Firewall Wizards mailing list archives

Re: IPv6 support in firewalls


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Mon, 27 Aug 2007 17:50:04 -0400

Patrick M. Hausen wrote:
> The security of a cipher should not depend on the secrecy of the algorithm.

Why does everyone always quote this? It applies to cryptography
but - unless I'm completely missing the point - we are talking about
firewalls and network security, not cryptography. It is a decent
general design principle but simply because something sounds
really catchy doesn't make it universally applicable.

Consider the statement:
The strength of an army should depend on its soldiers, not on
keeping your battle-plans secret.

That is, of course, ridiculous.

> The security of a network should not depend on the secrecy of
> the structure, because sooner or later secrets will be no longer.

The security of a network should not depend on the secrecy of
its structure, but denying the enemy useful information is one
of the fundamental techniques of warfare. And, as far as I can
tell, network security has more similarities to siege-craft than
cryptography. If your enemy does not know the terrain, they
are more likely to give their intent away while performing
reconnaissance, or to make a mistake once they get inside
your perimeter. In fact, I got called in on a case a number of
years ago where a major financial organization was compromised
by a hacker and they detected him because he was trying to
map the network and stumbled into the wrong system in
the process.

Lastly, and far from least, even cryptographers don't practice
what they preach. You won't see the NSA publishing the
algorithms used in a STU any time soon. Nor will you see
the NSA declassifying Type 1 crypto algorithms in your
lifetime. I highly recommend David Kahn's "Seizing the Enigma"
as a fascinating history in its own right. One part that was
even Hollywood-worthy was the sailors who raced into
the cipher room of a sinking U-boat to try to salvage the
Enigma machine - so that the codebreakers could better
reverse-engineer its algorithms once they had the actual
code-wheels in their possession.

Of COURSE your security shouldn't depend on the secrecy
of the algorithm. But you're crazy not to deny the enemy
every bit of information you can.

mjr.
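The anecdote above (an intruder caught because mapping the network led him into the wrong system) is a detection pattern a defender can implement deliberately. The following is an added example, not code from the post or from anyone on the list: it runs two checks over a constructed connection log, flagging any source that touches a decoy address no legitimate host should ever contact, and any source that fans out to an unusually large number of distinct internal destinations within a short window. The log lines, addresses, decoy host and thresholds are all assumptions invented for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample connection log (not from the post): "timestamp src dst dport".
# 10.1.5.40 is an ordinary workstation; 10.1.5.23 walks the server subnet
# and, on the way, hits an address that is deliberately left unused.
SAMPLE_LOG = """\
2007-08-27T17:40:01 10.1.5.40 10.1.20.10 445
2007-08-27T17:40:05 10.1.5.40 10.1.20.12 25
2007-08-27T17:40:09 10.1.5.40 10.1.20.10 445
2007-08-27T17:41:00 10.1.5.23 10.1.20.10 445
2007-08-27T17:41:01 10.1.5.23 10.1.20.11 445
2007-08-27T17:41:02 10.1.5.23 10.1.20.12 445
2007-08-27T17:41:03 10.1.5.23 10.1.20.13 445
2007-08-27T17:41:04 10.1.5.23 10.1.20.250 445
2007-08-27T17:41:05 10.1.5.23 10.1.20.14 445
2007-08-27T17:55:00 10.1.5.40 10.1.20.12 25
"""

# Hypothetical decoy: an address on the server subnet that nothing legitimate uses.
DECOY_HOSTS = {"10.1.20.250"}
# Distinct destinations one source may reach inside WINDOW before it is flagged.
FANOUT_THRESHOLD = 5
WINDOW = timedelta(minutes=2)


@dataclass
class Alert:
    src: str
    reason: str   # "decoy" or "fanout"
    detail: str


def parse_log(text):
    """Yield (timestamp, src, dst, dport) tuples from the simple log format above."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, dport = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport)


def detect(text, decoys=DECOY_HOSTS, fanout=FANOUT_THRESHOLD, window=WINDOW):
    """Return alerts in the order they fire; each source gets at most one fan-out alert."""
    alerts = []
    recent = defaultdict(list)   # src -> [(ts, dst)] within the sliding window
    fanout_flagged = set()
    for ts, src, dst, dport in parse_log(text):
        # Check 1: contact with a decoy is a mistake a legitimate host never makes.
        if dst in decoys:
            alerts.append(Alert(src, "decoy",
                                f"contacted decoy {dst}:{dport} at {ts.isoformat()}"))
        # Check 2: reconnaissance shows up as many distinct destinations in a short time.
        recent[src] = [(t, d) for t, d in recent[src] if ts - t <= window]
        recent[src].append((ts, dst))
        distinct = {d for _, d in recent[src]}
        if len(distinct) >= fanout and src not in fanout_flagged:
            fanout_flagged.add(src)
            alerts.append(Alert(src, "fanout",
                                f"{len(distinct)} distinct destinations within "
                                f"{int(window.total_seconds())}s ending {ts.isoformat()}"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.src} [{a.reason}] {a.detail}")
```

The decoy check is the cheaper and less noisy of the two, because a single hit is enough and there is no threshold to tune; the fan-out check needs a threshold chosen against what ordinary hosts on that segment actually do, which is exactly the terrain knowledge the post argues an outsider should be denied.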

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards