24

I've been told in the past that you should never give out the host names of computers on your network. I can't think of any reason why this would be the case.

Could someone tell me if they should be considered sensitive information and if so, why?

Jake Nelson
  • 345
  • 3
  • 8
  • 1
    possible duplicate of [Would publishing a network diagram make the network less secure?](http://security.stackexchange.com/questions/24940/would-publishing-a-network-diagram-make-the-network-less-secure) –  Oct 04 '13 at 02:08

3 Answers3

18

Two reasons I can think of:

  • Attackers will know which servers are more valuable to attack. e.g. TEST_BOX_04 vs DB_BACKUP_02
  • Attackers will have better idea of the topology of your network: How many servers you have; which other servers probably exist because semantic implication (host03 implies host01 and host02); what style of application stack you have (eg. web_app_server implies 3-tier; cloud_proxy may imply 4-tier); and which company assets are being allocated dynamic vs static IPs (valuable assets tend to have static IPs)
LateralFractal
  • 5,143
  • 18
  • 41
  • can you explain the common practice of publishing username@hostname in public keys? https://security.stackexchange.com/questions/50880/should-i-publish-my-public-ssh-key-with-userhostname-at-the-end – lofidevops Feb 17 '14 at 17:05
  • 2
    The comment convention of `username@hostname` in SSH public keys is used to organise multiple keys in an clear-cut fashion. The usual trade-off of _security vs convenience_; as strictly speaking this public key convention does reveal internal network topology and which staff to social engineer. Providing your wallet software doesn't rely on this convention (some may), an alternative would be a context-free description like you might use in conversation with a visitor. e.g. _"Access to auditing on database server"_ – LateralFractal Mar 06 '14 at 06:20
9

Firstly, it would be nice to define "give out". Not publish on external web sites? Internal web sites? Not put internal hosts into external DNS? Not create PTR records for? Not create A records for? You're asking a subtle cost-benefit question, and it's important to know the cost as well as the benefit.

The short answer to your question is, the issue people worry about is when:

  1. The hostname provides information that might benefit an attacker
  2. The information is available to potential attackers

When might information benefit an attacker? When it tells them what's attackable on a box. As @LateralFractal points out, "DB" in a hostname makes it more interesting than "DEV" or "TEST". If the attacker has access to (say) port 3306 over the network, then they probably would have figured out it's a DB anyway. On the other hand, if all they can access is port 80/443, and the name of the box is "MYSQLDB01", then that might guide them to the sort of web-based SQL attacks that will work with MySQL in preference to other database servers.

What I'm trying say is that it's a very nuanced judgement. And in my opinion, the practical value of hostnames is usually enough to outweigh most obfuscation or limitation upon functional DNS data. It's more important to help people do valid work than it is to try to discourage attackers who most likely have other methods of performing the same reconnaissance.

Outlook Web Access is a great example. By definition it is commonly exposed to the Internet without IP restrictions, allowing anybody to poke at it. Is there any security added by not to setting up valid forward and reverse DNS records for "owa.example.com" or "webmail.example.com"? No, because anyone who can go to port 443 - which is everyone - is going to get greeted by a welcome page that screams (either visually or with HTTP headers) that it's Outlook Web Access. You don't gain anything by obfuscating or limiting access to the name there.

On the other hand, if I have a server that needs to be on the Internet but I'd prefer not to advertise it ("backend-auth-proxy.example.com"), I'll name it Enterprise. Tardis. Klaatu. The sort of generic geeky system administrator-chosen name that doesn't stand out from the million other boxes like it :) Hide things in plain sight rather than trying to limit access to names.

gowenfawr
  • 71,975
  • 17
  • 161
  • 198
  • "give out" = Handing names to third party companies either in logs or via email for the purposes of troubleshooting software and/or networking issues. I'm not posting them on Google+ or anything. – Jake Nelson Oct 04 '13 at 04:31
  • 1
    I agree. The network topology should be well known within the organisation. Using unique but uninformative hostnames means that unless the entire topology document is leaked, the names shouldn't mean much if anything. I've seen servers named after moons and asteroids for example. – LateralFractal Oct 04 '13 at 04:33
5

In addition to Lateral's answer, you can't guarantee your hostnames wont be used in another unforeseen way. Certain protocols require the correct hostname to work (NTLM, and possibly kerberos). If an attacker doesn't have the IP addresses, an external attacker can use the hostnames to perform attacks. A lot of times web application attacks will get you inside the firewall, but it can be tough to find a listening host, especially if you don't know their addressing scheme.

Alex Lauerman
  • 445
  • 4
  • 8