Blocking version information

Bill Larson wllarso at swcp.com
Mon Jun 20 16:05:09 UTC 2005


On Jun 20, 2005, at 9:04 AM, Barry Finkel wrote:

> I would assume that most of the script users would follow path 2),
> as it finds more exploits more quickly than path 1).  If this is
> the case, then why hide the version number if the script users do not
> use that version number?

I completely agree that trying to hide the version information of the 
copy of "named" is futile, but there is one other side.

There are many "security" checks that simply report that the version 
number is available and that this is a "security issue".  Often these 
checks are performed by an outside organization that is being paid for 
by management, and management isn't going to listen to philosophical 
arguments or logic or even facts.  What these consultants say WILL be 
implemented no matter what.

So, this is an argument that I will not take on.  I know that this 
version information will NOT "secure" a system, and in fact it may make 
troubleshooting more difficult, but management says to hide the version 
information and I will do it.  Hiding of version information appears to 
be SOP for the security people and "security" is a magic word.

When discussing this issue with the security people, they are generally 
inflexible.  At best they will admit that this doesn't provide any 
"security" but that this is simply a common security practice.  At 
worst, they will quote someone else saying that this is a "good thing", 
someone else that I completely respect like Cricket Liu in "DNS & BIND" 
(4th edition, pg 313-314), and Rob Thomas in "Secure BIND Template" 
(http://www.cymru.com/Documents/secure-bind-template.html).

All I am saying is that even though I completely agree with you that 
hiding the version number of "named" that is currently running does NOT 
provide any additional security, I will comply with my management 
telling me to hide the version because some "security" person told them 
that this must be done.  It is not worth arguing about.  The idea is 
too deeply entrenched to fight.

Bill Larson
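For readers who want to see what "hiding the version" actually means in BIND, here is an added example (not part of Bill's message, nor taken from the Liu or Thomas references he cites): two named.conf fragments, the default and the version-hiding one. The `version` statement in the `options` block sets the string named returns to the CHAOS-class TXT query for `version.bind`; the directory path and the replacement string are assumed values.

```conf
// Added example, not from the mailing-list post. BIND 9 named.conf fragments.

// 1) Default: with no "version" statement, named answers the CHAOS-class
//    TXT query "version.bind" with the real version of the running binary.
options {
    directory "/var/named";      // assumed path
};

// 2) Hidden: named answers "version.bind" with this string instead.
//    As the thread notes, this changes nothing about which bugs the
//    binary actually has; keeping the installed version patched is what
//    reduces exposure, and the replacement string can make
//    troubleshooting harder.
options {
    directory "/var/named";      // assumed path
    version "not disclosed";     // assumed replacement string
};
```

After reloading named, the setting can be checked from any host with `dig @ns1.example.com CH TXT version.bind` (server name assumed): the TXT answer should carry the configured string rather than a real BIND version. That query is the same one the "security" scanners in the thread use, so it is a quick way to confirm the scanner will stop flagging the server, while remembering that the underlying exposure is still set by the version actually installed.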


