Nmap Announce mailing list archives

Re: OS Detection Question


From: "Mr. Man" <mrman () darkside org>
Date: Fri, 5 May 2000 19:36:21 -0500 (CDT)

On Fri, 5 May 2000, Cameron Palmer wrote:

I must say I agree with the argument security by obscurity is no security at
all.  

I'm wondering where I, or anyone else, said it should be the only security
measure you take.  To quote myself, "I can think of several reasons why
masking information, like the OS on a machine, wouldn't be a bad part of
one's security policy."  Part of one's security policy, not the only part of
one's security policy.  Certainly, harden the machine.  Remove things that
aren't needed from inetd.conf,

If the firewall is set up correctly any packets that don't belong
(inbound TCP, ICMP, etc)  should all be set to drop.  Don't reply to
anything that wasn't already established by a connection from the inside.
Stateful inspection is the key.

Use a firewalk-like methodology combined with Nmap and see if you can't
start mapping out what's behind the firewall.  A firewall is not a
panacea, and neither is any one-step solution to security.  That's why a
comprehensive combination of plan and policy is the key.

I certainly would not like OS masking; I think it is crap protection,
kinda like using identd.  Finally, the least of your problems is the
person that knows nothing about your systems, because most attacks come
from inside.

I'd personally say inetd is crappier than OS masking.  And as far as
internal attacks go, I'm sure someone could successfully penetrate a
system given enough time, energy, and resources from the inside just as
they could from the outside.  I'm also confident that in the event they
do compromise a machine, I have enough IDS, auditing, anomaly detection,
and backup systems/equipment in place to detect such things, as well as
doing everything humanly possible to harden the OS to protect against
intrusion.  There are easy things to break into, but those are the
honeypots and that is what they are there for.

Moreover, the problem with obscuring information as a form of protection
(passwords are an authentication method, not the same) is that it gives you
a false sense of security.

Passwords are information.  Make your password a dictionary word or let
someone else know your password and your authentication credentials are
compromised, and so is your account security.  Hence, my reference to
obscurity.  I've broken into machines and networks with nothing more than
physical access to a keyboard and some clueless user's username and
password stuck to the bottom of his keyboard on a post-it note.  And
there is nothing like using an unpassworded guest account remotely to
compromise a system.  Data security, network security, system security,
computer security, or whatever else you want to call it is really just
information security.

You'll list off your security measures and say we're lying about the OS
type, and how is it your OS masking hasn't introduced a new problem?

What problems might it introduce?  So far I've read of none associated
with either the Linux patches, or with dropping packets with odd
combinations of TCP header flags set.  This is not like just turning off
all ICMP and watching path MTU discovery break.

Face it, most Firewall/System Administrators have been doing this for
years and know how to harden a system and shut off any troublesome
features of an OS.

I've found this to be the exception, not the rule.  If it weren't, I
wouldn't enjoy my job so much.

SANS puts out some good OS hardening cookbooks you might enjoy,

Yes, they do, but more people need to use them.  I was a beta tester for
the Solaris hardening script.

Cameron.
__
joseph
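Two of the points argued above are mechanical enough to show in code: a firewall that drops any inbound packet not tied to a connection an inside host opened (stateful inspection), and dropping segments with TCP flag combinations no real stack emits. The following is an added toy model written for this archive page, not code from either poster or from Nmap; the inside prefix, addresses, ports and packet sequence are all constructed, and the flag-combination rules are the usual mask/compare style of bogus-flag filtering rather than any particular product's rule set.

```python
"""
Toy model of two defensive ideas from the thread: (1) a stateful filter that
only lets inbound TCP through when an inside host started the conversation,
and (2) dropping TCP segments whose flag combination no normal stack sends.
Constructed illustration code, not a real firewall and not from the list;
the inside prefix, addresses, ports and sample traffic are made up.
"""
from dataclasses import dataclass

# TCP flag bits as they sit in the low byte of the flags field
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG

# (mask, value expected after masking, label): the classic "mask/compare"
# shape of bogus-flag rules. A legitimate non-SYN, non-RST segment always
# carries ACK, so FIN/PSH/URG without ACK never occur in a real connection.
BOGUS_FLAG_RULES = [
    (ALL_FLAGS, 0,         "null (no flags)"),
    (ALL_FLAGS, ALL_FLAGS, "all flags set"),
    (SYN | FIN, SYN | FIN, "syn+fin"),
    (SYN | RST, SYN | RST, "syn+rst"),
    (FIN | RST, FIN | RST, "fin+rst"),
    (ACK | FIN, FIN,       "fin without ack"),
    (ACK | PSH, PSH,       "psh without ack"),
    (ACK | URG, URG,       "urg without ack"),
]


def flag_anomaly(flags: int):
    """Return a label if `flags` is a combination that never occurs in a
    well-formed TCP exchange, otherwise None."""
    for mask, expected, label in BOGUS_FLAG_RULES:
        if flags & mask == expected:
            return label
    return None


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


class StatefulFilter:
    """Minimal connection tracker for one inside network (constructed)."""

    def __init__(self, inside_prefix: str):
        self.inside_prefix = inside_prefix
        # keys: (inside_ip, inside_port, outside_ip, outside_port)
        self.established = set()

    def _inbound(self, p: Packet) -> bool:
        return not p.src.startswith(self.inside_prefix)

    def _flow_key(self, p: Packet):
        # Normalise both directions of a flow onto the same key
        if self._inbound(p):
            return (p.dst, p.dport, p.src, p.sport)
        return (p.src, p.sport, p.dst, p.dport)

    def decide(self, p: Packet):
        reason = flag_anomaly(p.flags)
        if reason is not None:
            return ("DROP", reason)
        key = self._flow_key(p)
        if self._inbound(p):
            if key not in self.established:
                # Nobody inside asked for this: drop silently, no RST, no ICMP
                return ("DROP", "no matching outbound connection")
            if p.flags & RST:
                self.established.discard(key)
            return ("ACCEPT", "established")
        # Outbound: a new SYN opens state, anything else rides on existing state
        if p.flags & SYN and not p.flags & ACK:
            self.established.add(key)
            return ("ACCEPT", "new outbound connection")
        if key in self.established:
            if p.flags & RST:
                self.established.discard(key)
            return ("ACCEPT", "established")
        return ("DROP", "outbound segment with no connection")


def run_filter(packets, inside_prefix="10.0.0."):
    """Run a packet sequence through a fresh filter; returns one verdict per packet."""
    fw = StatefulFilter(inside_prefix)
    return [fw.decide(p) for p in packets]


# Constructed traffic: one legitimate web connection from inside, then a
# series of unsolicited inbound segments against an inside SSH port.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 40000, "203.0.113.7", 80, SYN),             # inside opens a web connection
    Packet("203.0.113.7", 80, "10.0.0.5", 40000, SYN | ACK),       # server's handshake reply
    Packet("203.0.113.7", 80, "10.0.0.5", 40000, ACK),             # later ack on that flow
    Packet("198.51.100.9", 5555, "10.0.0.5", 22, SYN),             # unsolicited inbound SYN
    Packet("198.51.100.9", 5555, "10.0.0.5", 22, ACK),             # bare ACK a stateless "established" rule would pass
    Packet("198.51.100.9", 5555, "10.0.0.5", 22, 0),               # no flags at all
    Packet("198.51.100.9", 5555, "10.0.0.5", 22, FIN | PSH | URG), # FIN/PSH/URG with no ACK
    Packet("198.51.100.9", 5555, "10.0.0.5", 22, SYN | FIN),       # contradictory SYN+FIN
]

if __name__ == "__main__":
    for p, (verdict, why) in zip(SAMPLE_PACKETS, run_filter(SAMPLE_PACKETS)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} flags=0x{p.flags:02x}  {verdict:6} {why}")
```

The fifth sample packet is the one worth noticing: a stateless rule that accepts anything with ACK set (a common shortcut for "established") would let it through, whereas the connection table rejects it because no inside host ever opened that flow. The bogus-flag check runs before the state lookup so that malformed segments are dropped regardless of whether they happen to match a known connection.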