

Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
clubs:


4 edits
 Is Portknocking "Real" Security?

In a recent article of mine I put forth that obscurity can be used as a layer to bolster true security in a useful way. What follows is a thread on Reddit.com with someone arguing the opposite.

I'd love to hear what you guys think about these two viewpoints, I'm specifically interested in those that agree with him and not me.

[ Reddit.com: Portknocking Security Debate ]

(Edit: I should mention that when I discuss portknocking as a security layer, I mean that as something ON TOP OF decent, existing security. SSH is my preferred example.)

--
dmiessler.com -- grep understanding knowledge


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC

The concept of portknocking from the days it was proposed using firewall logs changed into a "secret knock" thingie is like giving your neighbor a key to your cottage and trust him to protect it. Not only protect the "key"..but also your place. You do not know where he will store the key much less when "he" enters your cottage if it was really his muddy feet in the buffer overflow.

If you are looking for peace of mind Security..the weighted scale is against portknocking..but if you are just after a new whistle and bell "feature" then go for it..it does not ADD anything to real security..it just throws another problem into the equation...no matter how secure you think you are doing it.

I will be standing in the hallway
»www.songlyrics.com/song-lyrics/O···534.html

"Knock three times
On the ceiling if you want me.
Mmm-hmm, twice on the pipe
If the answer is no."
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/


Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
clubs:


2 edits
Your analogy is horribly flawed, Name Game. Nobody gets a "key" to the cottage. A "key" implies that a successful portknock yields a shell via SSH. It doesn't. All a successful portknock gives you is the ability to try one's hand against standard SSH security. No security layers are removed from the equation; one is just added.

Do you still think this is a problem?
--
dmiessler.com -- grep understanding knowledge


sivran
Long Live The Suite
Premium
join:2003-09-15
Arlington, TX
clubs:
·RoadRunner Cable

reply to Daniel
It's more like a prohibition-era speakeasy with a secret knock. Bang on the door like a policeman, and no one ever opens the little sliding window and asks for the password.

At the very worst, it's like having one extra password to enter. What could be so bad about that, aside from the annoyance factor?

Of course, physical analogies are somewhat flawed anyway. A door can be knocked down. A closed port (usually) can't be.
--
Think outside the fox...Seamonkey


Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
clubs:

said by sivran See Profile :

At the very worst, it's like having one extra password to enter. What could be so bad about that, aside from the annoyance factor?
Actually, once you install the software it can become pretty much transparent, so the "knock" can take place without you being aware of it (and even use cryptography to do so).

The end result is that you just login as normal regardless of where you are, while the rest of the world sees nothing whatsoever. To them there might as well not even be a service running.
--
dmiessler.com -- grep understanding knowledge


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC

reply to Daniel
I sure do..the ports are closed for a reason..having someone playing around with the pin tumblers is not an option. Security is best served out in the open if any transactions are going to be done..and YOU control the transaction.. not by obscurity. You did not add a security layer..you just look for one to protect a port I keep closed.

Stealth is silly also..the word is closed.

$$^D
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/


Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
clubs:

said by Name Game See Profile :

You did not add a security layer..you just look for one to protect a port I keep closed.
I think you missed the point; we're talking about people who 1) have a need to run the daemon, and 2) require connections from a dynamic range of source addresses.

So how do you propose to allow only certain people to come to your gate (they still have to login), while presenting a completely firewalled appearance to the rest of the world?

If this isn't "real" security, what do you propose as an alternative? And don't mention anything involving SSH itself, because that's already being done. BEYOND SSH itself.
--
dmiessler.com -- grep understanding knowledge


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC

reply to sivran
said by sivran See Profile :

It's more like a prohibition-era speakeasy with a secret knock. Bang on the door like a policeman, and no one ever opens the little sliding window and asks for the password.

At the very worst, it's like having one extra password to enter. What could be so bad about that, aside from the annoyance factor?

Of course, physical analogies are somewhat flawed anyway. A door can be knocked down. A closed port (usually) can't be.
Might want to read Matt Doyle's undergrad thesis..

»portknocking.sourceforge.net/
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC

reply to Daniel
said by Daniel See Profile :

said by Name Game See Profile :

You did not add a security layer..you just look for one to protect a port I keep closed.
I think you missed the point; we're talking about people who 1) have a need to run the daemon, and 2) require connections from a dynamic range of source addresses.

So how do you propose to allow only certain people to come to your gate (they still have to login), while presenting a completely firewalled appearance to the rest of the world?

If this isn't "real" security, what do you propose as an alternative? And don't mention anything involving SSH itself, because that's already being done. BEYOND SSH itself.
The alternatives are not available for discussion in this forum.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/


Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
clubs:


1 edit
said by Name Game See Profile :

said by Daniel See Profile :

said by Name Game See Profile :

You did not add a security layer..you just look for one to protect a port I keep closed.
If this isn't "real" security, what do you propose as an alternative? And don't mention anything involving SSH itself, because that's already being done. BEYOND SSH itself.
The alternatives are not available for discussion in this forum.
Why? Are they too 133t?
--
dmiessler.com -- grep understanding knowledge


Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
clubs:

1 edit
reply to Name Game
..


SpannerITWks
Premium
join:2005-04-22

reply to Daniel
I think it makes perfect sense to have as many obstacles in the way to prevent intrusions, why would anyone object to that !

Spanner
--
I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks
/SpannerITWks


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC

said by SpannerITWks See Profile :

I think it makes perfect sense to have as many obstacles in the way to prevent intrusions, why would anyone object to that !

Spanner
»lists.netfilter.org/pipermail/ne···824.html
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/

ghost16825
Use security metrics
Premium
join:2003-08-26


1 edit
reply to Daniel
I think portknocking is a neat idea for certain cases of always-on daemons like SSH. The key point to note is that the server should not send any response to the portknock.

It should be noted that the only real benefit of port knocking is in turning remotely accessible daemons on or off remotely, and in so doing portknocking can completely remove large elements of risk involved in having daemons remotely accessible for extended periods of time.

Turning the remote daemon on only when it is needed means that any exploitable vulnerabilities in the daemon itself can only be exploited whilst the daemon is running. If the time spent utilizing this daemon is relatively short, then this decreases the risk of this daemon being exploited by some arbitrary amount.

The key questions are:
For what amount of time is it necessary to utilize this remotely accessible daemon (annually)?
According to your pattern of behaviour or your risk "profile", by how much will decreasing the amount of time a remotely accessible daemon is available decrease the risk of exploitation of a vulnerability, if one is present in that daemon?

(You'll notice I haven't mentioned anything about sniffing the portknocking sequence. Things like S/KEY could be used, but it seems like a waste of effort considering all a potential hacker has gained is the ability to turn a remote accessible daemon on or off.)


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC

reply to Daniel
There is a far stretch from theory to implementation much less actual use. I posted a link above for anyone who is serious about it..I will not go into details what others have tried in the real world.. it is priority info...but to date Portknocking is NOT real Security.

For any interest you can start at the link below..
***************************

> >First, port knocking as opposed to single packet strategies have some
> >serious problems:
> >
> >- Hard to solve the replay problem
> >- Insufficient data transfer rate and reliability because of necessary
> > time delays to enforce packet ordering to make reasonably sized
> > data transfers (asymmetric encryption is not even an option)
> >- Knock sequences look like port scans
>
> Tumbler is a Single Packet Authorization protocol. We offer 2 modes of
> operation: the traditional port knock sequence and the SPA way.

Right, I was treating the two modes separately (port knocking vs. SPA).
I'm trying to make the case that port knocking has enough problems to
motivate people to use an SPA solution instead.

»lists.netfilter.org/pipermail/ne···824.html
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/

TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
Yonkers, NY

reply to Daniel
Here is a long but interesting read on Port Knocking and SPA.

»web.mac.com/s.j/iWeb/Security/Po···6)_1.pdf
--
Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.

ghost16825
Use security metrics
Premium
join:2003-08-26

reply to Name Game
said by Name Game See Profile :

There is a far stretch from theory to implementation much less actual use. I posted a link above for anyone who is serious about it..I will not go into details what others have tried in the real world.. it is priority info...but to date Portknocking is NOT real Security.
Part of the problem is that it is up to the imagination what port knocking can be used to do. If it's simply for switching a daemon on or off I see no need for any type of further authentication. The best that anyone can do is repeatedly switch a service off. If you're using port knocking for anything more complex as part of full-blown remote-control system, then I really don't see the benefits of this above a SSH tunnel, unless you really want to create a stealthy low-overhead limited command system. Single Packet Authorization seems to be a lot neater in that it solves timing issues. The replay problem is really not that difficult to solve, and that insufficient data transfer comment quoted is just nonsense as port knocking is not a SSH replacement.
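
The replay problem raised in the quoted mailing-list message and in the post above, as an added example that is not part of any post in this thread and not the packet format of Tumbler or any other tool: a single authenticated packet carrying a timestamp and nonce, checked by a server that never replies. The packet layout, `WINDOW` value, key and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

WINDOW = 30    # seconds a packet stays valid (assumed value)
TAG_LEN = 32   # HMAC-SHA256 output size


def make_packet(key: bytes, now: int) -> bytes:
    """Client side: 8-byte timestamp + 16-byte random nonce + HMAC tag."""
    body = struct.pack(">Q", now) + os.urandom(16)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Verifier:
    """Server side: accept or drop silently; nothing is sent back."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen = {}  # nonce -> timestamp, kept only while still valid

    def accept(self, packet: bytes, now: int) -> bool:
        if len(packet) != 8 + 16 + TAG_LEN:
            return False
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return False
        ts, nonce = struct.unpack(">Q", body[:8])[0], body[8:]
        if abs(now - ts) > WINDOW:                  # stale capture
            return False
        # A nonce can be forgotten once its timestamp has left the window,
        # because the packet carrying it would fail the check above anyway.
        self.seen = {n: t for n, t in self.seen.items()
                     if abs(now - t) <= WINDOW}
        if nonce in self.seen:                      # replay inside the window
            return False
        self.seen[nonce] = ts
        return True


def demo():
    key = b"constructed-shared-secret"              # constructed sample key
    server = Verifier(key)
    pkt = make_packet(key, now=1000)
    return [server.accept(pkt, 1005),               # first use
            server.accept(pkt, 1006),               # sniffed and replayed
            server.accept(pkt, 2000),               # replayed much later
            server.accept(make_packet(b"wrong-key", 1000), 1005)]
```

The nonce cache stays bounded because entries expire with the timestamp window; the sketch does not bind the packet to a source address or encrypt its contents.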


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC

reply to Daniel
Yes ..nice work in progress on both.. you might feel secure using what is actually now available..but that too is left up to the imagination..repeatability.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest

reply to Daniel
So how do you propose to allow only certain people to come to your gate (they still have to login), while presenting a completely firewalled appearance to the rest of the world?
I think you have made the point very well. This is all about appearances, rather than about real security.
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10


Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
clubs:

said by nwrickert See Profile :

So how do you propose to allow only certain people to come to your gate (they still have to login), while presenting a completely firewalled appearance to the rest of the world?
I think you have made the point very well. This is all about appearances, rather than about real security.
You misunderstand; I do think it offers real security.
--
dmiessler.com -- grep understanding knowledge