Firewall Wizards mailing list archives

Re: DNS Names for external services


From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 13 Apr 2010 15:19:09 -0400 (EDT)

On Tue, 13 Apr 2010, Behm, Jeff wrote:

Just curious, what are your opinions of the security vs. ease of use trade-offs on putting DNS entries in (vs. making 
people know/use an IP address) for services you expose to the Internet.

I've said this for years, but it bears repeating:  Obscurity reduces the 
incidence of attack, not the success rate.


For example, 

webmail.companynamehere.com for your webmail service

www.companynamehere.com for your web site

The two above are typically common and don't cause me much concern. What about this next one?

vpn.companynamehere.com for your employees to access your company's VPN server

It's this last one that really begs the question. Should I just as well use the name 
"attackmehere.companynamehere.com" rather than vpn.companynamehere.com? I searched around on the Internet, but 
couldn't really find pros and cons...

Just looking for opinions. There are no "right" answers ;-)


What's a bigger burden, your support costs or your security costs?  If 
your VPN is attackable, because of weak userid-passwords or other flaws, 
it'll be attacked sooner or later- if you've done your job, then flaws 
won't be exploitable and the name doesn't matter- if you've done a poor 
implementation or selection job, then all you're doing by hiding is 
postponing the inevitable.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
           Moderator: Firewall-Wizards mailing list
           Art: http://PaulDRobertson.imagekind.com/
