
Re: Roger's last comment on changing Port defaults

Subject: Re: Roger's last comment on changing Port defaults
Date: Thu, 20 Jan 2005 23:31:39 -0500
Nice write-up.  It makes sense, analogous to the medieval way of
protecting precious treasures inside castles.  The problem that I
encounter oftentimes with clients is that they would like to conduct
business on standard ports (sometimes not knowing how to configure an
application to do otherwise).  I fall in your 75%, so you can also
call me a 75-percenter; good luck with your doors!!!


On Wed, 19 Jan 2005 16:25:33 -0500, Roger A. Grimes
<roger@banneretcs.com> wrote:
Offline, the mail to me has been 75% in support (including many
enterprise security officers telling me they have been using the idea
for years), 25% think I'm an idiot.  I'm not sure which way I'm leaning.

A lot of the emails have been telling me that my approach of using
non-default ports alone is crazy. I never said it was the only approach.
I said it was an approach that did increase security.  I hoped through
my exercise to prove it, and I did.  I've had three correct guesses now,
out of almost 150,000 scans (which by itself is interesting since there
are 65K TCP ports).  Here are my parting words on the subject; everything
else from me (thankfully, I'm sure) will be off list:

Imagine a house whose outside walls were nothing but doors-after-doors,
wall-to-wall, corner to corner.  Most fake, and only one real one. On a
normal house, thief tries front or back door (or breaks window) to enter
house (or uses some other vector).  He still has to try a key, pick it,
or bust down the correct door when he finds it.  My plan makes it more
difficult to break in...by an additional factor of whatever number of
doors I have.  I still have to lock my real door.  It still has to be
hardened.  But there is a greater than normal chance that I (and my
neighborhood) will notice the thief trying all doors and some other
additional security mechanism kicking in.  Now, many people might not
like the look of my house (25% of my mail), but it doesn't change the
fact that it is slightly more secure for that particular vector of
attack.  And if I've got an intruder (i.e. worm) that ONLY tries the
center front door every time (like 99.99% of attacks), and my real door
is located anywhere else, intruder is not getting in.

Now excuse me while I go move some doors around.

Roger

***************************************************************************
*Roger A. Grimes, Banneret Computer Security, Computer Security Consultant
*CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), CEH, CHFI
*email: roger@banneretcs.com
*cell: 757-615-3355
*Author of Malicious Mobile Code:  Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of Honeypots for Windows (Apress)
*http://www.apress.com/book/bookDisplay.html?bID=281
****************************************************************************




-- 
Yonesy F. Nuñez, ISSAP, ISSMP, CISSP, MCSE, Security+
Failed to plan?...  Then plan to fail!!!
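
An added example, not part of either message in this thread: the quoted argument has two halves that can be checked against a firewall log, namely that a source trying only the default port never reaches a moved service, and that a source trying many doors is noticeable before it finds the real one. The sketch below classifies sources along those lines; the port numbers, thresholds, log format and sample lines are all constructed assumptions.

```python
from collections import defaultdict

# Assumptions, not from the thread: the service was moved from DEFAULT_PORT to
# REAL_PORT, every other port is a closed "fake door", and the firewall logs
# one "epoch_seconds src_ip dst_port" line per attempt, in time order.
DEFAULT_PORT, REAL_PORT = 3389, 47213
WINDOW, THRESHOLD = 60, 5   # 5 distinct closed ports within 60 s marks a scan
# Constructed sample log, not captured traffic.
SAMPLE_LOG = """
100 198.51.100.7 3389
160 198.51.100.7 3389
300 203.0.113.9 21
301 203.0.113.9 22
302 203.0.113.9 23
303 203.0.113.9 25
304 203.0.113.9 80
330 203.0.113.9 47213
400 192.0.2.44 47213
"""

def scan_time(hits):
    """Earliest time at which THRESHOLD distinct closed ports fall in WINDOW."""
    for i, (end_ts, _) in enumerate(hits):
        recent = {p for t, p in hits[:i + 1] if end_ts - t <= WINDOW}
        if len(recent) >= THRESHOLD:
            return end_ts
    return None

def classify(log_text):
    """Map each source address to a verdict string."""
    closed = defaultdict(list)   # src -> [(ts, port)] attempts on fake doors
    first_real = {}              # src -> first time it reached REAL_PORT
    for line in log_text.strip().splitlines():
        ts, src, port = line.split()
        if int(port) == REAL_PORT:
            first_real.setdefault(src, int(ts))
        else:
            closed[src].append((int(ts), int(port)))
    verdicts = {}
    for src in set(closed) | set(first_real):
        flagged = scan_time(sorted(closed[src]))
        if flagged is not None:
            late = src in first_real and first_real[src] < flagged
            verdicts[src] = "scan-detected-late" if late else "scan-detected"
        elif src in first_real:
            verdicts[src] = "reached-real-port"   # client or a lucky guess
        else:   # a few probes only; default-only sources never find the service
            only_default = all(p == DEFAULT_PORT for _, p in closed[src])
            verdicts[src] = "default-only" if only_default else "noise"
    return verdicts
```

A "reached-real-port" verdict cannot tell a legitimate client from a lucky guess, which is why the real door still has to be locked and hardened.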
