Re: [fw-wiz] DNS Names for external services



Paul D. Robertson wrote:
> On Tue, 13 Apr 2010, Behm, Jeff wrote:
>
> > vpn.companynamehere.com for your employees to access your company's
> > VPN server
> >
> > It's this last one that really begs the question. Should I just as
> > well use the name "attackmehere.companynamehere.com" rather than
> > vpn.companynamehere.com? I searched around on the Internet, but
> > couldn't really find pros and cons...
>
> What's a bigger burden, your support costs or your security costs?
> If your VPN is attackable, because of weak userid-passwords or other
> flaws, it'll be attacked sooner or later - if you've done your job,
> then flaws won't be exploitable and the name doesn't matter - if
> you've done a poor implementation or selection job, then all you're
> doing by hiding is postponing the inevitable.

The cost trade-off I'd look at is the cost of user support at an "obscure" name (probably very low if you configure things for them) vs. the cost of incident monitoring. You'll probably have fewer ankle biters hitting the obscure name. Depending on how much effort you spend investigating failed intrusion attempts, that may or may not be enough of a cost savings to make an obscure name worthwhile.

I agree that there is near zero security difference.

--
Carson

_______________________________________________
firewall-wizards mailing list
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards