Re: Roger's last comment on changing Port defaults

[yonesy <yonesy () gmail com>]

Nice write-up.  It makes sense, analogous to the medieval way of
protecting precious treasures inside castles.  The problem that I
encounter often-times with clients is that they would like to conduct
business on standard ports (sometimes not knowing how to configure an
application to do otherwise).  I fall in your 75%, so you can also
call me a 75-percenter; Good luck with your doors!!!


On Wed, 19 Jan 2005 16:25:33 -0500, Roger A. Grimes
<roger () banneretcs com> wrote:
> Offline, the mail to me has been 75% in support (including many
> enterprise security officers telling me they have been using the idea
> for years), 25% think I'm an idiot.  I'm not sure which way I'm leaning.
>
> A lot of the emails have been telling me that my approach of using
> non-default ports alone is crazy. I never said it was the only approach.
> I said it was an approach that did increase security.  I hoped through
> my exercise to prove it, and I did.  I've had three correct guesses now,
> out of almost 150,000 scans (which by itself is interesting since there
> are 65K TCP ports).  Here's my parting words on the subject, everything
> else from me (thankfully, I'm sure) will be off list:
>
> Imagine a house who's outside walls were nothing but doors-after-doors,
> wall-to-wall, corner to corner.  Most fake, and only one real one. On a
> normal house, thief tries front or back door (or breaks window) to enter
> house (or uses some other vector).  He still has to try a key, pick it,
> or bust down the correct door when he finds it.  My plan makes it more
> difficult to break in...by an additional factor of whatever number of
> doors I have.  I still have to lock my real door.  It still has to be
> hardened.  But there is a greater than normal chance that I (and my
> neighborhood) will notice the thief trying all doors and some other
> additional security mechanism kicking in.  Now, many people might not
> like the look of my house(25% of my mail), but it doesn't change the
> fact that it is slightly more secure for that particular vector of
> attack.  And if I've got an intruder (i.e. worm) that ONLY tries the
> center front door every time (like 99.99% of attacks), and my real door
> is located anywhere else, intruder is not getting in.
>
> Now excuse me while I go move some doors around.
>
> Roger
>
> ************************************************************************
> ***
> *Roger A. Grimes, Banneret Computer Security, Computer Security
> Consultant
> *CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), CEH, CHFI
> *email: roger () banneretcs com
> *cell: 757-615-3355
> *Author of Malicious Mobile Code:  Virus Protection for Windows by
> O'Reilly
> *http://www.oreilly.com/catalog/malmobcode
> *Author of Honeypots for Windows (Apress)
> *http://www.apress.com/book/bookDisplay.html?bID=281
> ************************************************************************
> ****


-- 
Yonesy F. Nuñez, ISSAP, ISSMP, CISSP, MCSE, Security+
Failed to plan?...  Then plan to fail!!!