Re: an alternative to port-knocking using the OpenBSD pf only

From: poplix (poplix@papuasia.org)
Date: Mon Feb 27 2006 - 18:09:25 EST


Hi,

> Easily perhaps from many internal networks. But it's much more
> difficult for an attacker to sniff it without access to either the
> client's network and the server's network.

I think a security layer must fit anybody's needs and cannot fail
only because the connecting host is not in a safe location.

>
> But it is a security layer because it makes a system harder to
> hack. How is that not a security layer?

It's not easy to define the meaning of security layer. It's not wrong
to define a security layer as "anything that increases security", but
it's not exactly correct. It's possible to distinguish between a
security layer and a security measure: a security layer is a part of
a system designed to increase the security; a security measure is any
measure we adopt to make our system safer.
Adding a firewall rule that allows access to a trusted IP only is a
security measure; the firewall itself is a security layer. I think
port-knocking is not a security layer because it plays with an
existing security layer, i.e. the firewall.
If you bind sshd on a different port every hour, probably your system
is safer, but how can you consider this a security layer? Maybe you
can call it a security measure....

> Well then it does protect the vault from rain, right? It's still
> protecting.

OK, cellophane protects the vault against rain, but it doesn't
protect its content against thieves....

Maybe we can focus a new discussion on the security layer meaning....
it can be more interesting than port-knocking ;)

cheers
poplix




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:35 EDT