Security Basics mailing list archives
RE: Concepts: Security and Obscurity
From: "Craig Wright" <Craig.Wright () bdo com au>
Date: Fri, 13 Apr 2007 05:28:07 +1000
Daniel, I have to assume that you believe that drop actually hides hosts, making scanning firewall rules infeasible? That drop rules act as if there is no host or something? This is a common misconception, but a misconception nonetheless.

We investigated this at the ASX when I was working there. We had a VP from Checkpoint and several of their engineers from Israel over with the testing. We did the same thing with Sun's firewall of the time - SunScreen - in its so-called stealth mode.

First I have to state an assumption of a single firewall in the cases mentioned, as I fail to see why adding SPA to a dual-layered authenticated system would be adding anything at all other than trouble with users. In the case of a single firewall layer (as I must state is the norm in use), drop rules do not hide the existence of hosts. The firewall does not respond as a router. When a router is down, the upstream routers respond differently. When scanning, the responses are different. Next, the timing of scans varies. With drop rules, services that are allowed but filtered do not respond as those that do not exist, nor do they respond as those which are just blocked. Scanning a firewall with drop or stealth rules will allow mapping of the rules. You can get something like:

{Service allowed from unknown range} to {host address 1}
{host address 2} does not exist
Port 80 open on {host 3}
{host address 4} does not exist
{host address 5} exists but has no access
{host address 6} exists but needs auth on port 80
{host address 6} exists but has no access

Maybe I am overthinking this in assuming that there must be more people who can actually scan a firewall and map ports than there are in reality - but it is far from difficult unless the sole level of skill is how to run nmap.

My point is not whether the security level has been *diminish*ed but that there is a cost. Having clients use this is an added layer of complexity. This is a cost. Cost without an equivalent gain is a loss - which is my point - and thus not effective. If you are adding the same level of cost, there are REAL controls that may be implemented for a lower real cost. Thus in this manner the equal cost demonstrates a diminishment over what could be achieved for the additional spend.

I only did port knocking yesterday as I was going to do SPA this morning to follow - but have done this response instead and will have to follow with SPA later.

Regards,
Craig

Craig Wright
Manager of Information Systems
Direct +61 2 9286 5497
Craig.Wright () bdo com au
BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO Box 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au

________________________________
From: Daniel Miessler [mailto:daniel () dmiessler com]
Sent: Fri 13/04/2007 4:38 AM
To: Craig Wright
Cc: krymson () gmail com; security-basics () securityfocus com
Subject: Re: Concepts: Security and Obscurity

On Apr 12, 2007, at 2:34 AM, Craig Wright wrote:
> Port knocking has the issue that it is not completely silent as is presumed. Most routers are not set to stop sending ICMP, TCP, etc. responses to other routers. In fact, to do so is a violation of the internet standards. As such, information on ports is often available from the network infrastructure. Drop on firewalls does not stop an attacker finding what ports are running - it just means that they have to be a little more creative.
More creative? OK, let's try it this way:

1. You send me a SYN to a given port
2. I send you an RST/ACK for that port (or I don't answer at all)

Either way, what now? So what if you can ping the firewall? We're talking about ACLs here. An ACL saying traffic gets dropped or rejected to port X. So unless you have some revolutionary way to simply bypass firewall ACLs, you're basking in the darkness of futility here, my friend.
> Systems that ONLY drop packets stand out. They are not "stealthy" but rather the hole they make makes them extremely visible.
Huh?!? Kind of like the hole caused by systems that aren't online? LOL. So I guess all those systems that don't exist are being put on a master hacker list somewhere to be investigated later? Dude, you're frightening me.
> In port knocking the control is not highly effective, to take a quote: In 'Critique of Port Knocking', Arvind Narayanan states: "Suppose you decide on a list of 32 valid ports (the current implementation allows up to 256). How long does the port knock sequence need to be? You might think that since each port is a 16-bit integer, you need 8 knocks, so that you get 8*16 bits or 128 bits of security (virtually unbreakable). But since each port has only 32 possible values (5 bits), what you actually get is only 8*5=40 bits of security (trivially breakable)!"
Port knocking isn't the point; I mentioned SPA as another alternative, as the technology doesn't matter much. The point is that adding obscurity ON TOP of solid security doesn't *diminish* said security. That's all. Simple point. Nothing fancy. Basic stuff. (or at least I thought so)
> Applied Cryptography by Bruce Schneier: "If I take a letter, lock it in a safe, hide the safe somewhere in New York, then tell you to read the letter, that's not security. That's obscurity. On the other hand, if I take a letter and lock it in a safe, and then give you the safe along with the design specifications of the safe and a hundred identical safes with their combinations so that you and the world's best safecrackers can study the locking mechanism - and you still can't open the safe and read the letter - that's security."
Interesting, well what if you let people crack on our "safe" all day long (e.g. your SSH or VPN software) through OTHER PEOPLE'S SYSTEMS, but you tuck YOURS behind a firewall that only your users can get through? So in other words, you get the benefit of scrutiny by using well-tested systems, but you don't have the downside of wide-open exposure. Surely with all your education and credentials you can see that this is a positive thing. If I'm wrong here please show me how...

--
Daniel Miessler
E: daniel () dmiessler com
W: http://dmiessler.com
G: 0xDA6D50EAC