Re: Linux malware attack




On 3/25/2014 10:38, Les Mikesell wrote:
> On Fri, Mar 21, 2014 at 4:18 PM,  <m.roth@xxxxxxxxx> wrote:
>>>
>>> #5 (non-standard port) is very useful.
>>
>> Huh! That's the *only* rationale I've ever heard for security through
>> obscurity that actually makes sense.
>
> It's all obscurity even if you think you can call it something else.

The original term of art has gotten stretched out of its original shape.

"Security through obscurity" originally referred only to practices 
intended to confer security purely through obscurity.  As soon as you 
learn the secret, the security is gone.

Security practitioners started beating "security through obscurity is 
bad" into people's heads, until now people have this knee-jerk reaction 
to *any* obscurity, as though obscurity is bad in and of itself.

Moving Telnet to port 2323 is security through obscurity.  Moving SSH to 
port 2222 is defense in depth, because you still have security after an 
attacker penetrates the obscuration layer.

For another example, think about network switches.  They prevent trivial 
snooping on your neighbor's traffic.  ARP poisoning can defeat this 
security-through-obscurity, but that's no reason for us to all go back 
to dumb hubs.  To the extent that it confers security at all, switched 
Ethernet is one layer in a good layered defense incorporating switches 
*and* subnets *and* VLANs *and* encrypted tunnels.

Still another example: ASLR.  ASLR doesn't prevent buffer overflow 
attacks, it just makes them a lot harder to craft.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos



