Blocking version information
wllarso at swcp.com
Mon Jun 20 16:05:09 UTC 2005
On Jun 20, 2005, at 9:04 AM, Barry Finkel wrote:
> I would assume that most of the script users would follow path 2),
> as it is finds more exploits more quickly than path 1). If this is
> the case, then why hide the version number if the script users do not
> use that version number?
I completely agree that trying to hid the version information of the
copy of "named" is futile, but there is one other side.
There are many "security" checks that simply report that the version
number is available and that this is a "security issue". Often these
checks are performed by an outside organization that is being paid for
by management, and management isn't going to listen to philosophical
arguments or logic or even facts. What these consultants say WILL be
implemented no matter what.
So, this is an argument that I will not take on. I know that this
version information will NOT "secure" a system, and in fact it may make
troubleshooting more difficult, but management says to hide the version
information and I will do it. Hiding of version information appears to
be SOP for the security people and "security" is a magic word.
When discussing this issue with the security people, they are generally
inflexible. At best they will admit that this doesn't provide any
"security" but that this is simply a common security practice. At
worst, they will quote someone else saying that this is a "good thing",
someone else that I completely respect like Cricket Liu in "DNS & BIND"
(4th edition, pg 313-314), and Rob Thomas in "Secure BIND Template"
All I am saying is that even though I completely agree with you that
hiding the version number of "named" that is currently running does NOT
provide any additional security, I will comply with my management
telling me to hide the version because some "security" person told them
that this must be done. It is not worth arguing about. The idea is
too deeply entrenched to fight.
More information about the bind-users