COM (Marcus J. "Buddy can you spare a clue?" Ranum) writes:
# Usually, I like to take the approach that hiding host names is
# "security through obscurity" and as such should not be respected as
# improving your situation noticeably.

I agree that it's security through obscurity, and should not be
counted on to protect anything, BUT every little bit helps. Why give
folks ammunition, in the way of host names that can be used for
"social engineering" or password attempts or anything else? Sure,
not making the host names trivially available doesn't solve much, but
it's one more piece of the puzzle.

Now, all that said, only a couple of the firewalls I've worked on
bother to do that. Most of my clients feel the way Marcus does about
hiding host names: why bother? My point is, it's possible IF you
think it's valuable, and some folks think it's valuable.

# There are just too many ways to get host information - I'd
# rather try to secure my network than hide it.

I was definitely NOT suggesting hiding it rather than securing it. I
was suggesting hiding it AFTER you've done your best to secure it;
that gives you one more layer (perhaps trivial) that someone has to
work their way through to get to you.

I don't believe in absolute security; I don't believe that it's
possible. I believe that it's a worthy _GOAL_, but I don't have any
illusions that I'm going to actually ACHIEVE the goal. Therefore, I
do every little thing I can to tighten up security on the firewall
systems I build. Some are big things, like setting up packet
filtering in the routers. Some are little things, like hiding
internal host names. They all matter, to a greater or lesser degree.

Hiding host names is way down on my list of what steps are important
to take in securing a network, but it IS on the list. Some of my
clients, for whatever reason, never get that far down the list, but

Brent Chapman Great Circle Associates
COM 1057 West Dana Street
+1 415 962 0841 Mountain View, CA 94041