Penetration Testing mailing list archives

Defining security measures (Was: an alternative to port-knocking using the OpenBSD pf only)


From: Pete Herzog <lists () isecom org>
Date: Tue, 28 Feb 2006 17:58:04 +0100

Hi poplix,

A few comments:

> Easily perhaps from many internal networks. But it's much more difficult for an attacker to sniff it without access to either the client's network or the server's network.
>
> I think a security layer must fit anybody's needs and cannot fail only because the connecting host is not in a safe location.

All security is based on the environment. All. And business security must be applied according to its environment. The concept of security is to provide protection in order to create the safer haven. Everything we do is relative to that haven, real or artificial. Saying it's not relative to the environment is like, well, like this: http://www.theonion.com/content/node/45360


> But it is a security layer because it makes a system harder to hack. How is that not a security layer?
>
> It's not easy to define the meaning of "security layer". It's not wrong to define a security layer as "anything that increases security", but it's not exactly correct. It's possible to distinguish between a security layer and a security measure: a security layer is a part of a system designed to increase security; a security measure is any measure we adopt to make our system safer. Adding a firewall rule that allows access to a trusted IP only is a security measure; the firewall itself is a security layer. I think port-knocking is not a security layer because it plays with an existing security layer, i.e. the firewall. If you bind sshd on a different port every hour, your system is probably safer, but how can you consider this a security layer? Maybe you can call it a security measure....

This really doesn't make it any clearer to me as a definition. So I'm okay with discussing this. But I don't think it will change the clarity of your argument. A security layer is protection in whole. That layer can be perfect or flawed or even of the wrong fit for security needs. A layer is something that applies as one to a thing as a whole such as a whole network, a whole system, etc. without changes for sub-groups under that whole. Just by definition:

  2 a: one thickness, course, or fold laid or lying over or under another (http://www.m-w.com/)

Therefore a security layer doesn't say anything about the type or appropriateness of the protection in place. Just that it's there.

You say blocking one port is a sec measure and a firewall is a layer. I disagree. A firewall is a type of protection solution we associate with managing security at the network level. There are many types of firewalls but are there many types of blocked ports? No, there are many ways within the process of blocking a port from protocol to RFC compliance but it still remains either that port is blocked or not.

If I bind sshd on a different port every hour, that is a type of protection. The protection provided there is a Loss Control called Privacy where the method of message delivery is known only between intended parties. It's used in many technologies, most notably the principle of the RSA tokens changing every minute in sync with the login server. How is that not a security layer?
A security measure?

  1 a (1): an adequate or due portion

Again, by definition, a security measure would have to refer to the proper type of protection for a thing. Therefore an iron bar cannot be a security measure for an IP network but it can be one for holding a door shut.

Therefore, I conclude port-knocking is a type of protection, under these terms, even a security layer for that server. Is it a security measure? The answer now depends on whether or not port-knocking provides adequate protection for intended operations and environment.

Sincerely,
-pete.

