Nmap Announce mailing list archives

Re: OS Detection Question


From: Brian Kifiak <bk () localhost ca>
Date: Thu, 4 May 2000 22:05:08 -0700

> However, I'd like to see those get used as one of the last things done
> to secure a machine, not the first.

I don't think anyone was suggesting that OS masking was anything near
a complete security solution.  I still don't think you're quite
convinced how handy this can be.  Consider the following:

It's *extremely* hard, if not impossible, to *guarantee* that your
services(1) are secure.  It's likely that someone, somewhere, sometime,
will have working code to exploit *something* your machine is doing.

They now start looking for machines to hack.  Their exploit is specific
to a certain arch/OS/daemon/what-have-you.  They start scanning looking
for that specific quality which they can exploit.  If your system
doesn't easily present the information required to get a match against
that quality, their scanner is likely to skip your machine and go on to
the next (maybe the honeypot I set up on that subnet ...).

Advertising your details is like hanging a dated list of parts used to 
construct your house on the front door.  Somebody's likely to have a
lockpick to beat that 32-notch triply reinforced stainless platinum
lock you just got (or maybe just a really big diamond drill ...).

Yes, the fact remains you're still vulnerable.  I don't know about
you, but I think someone would notice me hanging outside their front
door peering into their lock with a stash of tools sitting beside me.
I'd probably just move on to the house I knew I could get into when I
drove through your neighbourhood.  Wouldn't you?

I'd list this as one of the things I'd consider doing by default.

(1): Most servers run a fair number of relatively complex services.
A server isn't much use if it doesn't run anything. (Typical example:
smtp, ftp, ssh, http, and pop running on one machine.)  Or, using the
door analogy: your house probably has windows and doors and hinges and
...

-bk

