Well said Jay, I would also add that network scanners, ala NMap or Nessus,
are impartial when it comes to the server naming convention subject: they
just need IP addresses and open ports.

Whether you point these scanners to 192.168.0.1 or mailserver.wanker.foo the
open ports will tell the story!

Kent Freeman
MCSE
Linux Advocate

-----Original Message-----
From: Jay D. Dyson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 06, 2002 4:46 PM
To: Security-Basics List
Subject: Re: Naming Conventions of Servers and Security


-----BEGIN PGP SIGNED MESSAGE-----

On Tue, 5 Feb 2002 [EMAIL PROTECTED] wrote:

> What is the security community's recommendation on naming servers?  Is
> it safe to name a server by the function the server provides?

        There's two vastly opposed views on server nomenclature.  The
first holds that server names must be meaningful to human wetware.  So if
you have a Sun Microsystems SPARC server running SMTP, it should be named
smtp.foo.com or sun-mail.foo.com.  Likewise for a Linux system running DNS
(dns-slack.foo.com or ns.foo.com) and so on.

        Then there's the second camp that holds that no system should bear
a name that describes its function; that such information aids attackers
in mapping your networks for intrusion.  Those people believe you should
name your server something that's only meaningful to you or has no meaning
at all (something like al-8723-bls.foo.com).

        My view lies somewhere in the middle.  I believe there's no sense
in obfuscating server names to the point that you need a cue card to
divine what each is.  That sort of obfuscation is barely a speedbump to an
intruder, but it's an enormous waste of time and energy for valid users to
memorize each idiosyncratic server name.

        Likewise, I think it's a bad idea to spell out everything on your
network to the point that anyone polling your DNS would know exactly what
you have and where.  I personally use a mix of obvious server names
(mail.treachery.net) and names that are meaningful to the user(s), but
only hint at their actual purpose (sasumata.treachery.net).

        Bottom line: security through obscurity isn't.  And the worst part
is that those who rely on obscurity tend to cut corners on more meaningful
security measures in the mistaken belief that no-one will ever divine what
[incomprehensible.gibberish].foo.com is.

        Them's me thoughts.

- -Jay

  (    (                                                          _______
  ))   ))   .--"There's always time for a good cup of coffee"--.   >====<--.
C|~~|C|~~| (>------ Jay D. Dyson -- [EMAIL PROTECTED] ------<) |    = |-'
 `--' `--'  `The armed are citizens.  The unarmed are subjects.'  `------'

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iQCVAwUBPGHAWLlDRyqRQ2a9AQHLBgP/b9MUKOChFqzQASUvzghueiQQ/qHZpyzG
479crEXfY8jWPCjCO9rXFnu0amU4fjCuNUPXfsNJjRSqdy63OlcLpL+Ysa6dP4j1
PahWtxuzppFtLqC3JRhoJYF2p2dhO8PrG8ft7vp+JugVd/D5KhqiEmAfkRB7MyWU
pmvidboIGKM=
=KDBh
-----END PGP SIGNATURE-----
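A defender-side way to look at the point both posters make: a host's own name is only one of several signals in the zone, and records such as MX, NS or a descriptive CNAME identify a "meaningless" name's role anyway. The script below is an added example, not part of the thread; it audits a small, constructed zone (the hostnames, the example.com apex and the list of function words are all assumptions made for the example) and reports, per host, how the zone gives its function away.

```python
import re

# Constructed sample zone as (owner, type, rdata) tuples; names are invented
# for this example and mirror the naming styles discussed in the thread.
SAMPLE_ZONE = [
    ("mail.example.com.", "A", "192.0.2.10"),
    ("ns.example.com.", "A", "192.0.2.2"),
    ("sun-mail.example.com.", "A", "192.0.2.11"),
    ("al-8723-bls.example.com.", "A", "192.0.2.20"),
    ("example.com.", "MX", "10 al-8723-bls.example.com."),
    ("example.com.", "NS", "ns.example.com."),
    ("sasumata.example.com.", "A", "192.0.2.30"),
    ("www.example.com.", "CNAME", "sasumata.example.com."),
]

# Words that spell out a host's role. This list is an assumption for the
# example; a real audit would carry the organisation's own vocabulary.
FUNCTION_WORDS = {"mail", "smtp", "dns", "ns", "sql", "db", "vpn", "ldap",
                  "dc", "fw", "proxy", "backup", "www", "ftp"}


def host_labels(name):
    """Split a (possibly fully qualified) name into lower-case labels."""
    return name.rstrip(".").lower().split(".")


def relative_labels(name, apex):
    """Labels of `name` below the zone apex, e.g. ['sun-mail'] for sun-mail.example.com."""
    labels, apex_labels = host_labels(name), host_labels(apex)
    if labels[-len(apex_labels):] == apex_labels:
        return labels[:-len(apex_labels)]
    return labels


def descriptive_words(name, apex):
    """Return the function words found in the host part of a name.

    Labels are split on '-' and '_' and trailing digits are stripped, so that
    'sun-mail' and 'ns2' are recognised while 'al-8723-bls' is not.
    """
    found = []
    for label in relative_labels(name, apex):
        for part in re.split(r"[-_]", label):
            word = re.sub(r"\d+$", "", part)
            if word in FUNCTION_WORDS:
                found.append(word)
    return found


def audit_zone(zone, apex):
    """Map each host to the ways the zone reveals its function.

    'name:<word>'  the host's own name spells out its role
    'mx-target'    an MX record points at it: a mail exchanger whatever its name
    'ns-target'    an NS record points at it: a name server whatever its name
    'alias:<name>' a descriptive CNAME points at it
    """
    findings = {}

    def add(host, tag):
        findings.setdefault(host.rstrip(".").lower(), set()).add(tag)

    for owner, rtype, rdata in zone:
        for word in descriptive_words(owner, apex):
            add(owner, f"name:{word}")
        if rtype == "MX":
            add(rdata.split()[-1], "mx-target")   # rdata is "<pref> <exchange>"
        elif rtype == "NS":
            add(rdata, "ns-target")
        elif rtype == "CNAME" and descriptive_words(owner, apex):
            add(rdata, f"alias:{host_labels(owner)[0]}")
    return findings


if __name__ == "__main__":
    for host, tags in sorted(audit_zone(SAMPLE_ZONE, "example.com").items()):
        print(f"{host:28} {', '.join(sorted(tags))}")
```

Run against the sample zone, `al-8723-bls.example.com` is reported as `mx-target` and `sasumata.example.com` as `alias:www`, even though neither name says anything: the records that make the hosts reachable are what identify them, which is the reason the opaque name buys so little.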

