Security Basics mailing list archives
Re: Roger's last comment on changing Port defaults
From: yonesy <yonesy () gmail com>
Date: Thu, 20 Jan 2005 23:31:39 -0500
Nice write-up. It makes sense, analogous to the medieval way of protecting precious treasures inside castles. The problem that I encounter oftentimes with clients is that they would like to conduct business on standard ports (sometimes not knowing how to configure an application to do otherwise). I fall in your 75%, so you can also call me a 75-percenter. Good luck with your doors!!!

On Wed, 19 Jan 2005 16:25:33 -0500, Roger A. Grimes <roger () banneretcs com> wrote:
> Offline, the mail to me has been 75% in support (including many enterprise security officers telling me they have been using the idea for years), 25% think I'm an idiot. I'm not sure which way I'm leaning.
>
> A lot of the emails have been telling me that my approach of using non-default ports alone is crazy. I never said it was the only approach. I said it was an approach that did increase security. I hoped through my exercise to prove it, and I did. I've had three correct guesses now, out of almost 150,000 scans (which by itself is interesting since there are 65K TCP ports).
>
> Here are my parting words on the subject; everything else from me (thankfully, I'm sure) will be off list:
>
> Imagine a house whose outside walls were nothing but doors-after-doors, wall-to-wall, corner-to-corner. Most fake, and only one real one. On a normal house, a thief tries the front or back door (or breaks a window) to enter the house (or uses some other vector). He still has to try a key, pick it, or bust down the correct door when he finds it. My plan makes it more difficult to break in... by an additional factor of whatever number of doors I have. I still have to lock my real door. It still has to be hardened. But there is a greater than normal chance that I (and my neighborhood) will notice the thief trying all doors and some other additional security mechanism kicking in.
>
> Now, many people might not like the look of my house (25% of my mail), but it doesn't change the fact that it is slightly more secure for that particular vector of attack. And if I've got an intruder (i.e. a worm) that ONLY tries the center front door every time (like 99.99% of attacks), and my real door is located anywhere else, the intruder is not getting in.
>
> Now excuse me while I go move some doors around.
>
> Roger
>
> ***************************************************************************
> *Roger A. Grimes, Banneret Computer Security, Computer Security Consultant
> *CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), CEH, CHFI
> *email: roger () banneretcs com
> *cell: 757-615-3355
> *Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly
> *http://www.oreilly.com/catalog/malmobcode
> *Author of Honeypots for Windows (Apress)
> *http://www.apress.com/book/bookDisplay.html?bID=281
> ***************************************************************************
--
Yonesy F. Nuñez, ISSAP, ISSMP, CISSP, MCSE, Security+
Failed to plan?... Then plan to fail!!!
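Roger's argument rests on two observable effects: a service on a non-default port is only reached by something that sweeps many ports, and a sweep like that is easy for the "neighborhood" to notice, while a worm that only tries the default door never connects at all. The following script is an added example, not code from either poster, that shows the detection side of that argument over firewall log lines. It parses constructed iptables-style DROP/ACCEPT lines, flags sources that touched many distinct destination ports (a sweep), lists sources that only ever tried the default port (worm-like behaviour), and counts how often each port was probed. All hosts, ports, the log format and the thresholds are assumptions made for this example.

```python
"""Port-sweep detection over constructed firewall log lines (added example).

Assumptions (not from the thread): an iptables-style log line carrying a
DROP or ACCEPT verdict, SRC=<ip> and DPT=<port>; hosts, ports and the
"real" service port (22022) are invented for the example.
"""
import re
from collections import defaultdict

# Constructed sample log: one sweeper, one default-port-only probe, one legitimate user.
SAMPLE_LOG = """\
Jan 20 23:10:01 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
Jan 20 23:10:01 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
Jan 20 23:10:01 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=25
Jan 20 23:10:02 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80
Jan 20 23:10:02 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=443
Jan 20 23:10:02 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=2200
Jan 20 23:10:03 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=2222
Jan 20 23:10:03 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3389
Jan 20 23:10:03 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=8080
Jan 20 23:10:04 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=8443
Jan 20 23:10:04 gw kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22022
Jan 20 23:11:00 gw kernel: DROP IN=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP DPT=22
Jan 20 23:11:30 gw kernel: DROP IN=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP DPT=22
Jan 20 23:12:00 gw kernel: DROP IN=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP DPT=22
Jan 20 23:12:05 gw sshd[4242]: Accepted publickey for admin from 192.0.2.50 port 51000
Jan 20 23:12:05 gw kernel: ACCEPT IN=eth0 SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP DPT=22022
"""

# Verdict, source address and destination port; non-firewall lines simply do not match.
LOG_RE = re.compile(r"\b(?P<action>DROP|ACCEPT)\b.*?\bSRC=(?P<src>[\d.]+).*?\bDPT=(?P<dpt>\d+)\b")


def parse_events(text):
    """Return a list of (action, src, dport) tuples for every line that parses."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append((m.group("action"), m.group("src"), int(m.group("dpt"))))
    return events


def find_sweepers(events, min_distinct_ports=8):
    """Sources that touched at least min_distinct_ports distinct destination ports.

    This is the "thief trying all the doors" signal: a single source fanning
    out across many ports, regardless of whether any attempt was accepted.
    """
    ports_by_src = defaultdict(set)
    for _action, src, dport in events:
        ports_by_src[src].add(dport)
    return {src: sorted(ports) for src, ports in ports_by_src.items()
            if len(ports) >= min_distinct_ports}


def default_port_only(events, default_port=22):
    """Sources whose every attempt went to the default port and none was accepted.

    A service moved off the default port is invisible to this kind of probe.
    """
    ports_by_src = defaultdict(set)
    accepted = set()
    for action, src, dport in events:
        ports_by_src[src].add(dport)
        if action == "ACCEPT":
            accepted.add(src)
    return sorted(src for src, ports in ports_by_src.items()
                  if ports == {default_port} and src not in accepted)


def probes_per_port(events):
    """How many attempts each destination port received, across all sources."""
    counts = defaultdict(int)
    for _action, _src, dport in events:
        counts[dport] += 1
    return dict(counts)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("parsed events:", len(evts))
    for src, ports in find_sweepers(evts).items():
        print(f"ALERT sweep from {src}: {len(ports)} distinct ports {ports}")
    print("default-port-only sources:", default_port_only(evts))
    print("attempts on the real port 22022:", probes_per_port(evts).get(22022, 0))
```

On the constructed log the sweeper is the only source that ever reaches the real port, and it is also the only source loud enough to trip the distinct-port threshold; the default-port-only source never gets past DROP. Tune `min_distinct_ports` to the normal fan-out of your own traffic before alerting on it.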