Steffen Wendzel wrote:
> On Sun, 22 Oct 2006 14:42:18 +0200 "Inigo T. A." <[EMAIL PROTECTED]> wrote:
...
> : If you have a security problem with a service, the only "more secure"
> : action is to fix it, not to open it eventually.
> : 
> 
> this isn't correct. Every service had some security problems in the
> past. Imagine that your service X is vulnerable (only since a few hours,
> by a zero-day exploit or so) and someone tries to exploit it at 2:00 in
> the morning.

to correct a hypothetical flaw in service X, you are introducing a
service Y...

> but if you run some port knocking service (and your attacker does not
> know the port combination/secret key, or even does not know about a
> running port knocking system), he cannot attack your service.

...what if there is a vulnerability in service Y?

Making things more complex rarely actually improves either security or
reliability.

> if you only need the service for administration, you could do such a
> "hiding" of the service. You would only need to open the port via the
> port knocking service for a few minutes while you use it to do some administration.

I like to think of "physical" analogies.  I think this one is pretty
accurate for this case:

You have a building (computer), you don't fully trust the lock
(security) on the front door (service).

You could:
  Move the front door to the side of the building (change port number)
  Paint the front door purple (change the banner shown by the app)
  Drape a canvas tarp over the front door (port knocking)
  Throw away all your tools in the building so they can't be used
    against you (deleting compilers)
Or...
  You could fix the dang lock or replace the lock (security system) or
the entire door (service) with one that is more trusted.

Guess which one is the OpenBSD way?


There are some scary things in that analogy...
1) It is horrifying how trivial some things that people think improve
security really are...similar steps done for physical security on
buildings would typically not even be noticed by your average
drug-addicted street criminal on the way to score a little cash for his
next hit.

2) Amazingly, in the world of computers, those trivial changes actually
may deflect some attacks.  This shows the incredible low level of skill
these script kiddies really possess (or the number of softer targets).


If you just don't want to see evidence of people trying to twist your
doorknob, and you offer nothing more "interesting" than yet another
platform to attack from, ok, sure, some of this stuff may actually
"help" you withstand the continual attack of mindless "bots", HOWEVER,
if you really have something you are really protecting, this kind of
stuff should not be part of your security plan, as all it does is give
you a false sense of security.  None of this stuff withstands a
determined attacker.

Supposedly, when asked why he robbed banks, Willie Sutton said, "that's
where the money is".  Why do people crack computers?  Historically, it
was because "That's where the fame is".  They got in, they showed their
friends and competitors, and that was about it.  As Internet-exposed
computers get used for more business-involved tasks, the motivation is
changing to Sutton's, "that's where the money is".  Armoring yourself
believing that script kiddies and their pea-shooters, and their
ten-second attention span are your attackers is fighting a war of a few
years ago...in a business environment, you have a new enemy, someone who
doesn't want the fame of 0wn3n1ng your computer (he'd prefer not to be
noticed, in fact!), but rather, wants a copy of (or wishes to alter)
what you are protecting, and wants to profit from that.  And he's
packing a lot more than a pea-shooter, and the payoff is worth a bit of
effort on their part.

Nick.
