On Wed, Dec 11, 2002 at 03:07:20PM +0100, Saad Kadhi wrote:
> On Wed, Dec 11, 2002 at 08:08:55AM -0500, Michael Lucas wrote:
> > On Wed, Dec 11, 2002 at 02:02:28PM +0100, Henning Brauer wrote:
> > > oh wow, a real advantage.
> > > if someone wants to know I'm running OpenBSD he just needs to read our
> > > website.
> >
> > Yes, but some of us don't want to say. Specifically, if nmap says our
> > firewall is OpenBSD, the next question from IT management will be "Why
> > aren't you running Checkpoint?" I'll then have to go through the
> > arguments of "it's my budget, dammit, and I'll spend it where I want
> > it." Concealing the OS would save me time and energy.
>
> if somebody wants to know what version/os stuff you are running, and she
> puts enough time & energy in this task, she'll end up knowing.

Absolutely.

> that said, if management is clueless about the fact that you are currently
> running an open source firewall, how would they know how to use nmap?

I work for a contracting firm, and am continually being second-guessed
by people who think they have a clue and don't actually do the work.
My goal is to a) provide security, and b) eliminate as much
second-guessing as possible.

> Last time I checked QualysGuard(tm), a 'block in quick on $external_if
> proto tcp from any to any flags FUP' stopped them from fingerprinting
> the OS. That said, they also reported that PF (as of 3.0) was vulnerable
> to packet fragmentation (indeed I had scrub activated. see
> http://marc.theaimsgroup.com/?l=openbsd-misc&m=101541311510238&w=2).

Thanks.

--
Michael Lucas [EMAIL PROTECTED], [EMAIL PROTECTED]
http://www.oreillynet.com/pub/q/Big_Scary_Daemons
Absolute BSD: http://www.AbsoluteBSD.com/
