Re: [fw-wiz] DNS Names for external services

Paul D. Robertson wrote:
On Tue, 13 Apr 2010, Behm, Jeff wrote:

for your employees to access your company's VPN server

It's this last one that really begs the question. Should I just as
well use the name "" rather than I searched around on the Internet, but
couldn't really find pros and cons...

What's a bigger burden, your support costs or your security costs?
If your VPN is attackable, because of weak userid-passwords or other
flaws, it'll be attacked sooner or later- if you've done your job,
then flaws won't be exploitable and the name doesn't matter- if
you've done a poor implementation or selection job, then all you're
doing by hiding is postponing the inevitable.

The cost trade-off I'd look at is the cost of user support at an "obscure" name (probably very low if you configure things for them) vs. the cost of incident monitoring. You'll probably have fewer ankle biters hitting the obscure name. Depending on how much effort you spend investigating failed intrusion attempts, that may or may not be enough of a cost savings to make an obscure name worthwhile.

I agree that there is near zero security difference.


firewall-wizards mailing list