[33209] in North American Network Operators' Group

Re: RFC1918 addresses to permit in for VPN?

daemon@ATHENA.MIT.EDU (mdevney@teamsphere.com)
Wed Jan 3 15:51:22 2001

Date: Wed, 3 Jan 2001 12:48:46 -0800 (PST)
From: <mdevney@teamsphere.com>
To: nanog@merit.edu
In-Reply-To: <200101030451.XAA08124@elektra.ultra.net>
Message-ID: <Pine.LNX.4.21.0101031245170.29107-100000@core.teamplay.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu




On Tue, 2 Jan 2001, Stephen Griffin wrote:
<snip>
> are trying to make. Security through obscurity is no security at all.

All other points in this monstrous thread aside, this one is wholly
incorrect.  Security through obscurity is nothing to depend on, but every
little bit helps.

Please, by all means, use a firewall, preferably several chained in an
old-fashioned bastion design.  Use access lists - they're your
friend!  Filter your routes, filter all packets not going to a valid
IP/port, hell block ping and traceroute so nobody can map your network,
and of course secure your servers.

But when all that's done -- still don't advertise.  Security through
obscurity helps just that tiny extra bit.  At the very least there will be
fewer logs to pore over, 'cause script kiddies don't know who you are.


