QoTW #42: Would publishing a network diagram make the network less secure?

2013-01-25 by . 3 comments

Post to Twitter

I chose this week’s Question of the Week, saber tabatabaee yazdi‘s “Would publishing a network diagram make the network less secure?” because this is a point which seems to be often misunderstood.

Saber asked this question because he had come across various websites designed to let people share their network diagrams and designs in order that others can comment on them and provide guidance and he wondered what the risks would be from this.

As an example, this diagram from www.ratemynetworkdiagram.com provides IP addresses, host names and even descriptions:

AJ Henderson provided the very valid comment that security through obscurity is not security, but admits that any network will have some weaknesses, and avoiding giving this information to a potential attacker is probably advised.

My answer is taken from the experience of managing many hundreds of penetration tests. My take on it is:

having a map helps me target my attack, avoiding possible sensors, honeypots etc and aiming at high value targets or sources of information. This can speed up an attack immensely, reducing the defender’s chance of preventing it.

But the value from these sites is that you can have obvious mistakes pointed out to you – peer review can be a very valuable thing. So how can you do that safely?

To reduce risk, some steps you can take are:
  • remove addresses, function titles etc
  • only include sections of the network
  • post under an anonymous profile
  • include fake network sections

An attacker will still get information, but it hopefully won’t be enough to let them navigate your entire network.

Liked this question of the week? Interested in reading it or adding an answer? See the question in full. Have questions of a security nature of your own? Security expert and want to help others? Come and join us at security.stackexchange.com.


Subscribe to comments with RSS.

  • Richard says:

    would i look at your crappy diagram and use it to break your network?!… no, firstly you haven’t even begun to tell me the stuff I need, software running, firmware versions, os version, no i think me and most of the rest of the hacking community will stick to nmap,

    I am more interested in the software running on your network

    admittedly the target server to DOS, this is a non-publicly facing back end server? So if I want to DOS you I can keep my resource usage to a minimum by targeting that IP, I think this is likely something we would have been able to determine.

    • Mike says:

      You do realize the architecture behind the diagram, correct? It is a virtual environment, so what information would be gained by DoS of the virtual host? If your goal is merely to be a nuisance by bringing down the entire environment, then more power to you. Wouldn’t it make more sense to target a guest VM that actually holds useful information such as the numerous exchange servers or loan domain controller?

  • Shalin says:

    I draw these kinds of network diagrams and I know how important they are to understand network concepts. Its a great article done by you and i’m sharing this right away!