RE: Comments on: draft-ietf-opsec-infrastructure-security-01
On Wed, 11 Apr 2007, Darrel Lewis (darlewis) wrote:
Warren Kumari wrote:
Hi,
Thank you for writing this -- I feel that having this
published would go a long way towards helping people secure
their infrastructure -- all too often operators are not really
aware of the importance of this, or, if they are, are not
sure where to begin.
[..snip..]
6.5. Further obfuscation
"Should they find access to the infrastructure equipment in
some way." -- fragmented sentence.
Possibly it is just me, but I feel that this is very much
security through obscurity and is more likely to give a false
sense of security than actually prevent exploits -- I also do
not know of anyone who does this (although I suspect that
they wouldn't advertise it if they did), so I do not think it
sounds as a Best Current Practice.
I tend to agree with you here. I'll defer to my co-authors working in
providers who suggested this section to see what they think. James?
Peter?
Thanks for picking up on that sentence fragment. The word "Should" should not
be capitalized there.
The section, called "further obfuscation", is **exactly** security through
obscurity. It offers a strategy of hiding services that can foil automated
tools (e.g., worms) from attacking weaknesses in those services. I think that
by using explicit warning language like "...not protect you from..." and
"...this does nothing to restrict..." the point is clear. Like the rest of
section 6 -- in fact the whole document -- this paragraph only exists to be
food for thought as operators plan strategies to make their networks safer.
That said, I would agree with you that it is not widely employed and it might
be a semantic stretch to say that it is a best current practice.
I'll note that this section was added after comments by an early reviewer.
Thanks again for the detailed comments, it is very much appreciated!
-D
Yes! Very appreciated.
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
--gill | Tatu Ylonen, SSH 1.2.12 README: "Beware that the most effective
| way for someone to decrypt your data may be with a rubber hose."