For those of you that think that is simply security via obscurity, I would agree, with the following caveat: forcing the bad guys to scan all 64k ports on a system prior to attacking, to find the ssh port, adds to the time it takes to compromise systems. It buys system owners time to react, potentially preventing compromise. It buys ISPs time to notify compromised customers, and it is fairly noisy.
I personally prefer port knocking scripts to an obscure ssh port, but this is also criticised as just another layer of obscurity. The objection to security through obscurity is an information security mantra, a recent blog post by Eugene Spafford even claims some responsibility for pushing it. Two rather different ideas are being combined under this one header though:
You can't break it because you don't know how it works
This is the one that, rightly, generates all the condemnation. No comments page on a Register article on cracked anything is complete, or even started, without slagging whoever it is off over trusting security to obscurity.
This can lead to the claim that passwords, PINs and private keys are just a special case of security through obscurity, comments pages being the fonts of wisdom that they are. This in spite of the fact that the published, peer reviewed mechanisms that the commenters are saying should have been used end up resting on a secret somewhere along the line. So secrecy and obscurity are not the same thing?
The answer is in the paper that's often claimed to contain the first statement that security should not be through obscurity, an 1883 piece on army cryptography (in French) by Auguste Kerckhoffs. It states that in a well designed cryptographic system the mechanism need not be kept secret, only the key. That makes a clear case with regard to cryptography, but doesn't really solve the issue for the many other areas where the concepts of mechanism/algorithm and key don't exist. Bruce Schneier has a go at generalising the application of the idea in a piece with the obligatory, annoying references to airline security. I don't know whether he wants to make himself seem more relevant to the paranoid security environment or wants to make the issues more accessible and relevant to the public, but I really wish he'd find another source of bloody analogies and examples.
So we have a concept that started with cryptography and applies quite well to cryptography, but needs to be squashed and stretched a bit to apply elsewhere.
You can't attack a target that you don't know is there
This comes in a couple of flavours. What the ISC post was getting at, and what port knocking achieves, is camouflaging services. Critiques of port knocking make much of the fact that it effectively exposes a password to anyone who is sniffing the traffic. The fact that it will defeat many automated scans and brute force attempts is given a passing mention. Considering the size and activity levels of botnets (a phenomenon more recent than the critique), this is now a must-have, not a negligible benefit.
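To make the camouflage concrete, here is a small port-knock gate simulator. It is an added example, not code from this post, the ISC diary, or any real port-knocking daemon: the knock sequence, the time window, the addresses and the packet timings are all constructed for the demonstration. It shows the behaviour the paragraph relies on: a correct, in-order sequence from one source exposes the service to that source for a while, whereas an out-of-order or late sequence does not, and a sequential sweep of every port touches each knock port yet never opens the gate because the wrong ports in between reset the progress.

```python
"""Port-knock gate simulator.

Added example, not code from the post, the ISC diary, or any real
port-knocking daemon. It models the camouflage the post describes: the
guarded service (TCP 22 here) answers a source address only after that
address has hit a secret sequence of closed ports, in order, within a time
window. A wrong or late knock resets progress, which is why a sequential
sweep of all 64k ports touches every knock port yet never opens the gate.
Sequence, ports, addresses and timings are all constructed for the demo.
"""
from dataclasses import dataclass, field

KNOCK_SEQUENCE = (7000, 8000, 9000)  # hypothetical secret sequence
KNOCK_WINDOW = 5.0                   # seconds allowed to complete the sequence
OPEN_FOR = 30.0                      # seconds the service stays reachable afterwards
PROTECTED_PORT = 22


@dataclass
class KnockGate:
    sequence: tuple = KNOCK_SEQUENCE
    window: float = KNOCK_WINDOW
    open_for: float = OPEN_FOR
    # per source: (index of the next expected knock, time the sequence began)
    progress: dict = field(default_factory=dict)
    # per source: time until which the protected port answers
    opened_until: dict = field(default_factory=dict)

    def knock(self, src, port, ts):
        """Register one SYN to a closed port. Returns True if it completed the sequence."""
        idx, started = self.progress.get(src, (0, ts))
        if ts - started > self.window:
            idx, started = 0, ts                 # took too long: start again
        if port == self.sequence[idx]:
            if idx == 0:
                started = ts
            idx += 1
        else:
            # Wrong port: no partial credit. It may itself be a valid first knock.
            idx, started = (1, ts) if port == self.sequence[0] else (0, ts)
        if idx == len(self.sequence):
            self.progress.pop(src, None)
            self.opened_until[src] = ts + self.open_for
            return True
        self.progress[src] = (idx, started)
        return False

    def is_open(self, src, ts):
        """Does the protected service answer this source at time ts?"""
        return self.opened_until.get(src, -1.0) > ts


def run_events(events):
    """Replay (src, port, ts) packets in time order; return sources that reached the service."""
    gate = KnockGate()
    reached = set()
    for src, port, ts in sorted(events, key=lambda e: e[2]):
        if port == PROTECTED_PORT:
            if gate.is_open(src, ts):
                reached.add(src)
        else:
            gate.knock(src, port, ts)
    return reached


# Constructed traffic for the scenarios below (addresses are documentation ranges).
def admin_knock(src="10.0.0.5"):
    # Correct order, well inside the window, then an ssh connection.
    return [(src, 7000, 1.0), (src, 8000, 1.2), (src, 9000, 1.4), (src, 22, 2.0)]


def out_of_order_knock(src="10.0.0.6"):
    return [(src, 7000, 1.0), (src, 9000, 1.2), (src, 8000, 1.4), (src, 22, 2.0)]


def slow_knock(src="10.0.0.7"):
    # Right order, but the third knock lands after the window has closed.
    return [(src, 7000, 1.0), (src, 8000, 2.0), (src, 9000, 7.5), (src, 22, 8.0)]


def sequential_sweep(src="198.51.100.9"):
    # A scanner walking every port in ascending order, 1 ms apart, then trying ssh.
    events = [(src, p, 10.0 + p / 1000.0) for p in range(1, 65536)]
    events.append((src, 22, 80.0))
    return events


if __name__ == "__main__":
    scenarios = [("admin", admin_knock()), ("out of order", out_of_order_knock()),
                 ("slow", slow_knock()), ("full sweep", sequential_sweep())]
    for name, events in scenarios:
        print(f"{name:13s} reached service: {sorted(run_events(events))}")
```

The gate is deliberately strict: a single wrong port discards all progress rather than keeping the matched prefix, which is what makes a linear sweep harmless. What it does not address is the critique in the paragraph above, since any observer who sees the three knocks from the admin host has everything needed to repeat them; the simulator is a model of the camouflage, not a substitute for authentication behind it.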
The huge scale of automated attacks shapes the approach to defence in depth too (while we're touring the hall of information security's sacred cows). Ogres and effective security have layers, like onions - or parfait. Mechanisms like port knocking are the onion sauce on the top of the parfait; they make it look unappealing to the skiddies. Below this we can have the more serious defences, but if the automatons and scripts are getting to the layer that we're logging and analysing, we're going to get overwhelmed and it's going to give serious attackers a lot of noise to hide in. Viewing layered security as dealing with threats of increasing seriousness also reduces the risk of defence in depth giving a false sense of security. Obscure ports, port knocking and a whole raft of similar approaches will keep the masses at bay, allowing us to deal with the more focussed attackers. They won't help against the more focussed attackers though.
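The noise problem in that paragraph can be shown on a log. The following is an added example, not code from the post: it parses constructed netfilter-style drop lines (the addresses, ports and counts are made up) and separates sources that sweep many ports from the few that keep returning to one guarded service, so that the analyst's queue only contains the latter. The thresholds are assumptions chosen for the sample, not recommended values.

```python
"""Separating mass-scanner noise from focused attempts in firewall logs.

Added example, not code from the post. It illustrates the layering point:
if sweeps and script noise are tagged before the logs reach the layer a
human analyses, the few sources concentrating on one service stand out
instead of drowning. The log lines are constructed in a netfilter-like
style; addresses, ports and counts are all made up.
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+)\s.*?\bDPT=(?P<dpt>\d+)")


def constructed_log():
    """Build a constructed log: one wide sweep, one focused ssh hammering, one stray hit."""
    fmt = ("Jan 10 03:00:{sec:02d} gw kernel: DROP IN=eth0 SRC={src} "
           "DST=192.0.2.10 PROTO=TCP DPT={dpt} SYN")
    lines = []
    # Sweep: one source touching ports 1..40 in order.
    for p in range(1, 41):
        lines.append(fmt.format(sec=p % 60, src="203.0.113.7", dpt=p))
    # Focused: one source returning to the ssh port repeatedly.
    for i in range(5):
        lines.append(fmt.format(sec=10 + i, src="198.51.100.4", dpt=22))
    # Background: a single stray connection attempt to https.
    lines.append(fmt.format(sec=30, src="192.0.2.50", dpt=443))
    return "\n".join(lines)


def parse(log_text):
    """Yield (src, dport) for every line carrying SRC= and DPT= fields."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), int(m.group("dpt"))


def triage(log_text, sweep_threshold=20, protected_port=22, focus_min_hits=3):
    """Classify each source as 'sweep', 'focused' or 'other'.

    sweep:   many distinct destination ports, the signature of an automated scan
    focused: few ports but repeated attempts against the protected service
    (thresholds are assumed values for this sample, not recommendations)
    """
    ports_by_src = defaultdict(set)
    hits_on_protected = Counter()
    for src, dport in parse(log_text):
        ports_by_src[src].add(dport)
        if dport == protected_port:
            hits_on_protected[src] += 1
    verdict = {}
    for src, ports in ports_by_src.items():
        if len(ports) >= sweep_threshold:
            verdict[src] = "sweep"
        elif hits_on_protected[src] >= focus_min_hits:
            verdict[src] = "focused"
        else:
            verdict[src] = "other"
    return verdict


def analyst_queue(log_text, **kw):
    """Only the sources worth a human's time: the focused ones, sorted for stable output."""
    return sorted(src for src, v in triage(log_text, **kw).items() if v == "focused")


if __name__ == "__main__":
    log = constructed_log()
    for src, verdict in sorted(triage(log).items()):
        print(f"{src:15s} {verdict}")
    print("for the analyst:", analyst_queue(log))
```

Note the ordering of the tests in triage: the sweep check runs first, so a scanner that happens to brush the protected port during its walk is still filed as noise rather than promoted to the focused queue. That is the same idea as the layers above, with the cheap, high-volume classification done before anything reaches a person.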
The more contentious side of this idea relates to vulnerability disclosure, which is what Spafford's post is about. The issue is broader, covering general refusal to fix vulnerabilities in the hope that they won't be found, but it's the interaction between researchers, vendors, malware authors and the public that really gets the emotions going. There's not really much more to be said here: Do vendors need pushing? Probably. Do researchers jump the gun in publicising? Sometimes. Does involving lawyers help anyone? No.
Security through obscurity is a broad concept; camouflage is a useful, natural defence, but relying on no-one figuring out that you have weak points is unrealistic.