Re: [fw-wiz] DNS Names for external services



On Tue, 13 Apr 2010, Behm, Jeff wrote:

> Just curious, what are your opinions of the security vs. ease of use trade-offs on putting DNS entries in (vs. making people know/use an IP address) for services you expose to the Internet.

I've said this for years, but it bears repeating: Obscurity reduces the
incidence of attack, not the success rate.


> For example,
>
> webmail.companynamehere.com for your webmail service
>
> www.companynamehere.com for your web site
>
> The two above are typically common and don't cause me much concern. What about this next one?
>
> vpn.companynamehere.com for your employees to access your company's VPN server
>
> It's this last one that really begs the question. Should I just as well use the name "attackmehere.companynamehere.com" rather than vpn.companynamehere.com? I searched around on the Internet, but couldn't really find pros and cons...
>
> Just looking for opinions. There are no "right" answers ;-)


What's a bigger burden, your support costs or your security costs? If
your VPN is attackable, because of weak userid-passwords or other flaws,
it'll be attacked sooner or later- if you've done your job, then flaws
won't be exploitable and the name doesn't matter- if you've done a poor
implementation or selection job, then all you're doing by hiding is
postponing the inevitable.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@xxxxxxxxxxxx which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


