Enumeration avoidance techniques

As seen in the content of this chapter, an attacker can gain a lot of critical infrastructure information using freely available tools and techniques. As penetration testers, we cannot simply focus on attacking the network; we must also understand mitigating controls well enough to offer advice and guidance to our customers. There are several methods a corporation can use that will make it more difficult for an attacker to gain the information necessary to make a stealthy, successful attack on the customer's assets.

Naming conventions

Administrators should be encouraged to use naming schemes that do not give away information about the devices. For instance, let's say you used Nmap-Fu or DNS-Fu to pull the hostnames and found that the machines are labeled as follows:

  • dns1.example.com
  • mail.example.com
  • domainserver
  • devserver
  • administratorspivotpoint
  • rogueWAP

This would instantly give you an idea of which systems you would want to target first. A better method of naming could be along the lines of some tokenization, such as ST1 meaning DNS server, or all development servers having 71 as part of the name. This would make things more difficult for an intruder to interpret and, at the same time, would still allow a valid administrator to quickly identify assets for what they are.

Port knocking

Administrators can choose to use port knocking to frustrate port enumeration attempts. The concept can be as simple as requiring a client to connect to a secret port before it is allowed to connect to a valid management port such as SSH.

A more advanced usage of port knocking would be to set up a telnet server and have your host-based firewall fire off rules that temporarily block an IP from connecting to any port on the system once it touches the telnet port.
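The two ideas above, the knock sequence that opens a management port and the decoy port that bans whoever touches it, can be expressed as one small state machine. The following is an added example written for this section, not code from the book; the knock ports (7000, 8000, 9000), the protected SSH port, the decoy telnet port and the addresses are constructed values, and the timestamps are passed in explicitly so the logic is deterministic. In a real deployment the decisions would be enforced by the host firewall (for example via knockd or a netfilter rule set); this script only models the decision logic.

```python
# Added example: a port-knock state machine with a decoy-port ban.
# Ports, timeouts and addresses are constructed for illustration.

class KnockGuard:
    """Tracks knock progress per source address and decides, for each inbound
    connection attempt, whether the host firewall should allow or drop it.

    - A source that hits the knock ports in order, each within `window` seconds
      of the previous knock, gets `protected_port` opened for `open_for` seconds.
    - A source that touches `decoy_port` is banned from every port for `ban_for`
      seconds, whatever it had knocked so far.
    Knock ports themselves never answer: every knock is reported as 'drop'.
    """

    def __init__(self, sequence, protected_port, decoy_port=None,
                 window=10.0, open_for=30.0, ban_for=300.0):
        self.sequence = list(sequence)
        self.protected_port = protected_port
        self.decoy_port = decoy_port
        self.window = window
        self.open_for = open_for
        self.ban_for = ban_for
        self._progress = {}      # src_ip -> (index of next expected knock, time of last knock)
        self._open_until = {}    # src_ip -> time until which protected_port stays open
        self._banned_until = {}  # src_ip -> time until which the ban lasts

    def observe(self, src_ip, dst_port, now):
        """Feed one inbound connection attempt; returns 'allow', 'drop' or 'ban'."""
        if self._banned_until.get(src_ip, 0.0) > now:
            return "drop"

        if dst_port == self.decoy_port:
            # Touching the decoy wipes any progress and bans the source outright.
            self._banned_until[src_ip] = now + self.ban_for
            self._progress.pop(src_ip, None)
            self._open_until.pop(src_ip, None)
            return "ban"

        if dst_port == self.protected_port:
            return "allow" if self._open_until.get(src_ip, 0.0) > now else "drop"

        idx, last = self._progress.get(src_ip, (0, now))
        if now - last > self.window:
            idx = 0  # too slow: the sequence starts over
        if dst_port == self.sequence[idx]:
            idx += 1
        elif dst_port == self.sequence[0]:
            idx = 1  # a wrong port may itself be the first knock of a fresh attempt
        else:
            idx = 0  # any other port (e.g. a scanner sweeping) resets progress

        if idx == len(self.sequence):
            self._open_until[src_ip] = now + self.open_for
            self._progress.pop(src_ip, None)
        elif idx > 0:
            self._progress[src_ip] = (idx, now)
        else:
            self._progress.pop(src_ip, None)
        return "drop"


def replay(guard, events):
    """Run a list of (src_ip, dst_port, time) events and return the decisions."""
    return [guard.observe(src, port, t) for src, port, t in events]


if __name__ == "__main__":
    g = KnockGuard(sequence=[7000, 8000, 9000], protected_port=22, decoy_port=23)
    # Constructed traffic: an admin knocking correctly, then a scanner hitting the decoy.
    events = [
        ("10.0.0.5", 22, 0.0),     # drop: nothing knocked yet
        ("10.0.0.5", 7000, 1.0),   # drop (knock 1)
        ("10.0.0.5", 8000, 2.0),   # drop (knock 2)
        ("10.0.0.5", 9000, 3.0),   # drop (knock 3; SSH now open for 30 s)
        ("10.0.0.5", 22, 4.0),     # allow
        ("10.0.0.9", 23, 5.0),     # ban: scanner touched the decoy telnet port
        ("10.0.0.9", 22, 6.0),     # drop
    ]
    for (src, port, t), decision in zip(events, replay(g, events)):
        print(f"t={t:5.1f} {src:>9} -> port {port:<5} {decision}")
```

Note that a scanner sweeping ports in ascending order does not complete the sequence, because the unrelated ports between the knock ports reset its progress, and that the opened management port closes again after `open_for` seconds, so the window in which an observer could reuse the knock is short.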

Intrusion detection and avoidance systems

Although these do not provide the perfect security that vendors often claim, a properly configured IDS (host-based or network-based) can make a big difference in detecting enumeration attempts. These devices should be used as part of the corporation's defense-in-depth strategy and should be properly managed, monitored, and updated to provide the most benefit to the security posture of the corporation in question.

Trigger points

Strategically placed systems that issue alerts when accessed can be used as an early warning system, similar to a perimeter motion detector in physical security. An administrator can set up a system on a segment that automatically sends alerts or initiates certain actions when suspicious connection attempts are made.

Administrators should avoid trying to "sweeten the deal" by opening up as many ports as possible on this system, as this may give away the purpose of the system. One item of note is that, if such systems are used in the environment, it is critical that they are maintained with the same diligence as other systems on the network. Having an unpatched system on your network would definitely make an inviting target for an attacker; however, giving said attacker a quick method of gaining a foothold within your network is NOT a good idea. Once a pivot point has been established, the attacker's job is much easier, and by the time you can respond to your trigger point alerts, the attacker may have already set up backdoors into your network on other systems.
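The alerting side of a trigger point can be as simple as watching the firewall log for any packet addressed to the trigger host. The following is an added example written for this section, not code from the book; the log lines are constructed in the style of a netfilter LOG target (only the fields the script needs are included), the trigger host 10.10.5.250 and the source addresses are assumptions, and the "real" hosts are simply everything not in the trigger set. Because nothing legitimate should ever talk to the trigger host, the first contact is an alert on its own, and any later traffic from that same source to a real host is escalated, since by then the source is known hostile and may be looking for a pivot point.

```python
import re

# Constructed log lines in the style of a netfilter LOG target (not taken from the book).
SAMPLE_LOG = """\
Mar  3 10:01:12 gw kernel: FW-IN: IN=eth1 SRC=10.10.20.7 DST=10.10.5.10 PROTO=TCP DPT=443
Mar  3 10:01:15 gw kernel: FW-IN: IN=eth1 SRC=10.10.20.7 DST=10.10.5.250 PROTO=TCP DPT=22
Mar  3 10:01:16 gw kernel: FW-IN: IN=eth1 SRC=10.10.20.7 DST=10.10.5.250 PROTO=TCP DPT=445
Mar  3 10:01:20 gw kernel: FW-IN: IN=eth1 SRC=10.10.20.31 DST=10.10.5.10 PROTO=TCP DPT=443
Mar  3 10:02:05 gw kernel: FW-IN: IN=eth1 SRC=10.10.20.7 DST=10.10.5.11 PROTO=TCP DPT=445
"""

# Assumption: 10.10.5.250 is the trigger-point host on the server segment;
# no legitimate traffic should ever reach it.
TRIGGER_HOSTS = {"10.10.5.250"}

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)"
)


def parse_events(log_text):
    """Turn raw log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["dpt"] = int(ev["dpt"])
            events.append(ev)
    return events


def detect(log_text, trigger_hosts=TRIGGER_HOSTS):
    """Return a list of alerts for the given log text.

    - First contact from a source to a trigger host: one high-severity alert
      (repeat hits from the same source are counted, not re-alerted).
    - Any later connection from that source to a non-trigger host: a critical
      alert, because a known hostile is now touching real assets.
    """
    alerts = []
    tripped = {}  # src -> number of trigger-host contacts seen so far
    for ev in parse_events(log_text):
        if ev["dst"] in trigger_hosts:
            tripped[ev["src"]] = tripped.get(ev["src"], 0) + 1
            if tripped[ev["src"]] == 1:
                alerts.append({"kind": "TRIGGER_POINT_CONTACT", "severity": "high",
                               "ts": ev["ts"], "src": ev["src"],
                               "dst": ev["dst"], "dpt": ev["dpt"]})
        elif ev["src"] in tripped:
            alerts.append({"kind": "POST_TRIGGER_ACTIVITY", "severity": "critical",
                           "ts": ev["ts"], "src": ev["src"],
                           "dst": ev["dst"], "dpt": ev["dpt"],
                           "trigger_hits": tripped[ev["src"]]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a['severity']:>8}] {a['ts']} {a['kind']}: "
              f"{a['src']} -> {a['dst']}:{a['dpt']}")
```

On the sample above the script raises one alert when 10.10.20.7 first touches the trigger host on port 22, stays quiet on the second hit to the same host, and escalates when that source later connects to 10.10.5.11. The other workstation, which only talks to the web server, produces nothing. This is the early-warning behaviour the section describes: the trigger host needs no open services at all for the alert to fire, which is why it should not be "sweetened" with extra ports.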

SNMP lockdown

Ensure that administrators use SNMP in a secured manner. As previously demonstrated, SNMP can be used to gain a wealth of knowledge, and in the hands of an attacker this would basically become the end game. SNMP should use the latest security mechanisms available, such as encryption. Use the latest version of SNMP that is available if you have vetted it to be secure. It should also be locked down and restricted so that it is only accessible from certain hosts. Most important of all, the public community should be removed.

Tip

There may be times when your clients are unable to use the latest versions of SNMP for various reasons. In these cases, attempt to secure the protocol as much as possible. For example, you could advise them to lock SNMP down to specific hosts.
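The SNMP lockdown points above and the fallback in the tip can be checked mechanically against an agent's configuration. The following is an added example written for this section, not code from the book; it audits Net-SNMP snmpd.conf directives (rocommunity/rwcommunity, rouser/rwuser, agentAddress) and the three configuration texts are constructed samples: an out-of-the-box agent, an SNMPv3 authPriv agent bound to a management address, and the legacy case from the tip where v2c cannot be dropped and the community is at least restricted to one host. Host addresses, user and community names are assumptions; the directive syntax is Net-SNMP's.

```python
# Added example: audit Net-SNMP snmpd.conf directives for the weaknesses discussed
# above. The configuration texts are constructed samples, not real hosts.

DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}
USER_DIRECTIVES = {"rouser", "rwuser"}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

# Typical out-of-the-box agent: well-known communities, reachable from anywhere.
WEAK_CONF = """\
# default agent configuration
rocommunity public
rwcommunity private
agentAddress udp:161
"""

# SNMPv3 only, authPriv, listening only on the (assumed) management address.
# The createUser line normally lives in Net-SNMP's persistent configuration
# rather than the main file, so it is shown here as a comment.
HARDENED_CONF = """\
agentAddress udp:10.10.5.10:161
# createUser nmsmon SHA "auth-passphrase" AES "priv-passphrase"
rouser nmsmon priv
"""

# The fallback from the tip: v2c cannot be dropped, so restrict the community
# to the monitoring host and use a non-default name.
LEGACY_CONF = """\
rocommunity n3tm0n-r0 10.10.5.20
"""


def audit_snmpd_conf(text):
    """Return one finding per weak directive: line number, the directive text,
    the worst severity found and the list of reasons."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        reasons = []

        if directive in COMMUNITY_DIRECTIVES:
            community = parts[1] if len(parts) > 1 else ""
            source = parts[2] if len(parts) > 2 else "default"
            if community.lower() in DEFAULT_COMMUNITIES:
                reasons.append(("high", f"well-known community string '{community}'"))
            if directive.startswith("rw"):
                reasons.append(("high", "write access granted to a community string"))
            if source == "default":
                reasons.append(("medium", "community accepted from any source address"))
            reasons.append(("low", "SNMPv1/v2c community travels in cleartext; prefer SNMPv3 authPriv"))

        elif directive in USER_DIRECTIVES:
            # Net-SNMP treats a missing level as 'auth'; anything below 'priv' is unencrypted.
            level = parts[2].lower() if len(parts) > 2 and parts[2].lower() in ("noauth", "auth", "priv") else "auth"
            if level == "noauth":
                reasons.append(("high", "SNMPv3 user without authentication"))
            elif level == "auth":
                reasons.append(("medium", "SNMPv3 user without privacy (traffic not encrypted)"))

        if reasons:
            worst = max(reasons, key=lambda r: SEVERITY_RANK[r[0]])[0]
            findings.append({"line": lineno, "directive": line, "severity": worst,
                             "reasons": [r[1] for r in reasons]})
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF), ("legacy", LEGACY_CONF)):
        print(f"== {name}: {len(audit_snmpd_conf(conf))} finding(s)")
        for f in audit_snmpd_conf(conf):
            print(f"  line {f['line']} [{f['severity']}] {f['directive']}")
            for r in f["reasons"]:
                print(f"      - {r}")
```

The weak configuration yields two high-severity findings (both default communities, the second also granting write access), the hardened one yields none, and the legacy one yields a single low-severity note that the v2c community is still sent in cleartext, which is exactly the residual risk the tip asks you to explain to the client.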
