Great Circle Associates Firewalls
(October 1992)
 

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Re: Reverse and double-reverse IP address lookups as service prerequisites
From: Brent Chapman <brent @ GreatCircle . COM>
Date: Mon, 05 Oct 92 11:17:06 -0700
To: firewalls @ GreatCircle . COM
In-reply-to: Your message of Mon, 5 Oct 92 09:59:54 -0400
Reply-to: Brent @ GreatCircle . COM

mjr @
 decuac .
 DEC .
 COM (Marcus J. "Buddy can you spare a clue?" Ranum) writes:

# 	Usually, I like to take the approach that hiding host names is
# "security through obscurity" and as such should not be respected as
# improving your situation noticeably.

I agree that it's security through obscurity, and should not be
counted on to protect anything, BUT every little bit helps.  Why give
folks ammunition, in the way of host names that can be used for
"social engineering" or password attempts or anything else?  Sure,
not making the host names trivially available doesn't solve much, but
it's one more piece of the puzzle.

Now, all that said, only a couple of the firewalls I've worked on
bother to do that.  Most of my clients feel the way Marcus does about
hiding host names: why bother?  My point is, it's possible IF you
think it's valuable, and some folks think it's valuable.

# 	There are just too many ways to get host information - I'd
# rather try to secure my network than hide it.

I was definitely NOT suggesting hiding it rather than securing it.  I
was suggesting hiding it AFTER you've done your best to secure it;
that gives you one more layer (perhaps trivial) that someone has to
work their way through to get to you.

I don't believe in absolute security; I don't believe that it's
possible.  I believe that it's a worthy _GOAL_, but I don't have any
illusions that I'm going to actually ACHIEVE the goal.  Therefore, I
do every little thing I can to tighten up security on the firewall
systems I build.  Some are big things, like setting up packet
filtering in the routers.  Some are little things, like hiding
internal host names.  They all matter, to a greater or lesser degree.
Hiding host names is way down on my list of what steps are important
to take in securing a network, but it IS on the list.  Some of my
clients, for whatever reason, never get that far down the list, but
some do.


-Brent
--
Brent Chapman                                   Great Circle Associates
Brent @
 GreatCircle .
 COM                           1057 West Dana Street
+1 415 962 0841                                 Mountain View, CA  94041



Follow-Ups:
Indexed By Date Previous: Commercial Product Request
From: rogerskm @ esvax . dnet . dupont . com
Next: : Re: Filters and interfaces.
From: stanonik @ nprdc . navy . mil (Ron Stanonik)
Indexed By Thread Previous: Re: Reverse and double-reverse IP address lookups as service prerequisites
From: mjr @ decuac . DEC . COM (Marcus J. "Buddy can you spare a clue?" Ranum)
Next: Re: Reverse and double-reverse IP address lookups as service prerequisites
From: Aydin Edguer <edguer @ alpha . CES . CWRU . Edu>

Google
 
Search Internet Search www.greatcircle.com