From owner-freebsd-hackers Tue Apr 23 16:57:26 2002
Delivered-To: freebsd-hackers@freebsd.org
Received: from hawk.mail.pas.earthlink.net (hawk.mail.pas.earthlink.net [207.217.120.22])
	by hub.freebsd.org (Postfix) with ESMTP id C01A537B419;
	Tue, 23 Apr 2002 16:57:19 -0700 (PDT)
Received: from pool0099.cvx40-bradley.dialup.earthlink.net ([216.244.42.99] helo=mindspring.com)
	by hawk.mail.pas.earthlink.net with esmtp (Exim 3.33 #2)
	id 170A9p-0001Ee-00; Tue, 23 Apr 2002 16:57:13 -0700
Message-ID: <3CC5F4BB.FF231884@mindspring.com>
Date: Tue, 23 Apr 2002 16:56:43 -0700
From: Terry Lambert
X-Mailer: Mozilla 4.7 [en]C-CCK-MCD {Sony} (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Robert Watson
Cc: Greg 'groggy' Lehey, Jordan Hubbard, Oscar Bonilla, Anthony Schneider,
	Mike Meyer, hackers@FreeBSD.org
Subject: Re: Security through obscurity? (was: ssh + compiled-in SKEY support considered harmful?)
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Robert Watson wrote:
> 
> "Securing telnet is hard; let's turn it off and go shopping".  8-).
> 
> Or maybe,
> 
> Few people use telnet any more, so we'll spend some time fixing it, but
> we'll also disable it by default, since many of the reports of
> compromise come from people who weren't even using it, but left it
> turned on since it was the default.

"Few people will use telnet, particularly after we turn it off and
go shopping.  We can avoid vulnerability reports by reducing the
number of systems running the code."  8-) 8-) 8-).

> Conservative defaults help you with risk you believe is present,
> but where you can't necessarily make the material improvement that you'd
> like to.

"Obscuring the location of the password file by putting it in a
hidden directory statistically reduces the risk that the password
file will be compromised."

> The reality is that reducing exposure is an important part of any security
> posture.

This is an argument for security through obscurity.  If we are
talking risk reduction, then we can easily achieve it statistically
through obscurity.  In fact, this is exactly what FreeBSD does
through its choice of TCP sequence numbers.

> > FWIW: I wouldn't object to a firewall rule that disallowed remote TCP
> > connections to the X server by default, if the firewall is enabled.  I
> > think we already have this...
> 
> The firewall code serves a useful function, but one of its great
> detriments is a lack of application awareness.  The current placement of
> the policy seems most reasonable to me, but might be supplemented by such
> a rule if desired.

Application state is not necessary for incoming connections which
are self-identified by source and destination IP and port; the
existing stateless firewall code can handle them completely, without
introducing problems.

Actually, it would be more useful to concentrate on so-called
"stealth firewall" technology, so that OS identification due to
port scans, etc., is impossible, and so it looks as if there is no
machine there whatsoever, if there are no services actively listening
AND access is permitted to the source machine.

-- Terry

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
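The remark above about FreeBSD's choice of TCP sequence numbers deserves a concrete illustration, so here is an added example (mine, not code from the post or from the FreeBSD kernel) of the attack a clock-driven initial sequence number invites and how a keyed ISN defeats it. It puts a 4.4BSD-style counter next to an RFC 1948 / RFC 6528-shaped generator and runs the same off-path guessing attack against both. The constants, the addresses, the probe times and the per-host secret are all constructed for the demonstration, and HMAC-SHA256 stands in for the MD5 the RFCs use.

```python
"""Added example: why a keyed initial sequence number (ISN) resists the
off-path prediction attack that a clock-driven ISN invites.

Two generators side by side:
  ClassicIsn  - one global counter, bumped per second and per connection
                (the 4.4BSD-era scheme; constants are the textbook ones).
  KeyedIsn    - ISN = M(t) + F(local ip/port, remote ip/port, secret),
                the RFC 1948 / RFC 6528 shape; HMAC-SHA256 stands in for
                the RFC's MD5 and the secret never leaves the "kernel".
Addresses, times and the secret below are constructed for the demo.
"""
import hashlib
import hmac

ISN_MOD = 1 << 32


class ClassicIsn:
    PER_SECOND = 64_000       # clock contribution per second
    PER_CONNECTION = 64_000   # bump applied for every accepted connection

    def __init__(self, start=0):
        self.counter = start

    def isn(self, local, remote, now):
        # The 4-tuple plays no part: every peer sees the same clock.
        value = (self.counter + self.PER_SECOND * now) % ISN_MOD
        self.counter = (self.counter + self.PER_CONNECTION) % ISN_MOD
        return value


class KeyedIsn:
    PER_SECOND = 250_000      # M(t): a 4 microsecond tick, as in RFC 6528

    def __init__(self, secret: bytes):
        self.secret = secret

    def isn(self, local, remote, now):
        msg = "{}:{}>{}:{}".format(*local, *remote).encode()
        f = int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")
        return (self.PER_SECOND * now + f) % ISN_MOD


# Constructed endpoints (RFC 5737 documentation ranges).
SERVER = ("192.0.2.22", 513)       # an rlogin-style service trusting VICTIM
VICTIM = ("198.51.100.7", 1023)    # the client the attacker wants to spoof
ATTACKER = ("203.0.113.9", 40001)


def linear_guess(obs1, obs2, target_time):
    """Attacker side: learn the clock rate from two probe handshakes and
    extrapolate, assuming the spoofed connection is the next one the server
    accepts (the Morris / Bellovin reasoning)."""
    (t1, isn1), (t2, isn2) = obs1, obs2
    slope = ((isn2 - isn1) % ISN_MOD) // (t2 - t1)
    return (isn2 + slope * (target_time - t2)) % ISN_MOD


def run_attack(server_isn):
    """Probe the server twice from the attacker's own address, then compare
    the extrapolated ISN with the one the server really assigns to the
    spoofed VICTIM connection at t=12. Returns (guess, actual)."""
    # Same attacker 4-tuple for both probes, so that against KeyedIsn the
    # per-tuple term cancels out and the attacker learns the rate exactly;
    # F(VICTIM) is what he still cannot learn from his own connections.
    probes = [(t, server_isn.isn(SERVER, ATTACKER, t)) for t in (10, 11)]
    actual = server_isn.isn(SERVER, VICTIM, 12)
    return linear_guess(probes[0], probes[1], 12), actual


if __name__ == "__main__":
    for name, gen in (("classic", ClassicIsn()),
                      ("keyed", KeyedIsn(b"constructed-per-host-secret"))):
        guess, actual = run_attack(gen)
        print(f"{name:8s} guess={guess:#010x} actual={actual:#010x} "
              f"{'PREDICTED' if guess == actual else 'missed'}")
```

Against ClassicIsn the extrapolation lands exactly on the ISN the server hands the spoofed connection, which is all an attacker who cannot see the SYN-ACK needs to complete the handshake. Against KeyedIsn the attacker's probes reveal the clock rate perfectly and still tell him nothing about the victim's tuple: the "obscurity" is a secret that is never exposed, which is the sense in which randomised sequence numbers reduce risk statistically rather than by hiding the algorithm.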
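The two firewall points at the end of the message, as an added example that is not part of the post and is not FreeBSD code: a packet-level simulation of a stateless "deny remote connections to the X server" rule, and of the difference a port scanner sees between a host that answers closed ports with a RST and one that stays silent. The rule modelled corresponds to an ipfw(8) rule of the form `deny tcp from not 192.0.2.0/24 to me 6000-6063 setup in`, and the silent mode to what FreeBSD's net.inet.tcp.blackhole sysctl does for TCP; host address, local network, listening ports and scanner address are constructed.

```python
"""Added example: the two firewall points at the end of the message, as a
packet-level simulation. Nothing here is FreeBSD code; it models what an
ipfw stateless 'deny ... setup' rule and the net.inet.tcp.blackhole
sysctl do, so that the effect on a port scanner can be checked.

  1. A stateless rule can reject a remote connection attempt to the X
     server outright: a new inbound connection is self-identified by
     SYN-without-ACK plus the 4-tuple, no application state required.
  2. What a scanner learns from a port with no listener depends on the
     answer: a RST says "host here, port closed"; silence is what an
     unused address looks like, which is the "stealth" behaviour.

Addresses are constructed (RFC 5737 documentation ranges).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

X11_PORTS = range(6000, 6064)                   # X displays :0 .. :63
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
HOST_ADDR = "192.0.2.22"


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


def x11_rule_drops(seg: Segment) -> bool:
    """The stateless rule: drop inbound TCP SYNs to the X ports unless the
    source is on the local network. Every field tested is in the packet."""
    return (seg.syn and not seg.ack
            and seg.dport in X11_PORTS
            and ipaddress.ip_address(seg.src) not in LOCAL_NET)


class Host:
    def __init__(self, listening, blackhole=False):
        self.listening = set(listening)   # ports with an active listener
        self.blackhole = blackhole        # True: no RST for closed ports

    def respond(self, seg: Segment) -> Optional[Segment]:
        """Reply segment for an inbound segment, or None if nothing is sent."""
        if x11_rule_drops(seg):
            return None                   # firewall deny: dropped silently
        if seg.syn and not seg.ack and seg.dport in self.listening:
            return Segment(seg.dst, seg.dport, seg.src, seg.sport, syn=True, ack=True)
        if self.blackhole:
            return None                   # closed port, but stay quiet
        return Segment(seg.dst, seg.dport, seg.src, seg.sport, rst=True, ack=True)


def scanner_verdict(reply: Optional[Segment]) -> str:
    """How a SYN scanner classifies the answer to its probe."""
    if reply is None:
        return "filtered"
    if reply.syn and reply.ack:
        return "open"
    if reply.rst:
        return "closed"
    return "unknown"


def scan(host: Host, src: str, ports) -> dict:
    """SYN-scan `ports` on `host` from address `src`."""
    return {p: scanner_verdict(host.respond(Segment(src, 50000, HOST_ADDR, p, syn=True)))
            for p in ports}


if __name__ == "__main__":
    remote, local = "203.0.113.9", "192.0.2.5"
    print("sshd only, RST on closed ports:  ", scan(Host({22}), remote, [22, 25, 6000]))
    print("sshd only, blackhole:            ", scan(Host({22}, blackhole=True), remote, [22, 25, 6000]))
    print("nothing listening, blackhole:    ", scan(Host(set(), blackhole=True), remote, [22, 25, 6000]))
    print("X server, remote vs local source:",
          scan(Host({6000}), remote, [6000]), scan(Host({6000}), local, [6000]))
```

The RST for port 25 in the first run is what gives the host away: a scanner that gets "closed" knows something is answering and can go on to fingerprint it. With blackhole behaviour and no listeners every probe comes back "filtered", which is indistinguishable from an unused address at the TCP level; that is exactly the condition the message states (no services listening). A real scanner also probes UDP and ICMP, so the TCP switch alone is not the whole picture, and any port that is genuinely open still answers.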