Defining security measures (Was: an anternative to port-knoking using the OpenBSD pf only)

Hi poplix,

A few comments:

Easily perhaps from many internal networks. But it's much more difficult for an attacker to sniff it without access to either the client's network and the server's network.

I think a security layer must fits the anybody needs and cannot fail only because the connecting host is not on a safe location.

All security is based on the environment. All. And business security must be applied according to its environment. The concept of security is to provide protection in order to create the safer haven. Everything we do is relative to that haven, real or artificial. Saying it's not relative to the environment is like, well, like this:

But it is a security layer because it makes a system harder to hack. How is that not a security layer?

It's not easy to define the meaning of security layer. It's not wrong to define a security layer as "anything that increase security" but it's not exactly correct. It's possible to distinguish between a security layer and a security measure: a security layer is a part of a system designed to increase the security; a security measure is any measure we adopt to make our system safer.
Adding a firewall rule that allow access to a trusted ip only is a security measure, the firewall itself is a security layer. I think port-knocking is not a security layer because it plays with an existing security layer, i.e. the firewall.
If you bind sshd on a different port every hour, probably you system is safer, but how can you consider this a security layer? Maybe you can call it a security measure....

This really doesn't make it any clearer to me as a definition. So I'm okay with discussing this. But I don't think it will change the clarity of your argument. A security layer is protection in whole. That layer can be perfect or flawed or even of the wrong fit for security needs.
A layer is something that applies as one to a thing as a whole such as a whole network, a whole system, etc. without changes for sub-groups under that whole. Just by definition:

*2 a* *:* one thickness, course, or fold laid or lying over or under another (

Therefore a security layer doesn't say anything about the type or appropriateness of the protection in place. Just that it's there.

You say blocking one port is a sec measure and a firewall is a layer. I disagree. A firewall is a type of protection solution we associate with managing security at the network level. There are many types of firewalls but are there many types of blocked ports? No, there are many ways within the process of blocking a port from protocol to RFC compliance but it still remains either that port is blocked or not.

If I bind sshd on a different port every hour, that is a type of protection. The protection provided there is a Loss Control called Privacy where the method of message delivery is known only between intended parties. It's used in many technologies, most notably the principle of the RSA tokens changing every minute in sync with the login server. How is that not a security layer?

A security measure?

*1 a *(1) *:* an adequate or due portion

Again, by definition, a security measure would have to refer to the proper type of protection for a thing. Therefore an iron bar cannot be a security measure for an IP network but it can be one for holding a door shut.

Therefore, I conclude port-knocking is a type of protection, under these terms, even a security layer for that server. Is it a security measure? The answer now depends on whether or not port-knocking provides adequate protection for intended operations and environment.


This List Sponsored by: Lancope

"Discover the Security Benefits of Cisco NetFlow"
Learn how Cisco NetFlow enables cost-effective security across distributed enterprise networks. StealthWatch, the veteran Network Behavior Analysis (NBA) and Response solution, leverages Cisco NetFlow to provide scalable, internal network security. Download FREE Whitepaper "Role of Network Behavior Analysis (NBA) and Response Systems in the Enterprise."

Relevant Pages

  • RE: How to find a changing IP on ethernet network
    ... Port Security is a good Cisco feature for a small LAN but when working ... with large networks with roaming users, I would use Port Authentication ... Identity Based Network Security and uses 802.1x at the client ... firewall with virus/spam protection, URL filtering, ...
  • Re: Firewall vs. IPS
    ... protection_ caused by poor access control, ... FREE Network Security Webinar - How to implement IPSec security into VPN appliances ... Join the security experts from SafeNet on August 26 at 1:00 PM, and learn how to successfully integrate IPSec security into VPN processors and appliances to provide powerful yet cost-effective VPN solutions for your customers. ...
  • RE: Retina
    ... Retina is one of if not the best, but it is also one of the ... Network Administrator ... Information Security Manager ... Astaro Security Linux -- firewall with Spam/Virus Protection ...
  • Re: Is IDS/IPS worthless?
    ... What experience I have with network auditing has forced home the idea ... no elephants -- it's easy to say that IDS is worthless when you aren't ... > operations and security is a critical component of IT. ... Astaro Security Linux -- firewall with Spam/Virus Protection ...
  • RE: Is IDS/IPS worthless?
    ... often seen as a pure overhead, adding nothing to the bottom line. ... scenario where the corporate network is infected/attacked with something ... >> operations and security is a critical component of IT. ... Astaro Security Linux -- firewall with Spam/Virus Protection ...