Security Basics mailing list archives

Re: Re: Concepts: Security and Obscurity


From: lordl3ane () gmail com
Date: 12 Apr 2007 20:41:12 -0000

Daniel,

I like the way you think.  I agree with almost every point that’s being made here in your argument except your last 
statement.

Interesting, well what if you let people crack on our "safe" all day 
long (e.g. your SSH or VPN software) through OTHER PEOPLE'S SYSTEMS, 
but you tuck YOURS behind a firewall that only your users can get 
through?

So in other words, you get the benefit of scrutiny by using 
well-tested systems, but you don't have the downside of wide-open 
exposure. Surely with all your education and credentials you can see 
that this is a positive thing.

Again, we’re on a road where we’re comparing different controls to Obscurity.  A firewall is not an obfuscation control 
mechanism.  At worst it’s an authorization system (what may or may not get through to the juicy bits behind), and at 
best, it’s a rough authentication system (what may or may not get through to the juicy bits behind, only from the IP 
addresses or from credentials [user names/passwords, certificates, etc]).

I think the point that Craig is trying to make isn’t that the safe gets tucked behind a firewall.  It’s more like the 
safe just simply doesn’t have a DNS locator record.  For example, an SMTP server without an MX record is simply a 
service hanging quietly out on the Internet with nothing advertising that it’s there.

Adding a firewall would be like taking the safe and sticking it in a bank vault.  That’s not the same as obfuscation.  
The point Craig was making was that even if the firewall existed, let’s assume that the ACL is configured to allow all 
traffic to pass to the system behind, on all the services it provides.  Alternatively, we can look at the firewall 
itself as the safe.

Eric
