From: "John Howie"
To: "Jacques A. Vidrine"
Cc: "Crist Clark"
Subject: Re: Theory Question
Date: Sat, 7 Apr 2001 16:16:55 -0700

Jacques,

You are missing my points (or perhaps I typed too fast to make them clearly). Crist supplied the ifconfig scenario, I just followed up on it, and I thought we were still talking about script kiddies. That said, security can still be strengthened through obscurity but as you quite correctly point out it cannot solely be relied upon.

If I force would-be intruders to have to defeat/circumvent individual measures such as firewalls/NAT boxes just to determine my topologies before they can even make an attempt at an attack on servers, then most will give up and go away. With the correct supporting measures in place, obscuring network topology is a valid step to take.

john...

----- Original Message -----
From: "Jacques A. Vidrine"
To: "John Howie"
Cc: "Crist Clark"
Sent: Saturday, April 07, 2001 4:00 PM
Subject: Re: Theory Question

> On Sat, Apr 07, 2001 at 03:48:53PM -0700, John Howie wrote:
> > Agreed! And the hacker would also need to have intimate knowledge of your
> > network configuration to be able to supply the correct parameters to
> > ifconfig in the scenario that Crist outlined.
>
> Well, no. Arbitrary code is just that: arbitrary. Arbitrary code can
> determine a working configuration for any network interface. And in
> many cases it will not even be necessary to `ifconfig' the interface
> to use it.
>
> > One item that was missing from
> > the original design was an exterior DMZ firewall (or perhaps I just missed
> > that component) running NAT. Key to securing the infrastructure is making it
> > as difficult as possible for a hacker to determine DMZ and production
> > network topologies and machine addresses.
>
> If the `key' to your security is obscurity of your internal network
> configuration, expect to be compromised. This information is not hard
> to obtain by a determined attacker, and technology is probably not
> even an issue.
>
> Cheers,
> --
> Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org