Security Basics mailing list archives

RE: Concepts: Security and Obscurity


From: "Craig Wright" <Craig.Wright () bdo com au>
Date: Fri, 13 Apr 2007 05:28:07 +1000

Daniel,

I have to assume that you believe that drop actually hides hosts, making scanning firewall rules infeasible? That drop 
rules act as if there is no host or something? This is a common misconception, but a misconception nonetheless. We 
investigated this at the ASX when I was working there. We had a VP from Checkpoint and several of their engineers from 
Israel over with the testing. We did the same thing with Sun's firewall of the time - Sunscreen - in its so-called 
stealth mode.

 

First I have to state an assumption of a single firewall in the cases mentioned, as I fail to see why adding SPA to a 
dual-layered authenticated system would be adding anything at all other than trouble with users.

 

In the case of a single firewall layer (as I must state is the norm in use) drop rules do not hide the existence of 
hosts. The firewall does not respond as a router. When a router is down the upstream routers respond differently. When 
scanning the responses are different.

 

Next, the timing of scans varies. With drop rules, services that are allowed but filtered do not respond as those that do 
not exist, nor do they respond as those which are just blocked. Scanning a firewall with a drop or stealth rule will allow 
mapping of the rules. You can get something like:

 

{Service allowed from unknown range} to {host address 1}

{host address 2} does not exist

Port 80 open on {host 3} 

{host address 4} does not exist

{host address 5} exists but has no access

{host address 6} exists but needs auth on port 80

{host address 6} exists but has no access

 

Maybe I am overthinking this in assuming that there must be more people who can actually scan a firewall and map ports 
than there are in reality - but it is far from difficult unless the sole level of skill is how to run nmap.

 

My point is not whether the security level has been *diminish*ed but that there is a cost. Having clients use this is an 
added layer of complexity. This is a cost. Cost without an equivalent gain is a loss - which is my point - and thus not 
effective. If you are adding the same level of cost, there are REAL controls that may be implemented for a lower real 
cost. Thus in this manner the equal cost demonstrates a diminishment over what could be achieved for the additional 
spend.

 

I only did port knocking yesterday as I was going to do SPA this morning to follow - but have done this response instead 
and will have to follow with SPA later.

 

Regards,

Craig

 




Craig Wright
Manager of Information Systems

Direct +61 2 9286 5497
Craig.Wright () bdo com au

BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO Box 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au

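The mapping Craig sketches above (open port, absent host, host present but dropped) comes down to telling apart what each SYN probe gets back: a SYN-ACK, an RST, an ICMP error from the firewall, an ICMP host-unreachable from the upstream router, or nothing at all. The following is an added example, not code from the thread or from either poster; it classifies constructed probe records into those states so an administrator can check what their own DROP rules reveal relative to a genuinely absent host. The reply labels, the `Probe` record and the TEST-NET addresses are all assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    """What one TCP SYN to host:port came back with (constructed records)."""
    host: str
    port: int
    reply: str  # "SYN-ACK", "RST", "ICMP-ADMIN-PROHIB", "ICMP-HOST-UNREACH" or "NONE"


# Per-probe verdicts. The point of the post: a silent DROP ("NONE") is not the
# same observation as an absent host, which the upstream router reports itself.
VERDICT = {
    "SYN-ACK": "open",
    "RST": "closed",                  # host answers; port not listening or REJECT with RST
    "ICMP-ADMIN-PROHIB": "rejected",  # firewall states outright that a rule matched
    "ICMP-HOST-UNREACH": "absent",    # router could not deliver to the host at all
    "NONE": "filtered",               # dropped silently: a host and a rule are there
}


def classify(p: Probe) -> str:
    return VERDICT[p.reply]


def summarize(probes: list[Probe]) -> dict[str, str]:
    """Collapse per-port verdicts into the per-host lines the post sketches."""
    by_host: dict[str, dict[int, str]] = defaultdict(dict)
    for p in probes:
        by_host[p.host][p.port] = classify(p)
    out: dict[str, str] = {}
    for host, ports in by_host.items():
        verdicts = set(ports.values())
        if verdicts == {"absent"}:
            out[host] = f"{host} does not exist"
        elif "open" in verdicts:
            opened = sorted(k for k, v in ports.items() if v == "open")
            out[host] = f"Port {', '.join(map(str, opened))} open on {host}"
        elif verdicts <= {"filtered", "rejected", "closed"}:
            out[host] = f"{host} exists but has no access"
        else:  # e.g. absent on one port but answered on another: look at the path
            out[host] = f"{host} inconsistent: {sorted(verdicts)}"
    return out


# Constructed sample, not real measurements (RFC 5737 TEST-NET-1 addresses).
SAMPLE = [
    Probe("192.0.2.10", 80, "SYN-ACK"), Probe("192.0.2.10", 22, "NONE"),
    Probe("192.0.2.11", 80, "ICMP-HOST-UNREACH"), Probe("192.0.2.11", 22, "ICMP-HOST-UNREACH"),
    Probe("192.0.2.12", 80, "NONE"), Probe("192.0.2.12", 22, "NONE"),
]

if __name__ == "__main__":
    for line in summarize(SAMPLE).values():
        print(line)
```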

________________________________


From: Daniel Miessler [mailto:daniel () dmiessler com]
Sent: Fri 13/04/2007 4:38 AM
To: Craig Wright
Cc: krymson () gmail com; security-basics () securityfocus com
Subject: Re: Concepts: Security and Obscurity




On Apr 12, 2007, at 2:34 AM, Craig Wright wrote:

> Port knocking has the issue that it is not completely silent as is
> presumed. Most routers are not set to stop sending ICMP, TCP etc
> responses to other routers. In fact to do so is a violation of the
> internet standards. As such, information on ports is often available
> from the network infrastructure. Drop on firewalls does not stop an
> attacker finding what ports are running - it just means that they have
> to be a little more creative.

More creative? Ok, let's try it this way:

1. You send me a SYN to a given port
2. I send you an RST/ACK for that port (or I don't answer at all)

Either way, what now? So what if you can ping the firewall? We're 
talking about ACLs here. An ACL saying traffic gets dropped or 
rejected to port X. So unless you have some revolutionary way to 
simply bypass firewall ACLs, you're basking in the darkness of 
futility here, my friend.

> Systems that ONLY drop packets stand out. They are not "stealthy" but
> rather the hole they make makes them extremely visible.

Huh ?!?

Kind of like the hole caused by systems that aren't online? LOL. So I 
guess all those systems that don't exist are being put on a master 
hacker list somewhere to be investigated later? Dude, you're 
frightening me.

> In port knocking the control is not highly effective, to take a quote:
>
> In 'Critique of Port Knocking', Arvind Narayanan states:
> "Suppose you decide on a list of 32 valid ports (the current
> implementation allows up to 256). How long does the port knock sequence
> need to be? You might think that since each port is a 16-bit integer,
> you need 8 knocks, so that you get 8*16 bits or 128 bits of security
> (virtually unbreakable). But since each port has only 32 possible
> values (5 bits), what you actually get is only 8*5=40 bits of security
> (trivially breakable)!"

Port knocking isn't the point; I mentioned SPA as another alternative, 
as the technology doesn't matter much. The point is that adding 
obscurity ON TOP of solid security doesn't *diminish* said security. 
That's all. Simple point. Nothing fancy. Basic stuff.

(or at least I thought so)

> Applied Cryptography by Bruce Schneier:
> "If I take a letter, lock it in a safe, hide the safe somewhere in New
> York, then tell you to read the letter, that's not security. That's
> obscurity. On the other hand, if I take a letter and lock it in a
> safe, and then give you the safe along with the design specifications
> of the safe and a hundred identical safes with their combinations
> so that you and the world's best safecrackers can study the locking
> mechanism - and you still can't open the safe and read the letter -
> that's security."

Interesting, well what if you let people crack on our "safe" all day 
long (e.g. your SSH or VPN software) through OTHER PEOPLE'S SYSTEMS, 
but you tuck YOURS behind a firewall that only your users can get 
through?

So in other words, you get the benefit of scrutiny by using well-
tested systems, but you don't have the downside of wide-open 
exposure. Surely with all your education and credentials you can see 
that this is a positive thing.

If I'm wrong here please show me how...

--
Daniel Miessler
E: daniel () dmiessler com
W: http://dmiessler.com
G: 0xDA6D50EAC

