North American Network Operators Group


Re: TCP-ACK vulnerability (was RE: SSH on the router)

  • From: Christopher L. Morrow
  • Date: Thu Jun 10 13:20:32 2004

On Thu, 10 Jun 2004, joshua sahala wrote:

> On (10/06/04 15:26), Christopher L. Morrow wrote:
> >
> > dns is your friend here :( People love to name things such that they are
> > easy to remember. cat5500.floor2.build3.you.com
> >
>
> only if the dns/security/network/whatever admins are stupid enough to

s/stupid/careless/ || s/stupid/unknowing/ || s/stupid/<pick your favorite
reason why users do dumb things>/

> let that zone be queried on their public facing dns servers.  bind
> allows for the filtering of queries, so your noc/engineering/etc address
> blocks can query that zone (if it requires that there is an external dns
> server for that zone).  granted this is only obscuring things a bit, it

right, and as Sean pointed out to ... Alexei earlier: "Worms do this for
you" (maybe he said port scanners/banner-grabbers) point being obscurity
isn't really buying you anything :(

> isn't really all that different than having a (semi-)separate management
> network.
> if you don't have it set up like this, or don't know how, then buy
> dns/bind (or an equivalent book) and/or hire someone who does.

Sure, you know this, I know this, Sean knows this and apparently Alexei
knows this (other present company of list included probably as well) but
Joe SOHO Networker doesn't necessarily know this, nor does his corporate
'security/secretary' person know this :( (or even have the power to change
it most times).  So, yes, if you think ahead, plan for the worst and make
security part of your initial design you are ok. What percentage does
this? I'd bet less than the AV/Upgrade percentages :(

-Chris
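The BIND query filtering Joshua refers to above, as an added example that is not part of the original post or thread: a BIND 9 named.conf excerpt that uses an ACL and two views so the zone carrying descriptive infrastructure names is only answered for the NOC/engineering address blocks, while everyone else gets a separate, minimal copy of the zone. The ACL name, the address blocks (RFC 5737 test ranges), the zone name and the zone file names are all placeholders chosen for the example.

```conf
// Added example, not from the NANOG post. BIND 9 named.conf excerpt.
// All addresses, zone names and file names below are hypothetical.

acl "noc-nets" {
    192.0.2.0/24;        // NOC address block (placeholder)
    198.51.100.0/24;     // engineering address block (placeholder)
    localhost;
};

// Weak setting: a single unfiltered zone. Anyone who can reach this
// server can resolve cat5500.floor2.build3.you.com and learn what the
// box is. (Commented out; once views are used, zones must live in a view.)
//
// zone "you.com" {
//     type master;
//     file "you.com.zone";
// };

// Corrected setting: the descriptive names exist only in the internal
// view, which is matched (and queryable) solely from the NOC/engineering
// address blocks.
view "internal" {
    match-clients { "noc-nets"; };
    allow-query { "noc-nets"; };
    allow-transfer { "noc-nets"; };
    recursion yes;
    zone "you.com" {
        type master;
        file "you.com.internal.zone";   // contains the cat5500.floor2.build3 names
    };
};

// Everyone else sees a public zone file that holds only the records the
// outside world needs (www, mx, ns) and cannot transfer it or recurse.
view "external" {
    match-clients { any; };
    allow-query { any; };
    allow-transfer { none; };
    recursion no;
    zone "you.com" {
        type master;
        file "you.com.external.zone";   // public records only
    };
};
```

To check it, query the server from an address outside the ACL (for example `dig @ns1.you.com cat5500.floor2.build3.you.com A`): the answer should be NXDOMAIN from the external zone file rather than the address, and `dig @ns1.you.com you.com AXFR` should be refused. Two caveats a practitioner would want: the reverse (in-addr.arpa) zones for the management addresses need the same split, or a traceroute PTR lookup hands out the same descriptive name; and, as the thread itself says, this only removes one easy lookup, since a port scan or banner grab still identifies the device.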