RE: Concepts: Security and Obscurity
- From: "Craig Wright" <Craig.Wright@xxxxxxxxxx>
- Date: Fri, 13 Apr 2007 05:28:07 +1000
Daniel,
I have to assume that you believe that drop actually hides hosts making scanning firewall rules infeasible? That drop rules act as if there is no host or something? This is a common misconception, but a misconception nonetheless. We investigated this at the ASX when I was working there. We had a VP from Checkpoint and several of their engineers from Israel over with the testing. We did the same thing with Sun's Firewall of the time - Sunscreen - in its so called stealth mode.
First I have to state an assumption of a single firewall in the cases mentioned as I fail to see why adding SPA to a dual layered authenticated system would be adding anything at all other than trouble with users.
In the case of a single firewall layer (as I must state is the norm in use) drop rules do not hide the existence of hosts. The firewall does not respond as a router. When a router is down the upstream routers respond differently. When scanning the responses are different.
Next, the timing of scans varies. In drop rules, services that are allowed but filtered do not respond as those that do not exist, nor do they respond as those which are just blocked. Scanning a firewall with a drop or stealth will allow mapping of the rules. You can get something like:
{Service allowed from unknown range} to {host address 1}
{host address 2} does not exist
Port 80 open on {host 3}
{host address 4} does not exist
{host address 5} exists but has no access
{host address 6} exists but needs auth on port 80
{host address 6} exists but has no access
Maybe I am over thinking this in assuming that there must be more people who can actually scan a firewall and map ports than there are in reality - but it is far from difficult unless the sole level of skill is how to run nmap.
My point is not if the security level has been *diminish*ed but that there is a cost. Having clients use this is an added layer of complexity. This is a cost. Cost without an equivalent gain is a loss - which is my point - and thus not effective. If you are adding the same level of cost - there are REAL controls that may be implemented for a lower real cost. Thus in this manner the equal cost demonstrates a diminishment over what could be achieved for the additional spend.
I only did portknocking yesterday as I was going to do SPA this morning to follow - but have done this response instead and will have to follow with SPA later.
Regards,
Craig
Craig Wright
Manager of Information Systems
Direct +61 2 9286 5497
Craig.Wright@xxxxxxxxxx
BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO Box 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au
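The rule-mapping described in the message above, as an added example that is not part of the original post: a small classifier over the replies a SYN scanner gets back from addresses behind a single filtering firewall. The probe results are constructed, not captured, and the code assumes the ordinary case the post describes, that the last-hop router still emits ICMP host-unreachable for an address with no host on its subnet. The host names and port numbers are placeholders.

```python
"""
Added example (not from the original post): what a scanner can infer from
the replies it gets when probing addresses behind a single filtering firewall.
The probe results below are constructed, not captured. Assumption: the last-hop
router behaves normally and still answers with ICMP host-unreachable for
addresses that have no host on its subnet.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Probe:
    host: str
    port: int
    tcp_reply: Optional[str]               # "SYN/ACK", "RST" or None
    icmp: Optional[Tuple[int, int, str]]   # (type, code, sender) or None
    rtt_ms: Optional[float]                # None if the probe timed out


def classify(p: Probe) -> str:
    """Map one SYN probe's outcome to what it reveals about the target."""
    if p.tcp_reply == "SYN/ACK":
        return "open"
    if p.tcp_reply == "RST":
        # A live host answered; either the port is closed or a REJECT rule
        # sent tcp-reset. Either way the address exists.
        return "exists, port closed or rejected (RST)"
    if p.icmp is not None:
        icmp_type, code, sender = p.icmp
        if icmp_type == 3 and code == 1:
            # Nobody answered the router's ARP for this address.
            return f"no host (host-unreachable from {sender})"
        if icmp_type == 3 and code in (9, 10, 13):
            return f"exists, rejected by filter (admin-prohibited from {sender})"
    # Silence for the whole timeout is itself a signal: the router did not
    # report the address as unreachable, so something holds it and a DROP
    # rule is eating the probe.
    if p.tcp_reply is None and p.icmp is None and p.rtt_ms is None:
        return "exists, DROP rule (silent, full timeout)"
    return "unknown"


def map_rules(probes: List[Probe]) -> Dict[str, List[Tuple[int, str]]]:
    """Group verdicts per host so the filter policy can be read off."""
    out: Dict[str, List[Tuple[int, str]]] = {}
    for p in probes:
        out.setdefault(p.host, []).append((p.port, classify(p)))
    return out


# Constructed observations mirroring the mapping in the post above.
PROBES = [
    Probe("host1", 22, "SYN/ACK", None, 14.0),          # service allowed
    Probe("host2", 22, None, (3, 1, "gw"), 3.0),        # address unused
    Probe("host3", 80, "SYN/ACK", None, 12.0),          # port 80 open
    Probe("host3", 25, None, (3, 13, "fw"), 4.0),       # REJECT rule
    Probe("host4", 80, None, (3, 1, "gw"), 3.0),        # address unused
    Probe("host5", 80, None, None, None),               # DROP rule, host exists
    Probe("host5", 443, None, None, None),
]

if __name__ == "__main__":
    for host, verdicts in map_rules(PROBES).items():
        for port, verdict in verdicts:
            print(f"{host}:{port:<4} {verdict}")
```

Only the "no host" versus "DROP rule" distinction rests on the router's unreachables; if those are suppressed as well, a dropped probe and an unused address both look like silence, and the scanner falls back to timing and to the application-layer differences the post lists (for example a service that answers but demands authentication).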
________________________________
From: Daniel Miessler [mailto:daniel@xxxxxxxxxxxxx]
Sent: Fri 13/04/2007 4:38 AM
To: Craig Wright
Cc: krymson@xxxxxxxxx; security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Concepts: Security and Obscurity
On Apr 12, 2007, at 2:34 AM, Craig Wright wrote:
> Port knocking has the issue that it is not completely silent as is
> presumed. Most routers are not set to stop sending ICMP, TCP etc
> responses to other routers. In fact to do so is a violation of the
> internet standards. As such, information on ports is often available
> from the network infrastructure. Drop on firewalls does not stop an
> attacker finding what ports are running - it just means that they have
> to be a little more creative.
More creative? Ok, let's try it this way:
1. You send me a SYN to a given port
2. I send you an RST/ACK for that port (or I don't answer at all)
Either way, what now? So what if you can ping the firewall? We're
talking about ACLs here. An ACL saying traffic gets dropped or
rejected to port X. So unless you have some revolutionary way to
simply bypass firewall ACLs, you're basking in the darkness of
futility here, my friend.
> Systems that ONLY drop packets stand out. They are not "stealthy" but
> rather the hole they make makes them extremely visible.
Huh ?!?
Kind of like the hole caused by systems that aren't online? LOL. So I
guess all those systems that don't exist are being put on a master
hacker list somewhere to be investigated later? Dude, you're
frightening me.
> In port knocking the control is not highly effective, to take a quote:
> In 'Critique of Port Knocking', Arvind Narayanan states:
> "Suppose you decide on a list of 32 valid ports (the current
> implementation allows up to 256). How long does the port knock sequence
> need to be? You might think that since each port is a 16-bit integer,
> you need 8 knocks, so that you get 8*16 bits or 128 bits of security
> (virtually unbreakable). But since each port has only 32 possible
> values (5 bits), what you actually get is only 8*5=40 bits of security
> (trivially breakable)!"
Portknocking isn't the point; I mentioned SPA as another alternative,
as the technology doesn't matter much. The point is that adding
obscurity ON TOP of solid security doesn't *diminish* said security.
That's all. Simple point. Nothing fancy. Basic stuff.
(or at least I thought so)
> Applied Cryptography by Bruce Schneier:
> "If I take a letter, lock it in a safe, hide the safe somewhere in New
> York, then tell you to read the letter, that's not security. That's
> obscurity. On the other hand, if I take a letter and lock it in a
> safe, and then give you the safe along with the design specifications
> of the safe and a hundred identical safes with their combinations
> so that you and the world's best safecrackers can study the locking
> mechanism - and you still can't open the safe and read the letter -
> that's security."
Interesting, well what if you let people crack on our "safe" all day
long (e.g. your SSH or VPN software) through OTHER PEOPLE'S SYSTEMS,
but you tuck YOURS behind a firewall that only your users can get
through?
So in other words, you get the benefit of scrutiny by using well-
tested systems, but you don't have the downside of wide-open
exposure. Surely with all your education and credentials you can see
that this is a positive thing.
If I'm wrong here please show me how...
--
Daniel Miessler
E: daniel@xxxxxxxxxxxxx
W: http://dmiessler.com
G: 0xDA6D50EAC
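The two mechanisms argued over in this thread, as an added example that belongs to neither poster: the knock-sequence arithmetic from the Narayanan quote, computed for both the 32-port list and the full 16-bit port space, next to a minimal single packet authorization (SPA) exchange with both the client and server sides. The SPA packet layout (timestamp, nonce, HMAC-SHA256), the 30-second window, the key and the timestamps are all constructed for illustration and are not the wire format of fwknop or any other SPA implementation.

```python
"""
Added example (not from the original posts): the knock-sequence entropy from
the Narayanan quote above, next to a minimal single packet authorization (SPA)
exchange. The SPA format here is a constructed illustration, not fwknop's or
any other tool's wire format. Key and timestamps are constructed.
"""
import hashlib
import hmac
import math
import os
import struct
import time
from typing import Optional, Tuple


def knock_sequence_bits(valid_ports: int, knocks: int) -> float:
    """Bits of secret in a knock sequence drawn from `valid_ports` choices."""
    return knocks * math.log2(valid_ports)


# --- SPA: one datagram = timestamp(8) || nonce(16) || HMAC-SHA256(32) ----
TS_LEN, NONCE_LEN, TAG_LEN = 8, 16, 32


def spa_build(key: bytes, now: Optional[int] = None,
              nonce: Optional[bytes] = None) -> bytes:
    """Client side: authenticate a fresh (timestamp, nonce) pair."""
    now = int(time.time()) if now is None else now
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    body = struct.pack(">Q", now) + nonce
    return body + hmac.new(key, body, hashlib.sha256).digest()


class SpaServer:
    """Server side: verify before any firewall rule is opened; never reply."""

    def __init__(self, key: bytes, window_s: int = 30):
        self.key = key
        self.window_s = window_s
        self.seen = set()  # (timestamp || nonce) bodies already accepted

    def verify(self, pkt: bytes, now: Optional[int] = None) -> Tuple[bool, str]:
        now = int(time.time()) if now is None else now
        if len(pkt) != TS_LEN + NONCE_LEN + TAG_LEN:
            return False, "bad length"
        body, tag = pkt[:-TAG_LEN], pkt[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):   # constant-time compare
            return False, "bad mac"
        ts = struct.unpack(">Q", body[:TS_LEN])[0]
        if abs(now - ts) > self.window_s:
            return False, "stale"
        if body in self.seen:                          # replay of a sniffed packet
            return False, "replay"
        self.seen.add(body)
        return True, "ok"


KEY = b"constructed-demo-key-do-not-reuse"   # constructed; never hard-code a real key

if __name__ == "__main__":
    print(f"32 ports x 8 knocks    = {knock_sequence_bits(32, 8):.0f} bits")
    print(f"65536 ports x 8 knocks = {knock_sequence_bits(65536, 8):.0f} bits")
    srv = SpaServer(KEY)
    pkt = spa_build(KEY)
    print(srv.verify(pkt))   # (True, 'ok')
    print(srv.verify(pkt))   # (False, 'replay')
```

The server answers nothing in any of the failure cases; the only observable effect of a valid packet is whatever firewall rule the caller then inserts, which is where the "silence" of such a scheme actually lives. A sniffed knock sequence can be resent verbatim, whereas a sniffed SPA packet is rejected as a replay and a forged one fails the MAC regardless of how many ports the attacker has enumerated.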