Re: OS Detection Question

[Cameron Palmer <palmer74 () pacbell net>]

I must say I agree with the argument security by obscurity is no security at
all.  If the firewall is set up correctly any packets that don't belong
(inbound TCP, ICMP, etc)  should all be set to drop.  Don't reply to
anything that wasn't already established by a connection from the inside.
Stateful inspection is the key.  I certainly would not like OS masking, I
think it is crap protection, kinda like using identd.  Finally, the least of
your problems is the person that knows nothing about your systems, because
most attacks come from inside.

Moreover, the problem with obscuring information as a form of protection,
(passwords are an authentication method not the same) is that they give you
a false sense of security.  You'll list off your security measures and say
we're lying about the OS type, and how is it your OS masking hasn't
introduced a new problem.  Face it, most Firewall/System Administrators have
been doing this for years and know how to harden a system and shut off any
troublesome features of an OS.  SANS puts out some good OS hardening
cookbooks you might enjoy, also O'Reilly has several books on the subject.

Cameron.

> From: "Mr. Man" <mrman () darkside org>
> Date: Thu, 04 May 2000 12:45:02 -0500 (CDT)
> To: Saint skullY the Dazed <skully () straw drpepper org>
> Cc: John Turner <john () diamondstar net>, nmap-hackers () insecure org
> Subject: Re: OS Detection Question
>
> On Wed, 3 May 2000, Saint skullY the Dazed wrote:
>
> > There are patches to do this. My question is *WHY*. Why do you want to
> > mask your OS? It will provide you no extra protection. If someone wants
> > to get into your machine, having the nmap -O show up with a different OS
> > or not matching an OS is not going to fool them for long. Why not instead
> > apply your time and effort into actually securing the box, instead of
> > just obscuring it. Security through obscurity is not an effective security
> > measure (For long).
>
> While the security through obscurity argument is normally an appropriate
> one, it's somewhat bullshit in the context you are using it in here.  I
> can think of several reasons why masking information, like the OS on a
> machine, wouldn't be a bad part of ones security policy.  I'm sure your
> root password is obscured, right?  What about your firewall policies?
> What about the accounts on your machines?  Obscurity does have a place in
> security, even if more work by an attacker would provide the information
> needed.  If you increase the amount of work an intruder has to go through
> before he knows for sure what he's up against, you increase the amount of
> time it takes for him to gather information, and possibly even have a
> better chance of catching him before he does anything if he triggers a few
> alarms in his/her gathering process.
>
> Maybe Mr. Turner is asking because of a firewall that will have no ports
> open to the outside.  Masking/blocking OS detection/fingerprinting would
> make it very hard for an intruder to figure out what type of firewall it
> was, and would mean he/she'd have to try every trick in the book to get
> past it instead of saying "Ok, this is a Linux firewall running IPChains
> and I can get past it by doing this..."
>
> It's when obscurity (like your password hash being a simple XOR
> instead of something more secure like MD5, blowfish, etc.) is your only
> form of security that it's a Bad Thing(tm).
>
> And the answer to '*WHY*' is the same reasons we hackers do what we do...
> We do it because we can, and someone told us it either can't be done or
> isn't a good idea.
>
> > At the very least, close all ports you're not using, check to see if anything
> > you are running has any known vunerabilities, and possibly even stick a
> > firewall box between the machine and the hostile network.
> >
> > -skullY
> __
> joseph
>
>
> --------------------------------------------------
> For help using this (nmap-hackers) mailing list, send a blank email to
> nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).