Security Basics mailing list archives

Re: Concepts: Security and Obscurity


From: Daniel Miessler <daniel () dmiessler com>
Date: Tue, 17 Apr 2007 10:57:17 -0400


On Apr 12, 2007, at 4:41 PM, lordl3ane () gmail com wrote:

Adding a firewall would be like taking the safe and sticking it in a bank vault. That’s not the same as obfuscation. The point Craig was making was that even if the firewall existed, let’s assume that the ACL is configured to allow all traffic to pass to the system behind, on all the services it provides. Alternatively, we can look at the firewall itself as the safe.

Hmm, let me try and restate this: the firewall is a brick to ALL USERS except those with specialized software. The firewall is closed. No ports open. No scan returns an open port for the service in question. It's a non-issue for attackers. Unimportant. Nothing to see here. Etc.

This is obfuscation because service scans are LOOKING for said port in order to exploit it. So if it's open for your users, but it's not for everyone else -- it's obfuscated. It just so happens that "hiding" and restricting access are the same function on a firewall.

Cheers,

--
Daniel Miessler
E: daniel () dmiessler com
W: http://dmiessler.com
G: 0xDA6D50EAC

