[conspire] Perimeter vs. host-edge security (wqs: MIMO wireless cards cheap at Fry's)

Tony Godshall togo at of.net
Tue Dec 13 02:29:27 PST 2005


According to Rick Moen,
> Quoting Tony Godshall (togo at of.net):
> 
> > I always assume Wifi is insecure.  Iptables shields up and all
> > transfers via ssh.  Machines don't even ping.  And even a little
> > security by obscurity on top of that- sshd on a nonstandard port,
> > unique per host (which is also handy when port-forwarding from the
> > router- ssh to multiple hosts from single ip with a little simple
> > $HOME/.ssh/config magic).

...

> Now, I'm not trying to be critical of your approach, Tony, but just
> wanted to call your attention to a security model that differs
> conceptually from yours.  (You probably have a physical layout with an
> incoming "single IP" chokepoint that lends itself better to perimeter
> security, for one thing.)  

...

Yeah, I just use the one static IP.  I'm not sure the
philosophy differs that much... I just have more layers 
and a single IP addr.  Linux boxes are pretty secure 
without the router/firewall and the iptables, and I 
wouldn't hesitate to run them that way if I had the IP 
addrs to spare.  But I do enjoy tweaking the iptables to 
limit even the nature of the systems inside.

The whole point of running sshd with nonstandard port 
numbers started out as a convenience issue rather than a 
security issue- I wanted to be able to get to dude or sena 
or nib from the road.  But why not add a layer of security
by obscurity on top of the rest- as long as you aren't
counting on it.  Sounds like you are doing a little bit of
the same...

> We _do_ have a few monitoring and detection tricks deployed that we
> don't talk about much, but those are the only exceptions.

Say, have you deployed the tarpit module at all?  Looks 
like an altruistic thing to use on spammer-zombies and
ddos'ers (keeps them from moving onto the next victim).
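The single-IP, port-per-host arrangement described above (router port-forwarding plus `$HOME/.ssh/config` aliases) as an added example; this is not code from the thread or from either poster. The host names dude, sena and nib come from the message; the public IP, LAN addresses, port numbers and WAN interface name are placeholders chosen for the example. The script only prints the `~/.ssh/config` stanzas and the matching router rules, it does not apply them.

```shell
#!/bin/sh
# Added example: one static public IP, one unique sshd port per LAN host,
# DNAT on the router for each port, and ~/.ssh/config aliases so that
# "ssh dude" from the road reaches the right machine.

PUBLIC_IP="203.0.113.10"   # placeholder (TEST-NET-3): the single static IP
WAN_IF="eth0"              # placeholder: the router's WAN interface

# "name:lan_ip:port" triples; each host's sshd listens on its own port,
# and the router forwards that same external port to it (placeholders).
HOSTS="dude:192.168.1.10:2201 sena:192.168.1.11:2202 nib:192.168.1.12:2203"

# Split one "name:lan_ip:port" triple into NAME, LAN_IP and PORT.
split_host() {
    NAME=${1%%:*}
    rest=${1#*:}
    LAN_IP=${rest%%:*}
    PORT=${rest#*:}
}

# ~/.ssh/config stanza for one alias: same HostName for every host,
# only the Port differs.
ssh_config_stanza() {
    printf 'Host %s\n    HostName %s\n    Port %s\n    IdentityFile ~/.ssh/id_ed25519\n\n' \
        "$1" "$PUBLIC_IP" "$2"
}

# Router rules for one host: DNAT the external port to the LAN host's sshd
# and let the forwarded connection through the FORWARD chain.
router_rules() {
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$WAN_IF" "$2" "$1" "$2"
    printf 'iptables -A FORWARD -i %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$WAN_IF" "$1" "$2"
}

# Behind a single IP the external ports must be unique; fail if two hosts
# were given the same one (returns 1 on a clash).
check_unique_ports() {
    dups=$(for h in $HOSTS; do split_host "$h"; echo "$PORT"; done | sort | uniq -d | wc -l)
    [ "$dups" -eq 0 ]
}

gen_ssh_config() {
    for h in $HOSTS; do
        split_host "$h"
        ssh_config_stanza "$NAME" "$PORT"
    done
}

gen_router_rules() {
    for h in $HOSTS; do
        split_host "$h"
        router_rules "$LAN_IP" "$PORT"
    done
}

main() {
    check_unique_ports || { echo "duplicate external port in HOSTS" >&2; return 1; }
    echo "# --- ~/.ssh/config on the laptop ---"
    gen_ssh_config
    echo "# --- rules on the router ---"
    gen_router_rules
}

# Run "sh thisfile.sh run" to print both pieces of configuration.
[ "${1:-}" = "run" ] && main
```

With the stanzas in place, `ssh dude` resolves to the public IP on port 2201 and `ssh nib` to the same IP on port 2203, so the single address carries all three hosts. The port number is the only thing obscurity buys here; the key-based login and the per-host sshd are what actually hold the line, which matches the "as long as you aren't counting on it" caveat in the message.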