Security Basics mailing list archives
Re: Concepts: Security and Obscurity
From: Daniel Miessler <daniel () dmiessler com>
Date: Tue, 17 Apr 2007 10:57:17 -0400
On Apr 12, 2007, at 4:41 PM, lordl3ane () gmail com wrote:
Adding a firewall would be like taking the safe and sticking it in a bank vault. That’s not the same as obfuscation. The point Craig was making was that even if the firewall existed, let’s assume that the ACL is configured to allow all traffic to pass to the system behind, on all the services it provides. Alternatively, we can look at the firewall itself as the safe.
Hmm, let me try and restate this: the firewall is a brick to ALL USERS except those with specialized software. The firewall is closed. No ports open. No scan returns an open port for the service in question. It's a non-issue for attackers. Unimportant. Nothing to see here. Etc.
This is obfuscation because service scans are LOOKING for said port in order to exploit it. So if it's open for your users, but it's not for everyone else -- it's obfuscated. It just so happens that "hiding" and restricting access are the same function on a firewall.
Cheers,
--
Daniel Miessler
E: daniel () dmiessler com
W: http://dmiessler.com
G: 0xDA6D50EAC