nanog mailing list archives
Re: Update to BCP-38?
From: William Herrin <bill () herrin us>
Date: Tue, 8 Oct 2019 10:03:16 -0700
On Tue, Oct 8, 2019 at 6:51 AM Rich Kulawiec <rsk () gsp org> wrote:
> On Tue, Oct 08, 2019 at 01:35:16PM +0100, Mike Meredith via NANOG wrote:
>> You've ignored step 1 - identifying critical information that needs protecting. It makes sense to protect information that needs protecting and don't lose sleep over information that doesn't need protecting. Not many of us are planning an invasion of a Nazi-infected Europe any time soon.
>
> We are heading toward a restatement of Kerckhoffs's principle/Shannon's maxim, the latter of which can be paraphrased as "design systems assuming that your adversary will know as much about them as you do".

They aren't mutually exclusive concepts. A strong security architecture has multiple layers an adversary must penetrate. No layer has to be sufficient on its own, it just has to reduce vulnerability more than it increases cost.

Limiting the server banner so it doesn't tell an adversary the exact OS-specific binary you're using has a near-zero cost and forces an adversary to expend more effort searching for a vulnerability. It doesn't magically protect you from hacking on its own. As you say, your security must not be breached just because the adversary figures out what version you're running. But viewed as one layer in an overall plan, limiting that information enhances your security at negligible cost. That's security smart.

Regards,
Bill Herrin

--
William Herrin
bill () herrin us
https://bill.herrin.us/