:25:58 -0000