Security Basics mailing list archives
Re: Re: Concepts: Security and Obscurity
From: lordl3ane () gmail com
Date: 12 Apr 2007 20:41:12 -0000
Daniel, I like the way you think. I agree with almost every point that's being made here in your argument except your last statement.
> Interesting, well what if you let people crack on our "safe" all day long (e.g. your SSH or VPN software) through OTHER PEOPLE'S SYSTEMS, but you tuck YOURS behind a firewall that only your users can get through? So in other words, you get the benefit of scrutiny by using well-tested systems, but you don't have the downside of wide-open exposure. Surely with all your education and credentials you can see that this is a positive thing.
Again we're on a road where we're comparing different controls to Obscurity. A firewall is not an obfuscation control mechanism. At worst it's an authorization system (what may or may not get through to the juicy bits behind), and at best, it's a rough authentication system (what may or may not get through to the juicy bits behind, only from the IP addresses or from credentials [user names/passwords, certificates, etc]).

I think the point that Craig is trying to make isn't that the safe gets tucked behind a firewall. It's more like the safe just simply doesn't have a DNS locator record. For example, an SMTP server without an MX record is simply a service hanging quietly out on the Internet with nothing advertising that it's there. Adding a firewall would be like taking the safe and sticking it in a bank vault. That's not the same as obfuscation.

The point Craig was making was that even if the firewall existed, let's assume that the ACL is configured to allow all traffic to pass to the system behind, on all the services it provides. Alternatively, we can look at the firewall itself as the safe.

Eric