Security Basics mailing list archives
RE: NAT external/Public IP
From: "Nick Vaernhoej" <nick.vaernhoej () capitalcardservices com>
Date: Fri, 9 Nov 2007 13:29:55 -0600
# 1) I dislike discussions on the value of obscurity, because the typical two parties in the discussion are often both correct. Depends on your personal definition of "obscurity". :)

# 2) Correct: obscurity does not affect the security of a device itself.
# An unpatched Windows OS won't become more secure, in and of itself, because you hid it in a closet with no network. The OS is still insecure.

The server will become more secure by being disconnected. This is not obscurity. Obscuring the server would be to hide it in a closet of the most common color, then painting the closet a different color. The server is exactly as secure, but people looking for a regular colored closet might not find it.

# 3) Correct, the risk to a device is affected in a positive way by obscuring it.
# The risk to that Windows system is pretty low because it doesn't even have a network cable attached to it!

Exposure to risk is affected by obscuring it. Not risk itself. The risk of being compromised will depend on your password length or similar.

# 4) This can also be illustrated with our age-old example of putting SSH on an alternate port.
# This won't make the SSH daemon or user passwords any more secure, but you will see a dramatic reduction in the number of logged brute force attempts when it is on an odd port.
# This is of value to many security professionals, and should be labeled a "reduction of risk."
# Sadly, many people still just call this an "increase in security" which gets quickly mistaken.

The way I see it. If you choose a 63 character complex password you can leave the port number alone. However by changing it you will have fewer lines of logfile to review. The risk of actual compromise did not get affected. But the exposure to risk stays maxed if the port is standard.

Nick
