Date: Sat, 7 Apr 2001 16:16:55 -0700 From: "John Howie" <JHowie@msn.com> To: "Jacques A. Vidrine" <n@nectar.com> Cc: "Crist Clark" <crist.clark@globalstar.com>, <lee@kechara.net>, <freebsd-security@FreeBSD.ORG> Subject: Re: Theory Question Message-ID: <05b901c0bfb8$d79a1160$0101a8c0@development.local> References: <200104071610.RAA18117@mailgate.kechara.net> <3ACF83FA.55761A7B@globalstar.com> <20010407162552.D87286@hamlet.nectar.com> <058701c0bfad$265e8530$0101a8c0@development.local> <20010407173910.B69155@spawn.nectar.com> <05aa01c0bfb4$ec3a0de0$0101a8c0@development.local> <20010407180040.B87468@hamlet.nectar.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Jacques, You are missing my points (or perhaps I typed too fast to make them clearly). Crist supplied the ifconfig scenario, I just followed up on it, and I thought we were still talking about script kiddies. That said, security can still be strengthened through obscurity but as you quite correctly point out it cannot solely be relied upon. If I force would-be intruders to have to defeat/circumvent individual measures such as firewalls/NAT boxes just to determine my topologies before they can even make an attempt at an attack on servers, then most will give up and go away. With the correct supporting measures in place, obscuring network topology is a valid step to take. john... ----- Original Message ----- From: "Jacques A. Vidrine" <n@nectar.com> To: "John Howie" <JHowie@msn.com> Cc: "Crist Clark" <crist.clark@globalstar.com>; <lee@kechara.net>; <freebsd-security@FreeBSD.ORG> Sent: Saturday, April 07, 2001 4:00 PM Subject: Re: Theory Question > On Sat, Apr 07, 2001 at 03:48:53PM -0700, John Howie wrote: > > Agreed! And the hacker would also need to have intimate knowledge of your > > network configuration to be able to supply the correct parameters to > > ifconfig in the scenario that Crist outlined. > > Well, no. Arbitrary code is just that: arbitrary. Arbitrary code can > determine a working configuration for any network interface. And in > many cases it will not even be necessary to `ifconfig' the interface > to use it. > > > One item that was missing from > > the original design was an exterior DMZ firewall (or perhaps I just missed > > that component) running NAT. Key to securing the infrastructure is making it > > as difficult as possible for a hacker to determine DMZ and production > > network topologies and machine addresses. > > If the `key' to your security is obscurity of your internal network > configuration, expect to be comprimised. This information is not hard > to obtain by a determined attacker, and technology is probably not > even an issue. > > Cheers, > -- > Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?05b901c0bfb8$d79a1160$0101a8c0>