Great Circle Associates Firewalls
(October 1992)
 


Subject: Re: Reverse and double-reverse IP address lookups as service prerequisites
From: Brent Chapman <brent @ GreatCircle . COM>
Date: Mon, 05 Oct 92 14:15:40 -0700
To: Firewalls @ GreatCircle . COM
Reply-to: Brent @ GreatCircle . COM

Aydin Edguer <edguer @ alpha . CES . CWRU . Edu> writes:

# > I agree that it's security through obscurity, and should not be
# > counted on to protect anything, BUT every little bit helps.  Why give
# > folks ammunition, in the way of host names that can be used for
# > "social engineering" or password attempts or anything else?  Sure,
# > not making the host names trivially available doesn't solve much, but
# > it's one more piece of the puzzle.
# 
# But the point is that if "I" am trying to break into "your" hosts, then
# "I" don't really care about the hostname, all "I" need is the IP address.
# Unless you are going to hide your IP addresses, then hiding the hostnames
# seems rather pointless (except for mail).  If you do hide IP addresses then
# I fully agree that hiding your hostnames is important and useful.

Some people (including some but not most of my clients) consider host
names to be useful information in and of themselves, regardless of
what IP address the host maps to.  The host names might give outsiders
a clue about projects inside the company, they give outsiders more
ammunition for their password cracking programs, and they let
outsiders appear to be knowledgeable about the site if they try to
engage in social engineering to get past human security measures
(i.e., if somebody who looks like a repair tech shows up at your
receptionist's desk and says "I'm here to work on <some internal
machine name> and it's an emergency; they're waiting for me in the
machine room", what's your receptionist going to do?).

# The point of doing a "double reverse" name lookup is security/authentication.
# It helps to prevent spoofing of the nameserver by people forging PTR records
# in their nameservers.  Thus I think that a "double reverse" name lookup is
# under normal usage [with or without firewall] going to help cut down on
# "forgeries" more than hiding only the names is going to help.

I don't think knowing the name that goes with an IP address really
tells you any more than the IP address itself, which you've got regardless.


-Brent
--
Brent Chapman                                   Great Circle Associates
Brent @ GreatCircle . COM                       1057 West Dana Street
+1 415 962 0841                                 Mountain View, CA  94041
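
The "double reverse" lookup discussed in the quoted text above, as an added example that is not part of the original message: a service resolves the client's address to a name (PTR), resolves that name back to addresses, and accepts the name only if the original address is among them. The zone data, the `fake_*` resolvers and the function names are constructed for illustration; the default resolvers use the standard `socket` calls and cover IPv4 only.

```python
import socket

def _ptr_names(ip):
    # Live reverse lookup: PTR name plus any aliases.
    host, aliases, _ = socket.gethostbyaddr(ip)
    return [host, *aliases]

def _a_addrs(name):
    # Live forward lookup (gethostbyname_ex is IPv4 only).
    return socket.gethostbyname_ex(name)[2]

def double_reverse(ip, reverse=_ptr_names, forward=_a_addrs):
    """Return (verified_name, reason); verified_name is None on failure."""
    try:
        names = reverse(ip)
    except OSError:            # socket.herror / gaierror are OSError subclasses
        names = []
    if not names:
        return None, "no PTR record"
    for name in names:
        try:
            addrs = forward(name)
        except OSError:
            continue           # the claimed name does not resolve at all
        if ip in addrs:
            return name.rstrip(".").lower(), "forward lookup confirms PTR"
    return None, "PTR name does not map back to the address"

# Constructed sample zone data (documentation address ranges, example.com names).
PTR = {"192.0.2.10": ["gw.example.com"],
       "198.51.100.7": ["trusted.example.com"]}   # PTR set by whoever runs that reverse zone
A = {"gw.example.com": ["192.0.2.10"],
     "trusted.example.com": ["192.0.2.20"]}       # forward zone run by the name's real owner

def fake_reverse(ip):
    if ip not in PTR:
        raise socket.herror(1, "Unknown host")
    return PTR[ip]

def fake_forward(name):
    if name not in A:
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return A[name]

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, double_reverse(ip, fake_reverse, fake_forward))
```

The check only shows that the reverse and forward zones agree; it says nothing about whether either zone's answers were themselves tampered with in transit.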

