Daniel
Premium,MVM
join:2000-06-26
San Francisco, CA

1 edit

reply to Cudni

The Answer is Actually Pretty Simple...

My thoughts are captured in one of the posts you linked to, but I'll give a short summary here.

Obscurity is only bad for security if it's used as the only, or the primary, layer. In other words, if you secure something first, using your normal measures, and then you add obscurity as a layer on top of it, you can gain additional security.

Anyone who doubts this should take note of the fact that the Army applies camouflage to its M-1 tanks despite the fact that they are fitted with the world's best reactive armor. In short, a secure target that's not being hit is better than a secure target that is being hit.

This applies to the information security world just as it does on the battlefield. A good example of this that's often discussed is whether or not it raises your security level to put your SSH daemon on another port. People who are against "obscurity" claim that it can't possibly help since "obscurity" is always bad.

I did some testing on this a while back and over a weekend I logged over 18,000 hits to port 22 on my server, and logged five (5) hits to port 24 during that same time period. Five.

Keep in mind that none of those were legitimate connections. They were all scanners, probably with a few misconfigurations thrown in, but mostly malware. Now imagine a zero-day exploit to SSH. Think of who's more likely to be hit by such an attack. Someone running on port 22 or someone running on port 24?

However you want to cut things, that's security. It's exactly the same as not being hit by an anti-tank weapon on the battlefield because you were a less obvious target due to camouflage. It doesn't mean you remove your armor (that would be security BY obscurity), but it does mean you should recognize the advantages of not being so easily targeted.

Remember, the key is that without the camouflage both tanks (SSH daemons) have equal security. So the one that benefits from obscurity has a distinct advantage.

Obscurity as the foundation of Security = Bad
Obscurity in addition to Security = Good
--
dmiessler.com -- grep understanding knowledge
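
Added example, not part of the original post and not the poster's own tooling: one way to repeat the port 22 versus port 24 comparison from firewall logs, counting new inbound TCP connection attempts (SYN set, ACK clear) and distinct sources per port. It assumes log lines in the netfilter LOG target's key=value format; the function names and the abbreviated sample lines are constructed for illustration.

```python
import re

# Constructed sample lines in the netfilter LOG key=value format (abbreviated);
# addresses come from the RFC 5737 documentation ranges. Not data from the post.
SAMPLE_LOG = """\
May 26 03:14:07 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22 RES=0x00 SYN URGP=0
May 26 03:14:09 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51240 DPT=22 RES=0x00 SYN URGP=0
May 26 03:20:41 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40022 DPT=22 RES=0x00 SYN URGP=0
May 26 04:02:13 host kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=33111 DPT=24 RES=0x00 SYN URGP=0
May 26 04:02:14 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51240 DPT=22 RES=0x00 ACK PSH URGP=0
May 26 04:10:00 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=22 LEN=40
May 26 04:15:00 host sshd[411]: Server listening on 0.0.0.0 port 24.
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Return (fields, flags) for a packet record, or None for any other line."""
    fields = dict(FIELD.findall(line))
    if "SRC" not in fields or "DPT" not in fields:
        return None
    flags = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields, flags


def tally_probes(lines, ports=(22, 24)):
    """Count new TCP connection attempts and distinct sources per watched port."""
    stats = {p: {"hits": 0, "sources": set()} for p in ports}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        fields, flags = parsed
        if fields.get("PROTO") != "TCP" or not fields["DPT"].isdigit():
            continue
        # Only count connection openers; packets of established sessions carry ACK.
        if "SYN" not in flags or "ACK" in flags:
            continue
        port = int(fields["DPT"])
        if port in stats:
            stats[port]["hits"] += 1
            stats[port]["sources"].add(fields["SRC"])
    return stats


def summarize(stats):
    """Reduce the tally to {port: (hits, distinct_sources)}."""
    return {p: (s["hits"], len(s["sources"])) for p, s in stats.items()}


if __name__ == "__main__":
    print(summarize(tally_probes(SAMPLE_LOG.splitlines())))
```

Counting distinct sources alongside raw hits separates a single noisy scanner from broad background scanning, which raw hit totals alone do not show.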
