Naming Conventions of Servers and Security


From: jwichman@junebox.com
To: security-basics@securityfocus.com
Date: Tue, 5 Feb 2002 10:41:15 -0600 

I have a question about naming conventions.

What is the security community's recommendation on naming servers? Is it
safe to name a server by the function the server provides? We are currently
looking at renaming our entire domain since there are 4 or 5 different
naming conventions currently being used. So far I have been told that
naming a server AABCCC## (where A = Company Division, B = Type of device
[S = Server, N = Network, D = Desktop], C = placement of server [DMZ or PRD
or STG]) is weak security because an attacker would have useful knowledge
about the server. I feel most attackers would perform some recon of the
network and have that information before they went into attack mode anyway.

I realize that it could be easier for an attacker to gain information about
the server, but what about the folks who have to work on the server? If a
server was to go down or be attacked I would rather know immediately from
the name what I could be dealing with or how critical it is to the company
that the server is down.

Please send me your humble opinions.

Thanks

Jeff Wichman