Comment too much memory (Score 1) 1907
I recently helped upgrade a customer's Watchguard Firebox II to a Firebox III (their choice, not mine). Both have switches on them which allow you to block (IIRC) "Address-space probes" and "Port-space probes", which after some testing I figured out meant portscans. The II model used to block me when I'd scan one machine with default nmap settings, after it got through about 1/4 of the scan. The new one would let me scan 4 or so boxes, all possible ports (ie, -p 1-), before it blocked me. Running a default scan I could get a dozen.
So I called to complain that this fancy new box actually took longer to detect a portscan. After getting the runaround for a while about how the III was "newer" and had "more features" and it "wasn't fair to compare this one feature" I finally got a straight answer. The reply was (paraphrasing a bit) ;-)
So I called to complain that this fancy new box actually took longer to detect a portscan. After getting the runaround for a while about how the III was "newer" and had "more features" and it "wasn't fair to compare this one feature" I finally got a straight answer. The reply was (paraphrasing a bit)
First time I've ever been told I had too much hardware. I was tempted to tell him to send someone out to install less memory."The problem is the Firebox III has more memory, so it can see more connections. This is why it takes longer to see a portscan"
