Firewall Wizards mailing list archives
Re: IPv6 support in firewalls
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Mon, 27 Aug 2007 17:50:04 -0400
Patrick M. Hausen wrote:
> The security of a cipher should not depend on the secrecy of the algorithm.
Why does everyone always quote this? It applies to cryptography but - unless I'm completely missing the point - we are talking about firewalls and network security, not cryptography. It is a decent general design principle but simply because something sounds really catchy doesn't make it universally applicable. Consider the statement: The strength of an army should depend on its soldiers, not on keeping your battle-plans secret. That is, of course, ridiculous.
> The security of a network should not depend on the secrecy of the structure, because sooner or later secrets will be no longer.
The security of a network should not depend on the secrecy of its structure, but denying the enemy useful information is one of the fundamental techniques of warfare. And, as far as I can tell, network security has more similarities to siege-craft than cryptography. If your enemy does not know the terrain, they are more likely to give their intent away while performing reconnaissance, or to make a mistake once they get inside your perimeter. In fact, I got called in on a case a number of years ago where a major financial organization was compromised by a hacker, and they detected him because he was trying to map the network and stumbled into the wrong system in the process.

Lastly, and far from least, even cryptographers don't practice what they preach. You won't see the NSA publishing the algorithms used in a STU any time soon. Nor will you see the NSA declassifying Type 1 crypto algorithms in your lifetime. I highly recommend David Kahn's "Seizing the Enigma" as a fascinating history in its own right. One part that was even Hollywood-worthy was the sailors who raced into the cipher room of a sinking U-boat to try to salvage the Enigma machine - so that the codebreakers could better reverse-engineer its algorithms once they had the actual code-wheels in their possession.

Of COURSE your security shouldn't depend on the secrecy of the algorithm. But you're crazy not to deny the enemy every bit of information you can.

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards