Network Security Firewalls

RE: Should FW have DNS name?

Subject: RE: Should FW have DNS name?
Date: Wed, 14 Jun 2006 06:04:42 +1000

Hello,

You are having difficulties, as it does not really matter (details in a 
minute). It is an argument based on belief. It is effectively an argument of 
dogma, a religious ideology, and has little if anything to do with fact. 

No person commenting has completed a quantitative risk study of the various 
issues. No tests have been done either way by the people commenting - it is 
pure opinion. I have done such a study in the past. I did not publish it, as 
there was nothing of significance to be said in the paper, nor could there be 
(later in the posting I will explain; it was not the key focus of the 
paper). 

First though, the issue comes down to the FACT that in nearly all firewall 
configurations, the firewall consists primarily of a gateway. The firewall is 
being spoken of as a solitary host and not a series of devices designed to 
filter traffic (as is the definition).

This matters as the attacker will know that there is a gateway. For all the 
stealth rules you care to apply, a gateway is going to be visible. How is 
simple. There are two networks and by definition, these will not be connected 
without a router or proxy device. If the device is open, it is more likely to 
be a standard router. Where there is a hole in the network there is a secured 
router or the firewall gateway (which the router may be a part of).

So with or without traceroute you can map the path to the server that you wish 
to get to. There will either be a complete mapping of all the gateways or there 
will be a hole. If there is a hole then you can send traffic to the gateways on 
either side and monitor the return of ICMP traffic for host/gateway/network 
unavailable. The other routers and gateways will betray you and there is the 
Firewall/gateway that you tried to hide. 

So the question comes down to why are you hiding the gateway? Hiding it will 
reduce the less experienced attacker. It will also increase the length of time 
spent investigating the gateway.

As for the significance, I will say this with data. All tests had been 
completed with alpha = 5% significance (i.e. 95% Confidence Intervals). The 
network was a standard honeypot set up to look like a private banking company.

First to the time spent attacking the firewall and the interest in the 
"hole" where the gateway should have been. The hypothesis was that there is 
no difference from either configuration. The alternative hypothesis being that 
there is a difference and one configuration was better than the other.

Given the t-ratio, we calculated the probability, p=0.1507, which was greater 
than the selected test value. Thus there is no significant difference at the 
alpha = 5% level to state that an attacker will spend longer on average on 
attacking the firewall in either instance. There is some evidence - but it is 
weak.

Next to the issue of overall protection. Again the hypothesis was that there is 
no difference from either configuration. The alternative hypothesis being that 
there is a difference and one configuration was better than the other.

An ANOVA test on the data was run (F=0.0007, df=2, p=0.9993). Not excluding the 
simple attackers and attackers using obvious scripts and taking the entire 
sample from the attacks, there was no evidence to demonstrate that either 
method was better than the other.

Now to simplify, as I know most of the people on the list are not academics, 
mathematicians etc. What this means is that there is no difference. Put a name 
on the server, or don't. Hide the server or don't. It does not matter. 
There is no significant evidence to suggest that any of these old wives' tales 
does anything. 

What does matter is the configuration and maintenance of the firewall. NOTHING 
else matters - it is all just personal opinion and does not survive detailed 
testing. The attacker is only going to spend time on the firewall if they 
believe that they can subvert it. There is some weak evidence that more 
advanced attackers will spend more time if they cannot see the firewall (i.e. 
stealth'd). 

There is no evidence that overall hiding the firewall makes a single iota of 
difference. This takes us to the old "security by obscurity is no security at 
all" maxim.

Regards,

Craig

        -----Original Message----- 
        From: terry white [mailto:twhite@aniota.com] 
        Sent: Sat 10/06/2006 2:33 PM 
        To: firewalls@securityfocus.com 
        Cc: 
        Subject: RE: Should FW have DNS name?
        
        
... ciao:

        on "6-9-2006" "Brandon Harris" writ:
: no sense in helping a hacker

   i am confounded by this thread.  it seems to me that a firewall's
location is implicit in any given topology.  so, i'm hard pressed to see
what, if any, difference it really makes.

   as was noted, using 'hosts' for local administration is, to my mind, an
elegant solution ...
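As an added worked example (not from the thread or its authors): a one-way ANOVA of the kind Craig describes, run over constructed attacker dwell-time samples for three firewall configurations. The group names, the sample values and the alpha are assumptions; the exact tail formula for df1 = 2 is general, and it also reproduces the p = 0.9993 that the post quotes for F = 0.0007 on a large sample.

```python
"""One-way ANOVA: does naming or hiding the gateway change attacker dwell time?

Added example, not the thread's code. Every sample below is constructed
(minutes an attacker spent on the gateway in a honeypot run); the post
reports only F=0.0007, df=2, p=0.9993 and no raw data.
"""
from statistics import mean


def anova_f(groups):
    """Return (F, df_between, df_within) for a one-way ANOVA over k groups."""
    k = len(groups)
    n = sum(len(g) for g in groups)
    grand = mean([x for g in groups for x in g])
    ss_between = sum(len(g) * (mean(g) - grand) ** 2 for g in groups)
    ss_within = sum((x - mean(g)) ** 2 for g in groups for x in g)
    df_between, df_within = k - 1, n - k
    f_stat = (ss_between / df_between) / (ss_within / df_within)
    return f_stat, df_between, df_within


def f_survival_df1_2(f_stat, df2):
    """Exact P(F > f) for an F(2, df2) variable.

    With df1 = 2 the regularised incomplete beta I_z(1, df2/2) equals
    1 - (1 - z)^(df2/2) with z = 2f/(2f + df2), so the upper tail is
    (1 + 2f/df2)^(-df2/2), which tends to exp(-f) as df2 grows.
    Three configurations give df1 = 2, so no special-function library is needed."""
    return (1.0 + 2.0 * f_stat / df2) ** (-df2 / 2.0)


def compare_configurations(groups, alpha=0.05):
    """Test H0 'no configuration differs' at significance level alpha."""
    f_stat, df_between, df_within = anova_f(groups)
    if df_between != 2:
        raise ValueError("closed-form p-value needs exactly three groups")
    p = f_survival_df1_2(f_stat, df_within)
    return {"F": f_stat, "df": (df_between, df_within), "p": p,
            "reject_null": p < alpha}


# Constructed dwell times (minutes); the three groups are similar by design.
NAMED_GATEWAY = [42.0, 55.0, 38.0, 61.0, 47.0, 50.0]
UNNAMED_GATEWAY = [44.0, 53.0, 40.0, 58.0, 49.0, 52.0]
STEALTHED_GATEWAY = [41.0, 57.0, 39.0, 60.0, 46.0, 51.0]
# Constructed contrast: a stealthed gateway that clearly holds attackers longer.
STEALTHED_LONGER = [120.0, 130.0, 125.0, 135.0, 128.0, 122.0]

if __name__ == "__main__":
    r = compare_configurations([NAMED_GATEWAY, UNNAMED_GATEWAY, STEALTHED_GATEWAY])
    print(f"F={r['F']:.4f} df={r['df']} p={r['p']:.4f} reject={r['reject_null']}")
```

Swap in real per-attacker timings from your own honeypot logs to repeat the test; with fewer or more than three configurations, replace the closed-form tail with a general F-distribution survival function.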


