Earlier today on Twitter, Tom Hollingsworth (@networkingnerd) raised the subject of naming conventions. He’s right that having something in the device name that clues you in to where it’s located is really helpful when you’re troubleshooting.
But wait, that’s a form of information disclosure, and some evil h4x0r could use that, plus any other devices they find, to map out your network. So is this good or bad?
It all depends how paranoid you are. As Tom observed, does knowing that a server is in Florida somehow make it more vulnerable? No, of course not – you will likely try to compromise a server the same way regardless of where it’s located. On the other hand, if you know that the company’s main data center is in Florida, perhaps that knowledge makes it a more desirable target, and helps an attacker focus their efforts and gain access to core infrastructure more quickly.
How about if your servers also identify what they do? If you know which are database servers, which are web servers, and which are DNS servers, say, does that also give an attacker information that helps them find their way around your infrastructure? Perhaps compromising a DNS server will reveal zone files that allow an attacker to enumerate your entire infrastructure? Or maybe it won’t.
So if we don’t want to use geographical or service naming, what do we do? The classic starting point for many smaller companies is cute names; for example, perhaps all the servers are named after Disney characters, Star Trek characters, or planets and stars. This is sweet while you have relatively few servers, but it frequently scales badly (it’s easy to run out of names). For a new employee, learning that Mickey is the AD Domain Controller while Minnie is the web server takes time and may slow them down until they’re familiar with the environment, and as more and more servers are brought up, remembering which servers do what gets even harder.
I’ve seen a hybrid naming scheme used before, where all the web servers were Disney characters, all the AD servers were named after characters from The Hitchhiker’s Guide to the Galaxy, and so forth. That worked up to a point, but when I spoke to people it was clear that they had to take an extra second or two to hear the server name, figure out which type of name it was, and then translate that to its position in the architecture.
The most interesting naming scheme I’ve come across – in a couple of places now – involves using random names for all servers; typically dictionary words assigned with no apparent sequence. It’s a little like giving every server a name based on a random number generator, only instead of a sequence of digits, the names are at least pronounceable and thus a little more memorable. Unsurprisingly, in each place I’ve seen this, the policy has come as a directive from the Security team. I can’t honestly imagine trying to troubleshoot a network where the AD Domain Controllers are named BILLY, STARBASE, ALSATIAN, BANANA and ELEPHANT, while the web servers are TIGER, ELEMENT, BIZARRE, POSSE, DINNER and GELATINE. How on earth do you remember those?
Help Me Out
I am really curious to hear from you all what the best naming convention is. Personally I think the abstract naming is just counter-productive, but I’d love to hear from a security professional as to why that might be a really great idea. Could you live in an environment with abstract naming?