> On Jan 6, 2011, at 12:54 PM, Joe Greco wrote:
>
>> Generally speaking, security professionals prefer for there to be more roadblocks rather than fewer.
>
> The soi-disant security 'professionals' who espouse layering unnecessary multiple, inefficient, illogical, and iatrogenic roadblocks in preference to expending the time and effort to learn enough about *actual* security (in contrast to security theater) to Do Things Right The First Time, aren't worthy of the title and ought to be ignored, IMHO.
>
>> If it is, and the address becomes virtually impossible to find, then we've just defeated an attack, and it's hard to see that as anything but positive.
>
> If we had some cheese, we could make a ham-and-cheese sandwich, if we had some ham.
>
> ;>
>
> We must face up to the reality that the endpoint *will be found*, irrespective of the relative sparseness or density of the addressing plan. It will be found via DNS, via narrowing the search scope via examining routing advertisements, via narrowing the search scope via perusing whois, via the attackers simply throwing more of their near-infinite scanning resources (i.e., bots) at these dramatically-reduced search scopes.
>
> So, the endpoint will be found, no attack will be prevented, and we end up a) wasting wide swathes of address space for no good reason whilst b) making the routing/switching infrastructure elements far more vulnerable to DoS by turning them into sinkholes.
That's, simply put, a poor argument. And here's why.

There are numerous parallels between physical and electronic security. Let's just concede that for a moment. You put up a screen door. I've got a knife. You put up a wood door. I've got steel toed boots. You put up a metal door. I've got a crowbar. You put up a bank vault door. I (can find someone who can get) explosives. The thing is, it may not make a whole heck of a lot of sense to put a screen door on a bank's vault, or a vault door on your front screen porch.

Even so, while you can increase the strength of a particular countermeasure, maybe it isn't smart to rely entirely on that one countermeasure, or even two or three countermeasures. A bank may have an armed guard, a silent alarm, video surveillance, bulletproof glass, dye packs in the tills, cash in a timelocked vault, and all sorts of other countermeasures to address specific areas of threat. Not all countermeasures are going to be effective against every threat, and there is no requirement that only one countermeasure be applied towards a given threat.

Further, there's no guarantee that the countermeasures are going to be properly installed or appropriate to the task - which seems to be your objection to "soi-disant security 'professionals'" - but on the other hand, in many cases, they *are* properly installed and well considered.

To say that "the endpoint *will be found*" is a truism, in the same way that a bank *will* be robbed. You're not trying to guarantee that it will never happen. You're trying to *deter* the bad guys. You want the bad guy to go across the street to the less-well-defended bank across the street. You can't be sure that they'll do that. Someone who has it out for you and your bank will rob your bank (or end up in jail or dead or whatever). But you can scare off the guy who's just looking to score a few thousand in easy cash.

Making it harder to scan a network *can* and *does* deter certain classes of attacks. That it doesn't prevent every attack isn't a compelling proof that it doesn't prevent some, and I have to call what you said a poor argument for that reason.

... JG

-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
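Added example, not part of the thread and not code from either poster: the sinkhole point in the quoted reply (a scan of a sparsely populated prefix makes the last-hop router do neighbor-discovery work for addresses nobody answers on) is also what makes such a scan visible to the operator. The script below assumes a constructed flow log in a simple `key=value` format, a monitored prefix of 2001:db8:1::/64 and three live hosts in it (all constructed values); it counts, per source, how many distinct unused ("dark") destinations inside the prefix were touched and flags sources above a threshold. Those dark-destination counts are the same thing the thread describes as router load, so the detector doubles as a rough measure of the sinkhole effect.

```python
"""Flag sources scanning unused addresses inside a sparsely populated IPv6 prefix.

Constructed example for illustration; the flow lines, prefix and host list
below are made up and would come from NetFlow/IPFIX export in practice.
"""
import ipaddress
from collections import defaultdict

# Constructed: the prefix we announce and the handful of addresses actually in use.
MONITORED_PREFIX = ipaddress.ip_network("2001:db8:1::/64")
LIVE_HOSTS = frozenset(
    ipaddress.ip_address(a) for a in ("2001:db8:1::1", "2001:db8:1::53", "2001:db8:1::80")
)

# Constructed flow records. 2001:db8:7::10 talks to real services (plus one typo);
# 2001:db8:9::beef walks sequential addresses; 2001:db8:5::1 is outside the prefix.
SAMPLE_FLOWS = """\
src=2001:db8:7::10 dst=2001:db8:1::1 dport=443
src=2001:db8:7::10 dst=2001:db8:1::53 dport=53
src=2001:db8:7::10 dst=2001:db8:1::80 dport=80
src=2001:db8:7::10 dst=2001:db8:1::8 dport=80
src=2001:db8:9::beef dst=2001:db8:1::1 dport=22
src=2001:db8:9::beef dst=2001:db8:1::2 dport=22
src=2001:db8:9::beef dst=2001:db8:1::3 dport=22
src=2001:db8:9::beef dst=2001:db8:1::4 dport=22
src=2001:db8:9::beef dst=2001:db8:1::5 dport=22
src=2001:db8:9::beef dst=2001:db8:1::6 dport=22
src=2001:db8:9::beef dst=2001:db8:1::2 dport=80
src=2001:db8:5::1 dst=2001:db8:2::1 dport=443
"""


def parse_flow(line):
    """Parse one 'src=... dst=... dport=...' record into typed fields."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return (
        ipaddress.ip_address(fields["src"]),
        ipaddress.ip_address(fields["dst"]),
        int(fields["dport"]),
    )


def summarize(flow_text, prefix=MONITORED_PREFIX, live_hosts=LIVE_HOSTS):
    """Per source, count distinct live and distinct dark destinations inside the prefix.

    Every distinct dark destination is one address the last-hop router had to
    solicit a neighbor for without ever getting a reply: the sinkhole cost.
    """
    live = defaultdict(set)
    dark = defaultdict(set)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, _dport = parse_flow(line)
        if dst not in prefix:  # traffic for other prefixes is not our concern here
            continue
        (live if dst in live_hosts else dark)[src].add(dst)
    sources = set(live) | set(dark)
    return {str(s): {"live": len(live[s]), "dark": len(dark[s])} for s in sources}


def flag_scanners(summary, dark_threshold=4):
    """Return sources that touched at least dark_threshold unused addresses."""
    return sorted(src for src, counts in summary.items() if counts["dark"] >= dark_threshold)


if __name__ == "__main__":
    summary = summarize(SAMPLE_FLOWS)
    for src, counts in sorted(summary.items()):
        print(f"{src}: live={counts['live']} dark={counts['dark']}")
    print("flagged:", flag_scanners(summary))
```

The threshold is deliberately a parameter: a single mistyped address (the `::8` hit from 2001:db8:7::10) should not trip an alert, while a source whose dark count climbs with every new flow is behaving exactly as the thread's "throw more bots at the reduced search scope" attacker does. On a real router the same dark-destination count, taken per interface rather than per source, is what to watch when judging how much neighbor-cache pressure a sparse allocation is attracting.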