Well said Gary,
I have to agree. While security by obscurity should NEVER be your only
defense, making it a part of your overall solution is not a bad idea. The
example I like to use is NAT on a Cisco router. If you use a numberless
connection on the serial port of your router that goes to your ISP and use
NAT translation for all of your interior addresses AND do not include a
static translation for the router's interior ethernet address, the router
has NO visible IP address on the Internet. This doesn't mean that it can't
be subject to certain types of DoS attacks or that it won't pass attack
packets to the interior network but it does make it harder to attack since
packets cannot be sent directly to the router.
This is technically NOT a security feature of a Cisco router but it DOES
effectively increase the security profile of the router by obscuring it from
Internet access.
Bill Stackpole, CISSP
Olympic Resource Management, Voice/Data Manager
P.O. Box 1780, Poulsbo, WA 98370
Phone (360) 697-6626 x601 Fax (360) 697-7519
"Simplify. There is no value in complexity, it is too difficult to manage."
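As an added illustration (not part of the mailing list post, and not Bill's configuration), here is one way to express the setup he describes in Cisco IOS syntax. It assumes his "numberless" serial link corresponds to IOS `ip unnumbered`, uses made-up documentation addresses (203.0.113.5 for the ISP-assigned public address, 192.168.1.0/24 inside), and generic interface names; the pool and access-list names are arbitrary.

```cisco
! Added example, not from the original post. Addresses and names are
! constructed; "ip unnumbered" is assumed to be Bill's "numberless" link.
!
interface Ethernet0
 description Interior LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0
 description Link to ISP - carries no address of its own
 ip unnumbered Ethernet0
 ip nat outside
!
! All interior hosts are overloaded onto the single public address. That
! address exists only in the NAT pool, not on any interface, so inbound
! packets to it are forwarded only when a matching translation exists and
! the router itself answers at no public address.
ip nat pool ISP-PUBLIC 203.0.113.5 203.0.113.5 netmask 255.255.255.252
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 pool ISP-PUBLIC overload
!
! Default route out the unnumbered link.
ip route 0.0.0.0 0.0.0.0 Serial0
!
! The line Bill says NOT to add. A static translation for the router's own
! Ethernet address would give it a reachable public identity again:
!   ip nat inside source static 192.168.1.1 203.0.113.6
! Leave it out.
```

`show ip nat translations` on the router confirms that only interior hosts with active sessions appear in the table. As the post itself notes, this obscures the router but filters nothing: packets that match an existing translation still reach the interior network, and the link remains exposed to bandwidth-based DoS.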
> Security through obscurity is much maligned IMHO. Security is
> relative, it's not absolute. Most any measure can be overcome
> with the right amount of time, money, and motivation. If you
> make the key length such that all the computers in the world
> can't break it in eons, the attackers go after where the key is
> stored, the PIN, the card, the password protecting it, the person
> carrying it, their desktop, etc. Ergo, security is a finite fence.
>
> If I can make it more difficult for interlopers to climb,
> poke a hole in, or crawl under my fence, I'm improving
> security by decreasing the number of people with the
> time, money, and motivation to do so. If they have to
> study something, reconnoiter, guess, etc. due to
> insufficient information, then I've put up an extra
> barrier. Note that I don't advocate depending solely
> on that barrier, but IMHO having an extra barrier can
> only be good. In fact, it goes back to "defense in depth".
>
> Shoot, 99% of all of today's security access controls
> are based on obscurity...the obscurity of something
> called a secret password :)
>
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]