

Daniel
Premium,MVM
join:2000-06-26
San Francisco, CA

4 edits

Is Portknocking "Real" Security?

In a recent article of mine I put forth that obscurity can be used as a layer to bolster true security in a useful way. What follows is a thread on Reddit.com with someone arguing the opposite.

I'd love to hear what you guys think about these two viewpoints; I'm specifically interested in those that agree with him and not me.

[ Reddit.com: Portknocking Security Debate ]

(Edit: I should mention that when I discuss portknocking as a security layer, I mean that as something ON TOP OF decent, existing security. SSH is my preferred example.)

--
dmiessler.com -- grep understanding knowledge


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:6

The concept of portknocking from the days it was proposed using firewall logs changed into a "secret knock" thingie is like giving your neighbor a key to your cottage and trusting him to protect it. Not only protect the "key"..but also your place. You do not know where he will store the key, much less when "he" enters your cottage if it was really his muddy feet in the buffer overflow.

If you are looking for peace of mind Security..the weighted scale is against portknocking..but if you are just after a new whistle and bell "feature" then go for it..it does not ADD anything to real security..it just throws another problem into the equation...no matter how secure you think you are doing it.

I will be standing in the hallway
»www.songlyrics.com/song-lyrics/O···534.html

"Knock three times
On the ceiling if you want me.
Mmm-hmm, twice on the pipe
If the answer is no."
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/



Daniel
Premium,MVM
join:2000-06-26
San Francisco, CA

2 edits

Your analogy is horribly flawed, Name Game. Nobody gets a "key" to the cottage. A "key" implies that a successful portknock yields a shell via SSH. It doesn't. All a successful portknock gives you is the ability to try one's hand against standard SSH security. No security layers are removed from the equation; one is just added.

Do you still think this is a problem?
--
dmiessler.com -- grep understanding knowledge



sivran
Back to Opera again
Premium
join:2003-09-15
Arlington, TX
kudos:1
Reviews:
·RoadRunner Cable

reply to Daniel
It's more like a prohibition-era speakeasy with a secret knock. Bang on the door like a policeman, and no one ever opens the little sliding window and asks for the password.

At the very worst, it's like having one extra password to enter. What could be so bad about that, aside from the annoyance factor?

Of course, physical analogies are somewhat flawed anyway. A door can be knocked down. A closed port (usually) can't be.
--
Think outside the fox...Seamonkey



Daniel
Premium,MVM
join:2000-06-26
San Francisco, CA

said by sivran:

At the very worst, it's like having one extra password to enter. What could be so bad about that, aside from the annoyance factor?
Actually, once you install the software it can become pretty much transparent, so the "knock" can take place without you being aware of it (and even use cryptography to do so).

The end result is that you just log in as normal regardless of where you are, while the rest of the world sees nothing whatsoever. To them there might as well not even be a service running.
--
dmiessler.com -- grep understanding knowledge


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:6

reply to Daniel
I sure do..the ports are closed for a reason..having someone playing around with the pin tumblers is not an option. Security is best served out in the open if any transactions are going to be done..and YOU control the transaction.. not by obscurity. You did not add a security layer..you just look for one to protect a port I keep closed.

Stealth is silly also..the word is closed.

$$^D
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/



Daniel
Premium,MVM
join:2000-06-26
San Francisco, CA

said by Name Game:

You did not add a security layer..you just look for one to protect a port I keep closed.
I think you missed the point; we're talking about people who 1) have a need to run the daemon, and 2) require connections from a dynamic range of source addresses.

So how do you propose to allow only certain people to come to your gate (they still have to login), while presenting a completely firewalled appearance to the rest of the world?

If this isn't "real" security, what do you propose as an alternative? And don't mention anything involving SSH itself, because that's already being done. BEYOND SSH itself.
--
dmiessler.com -- grep understanding knowledge


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:6

reply to sivran

said by sivran:

It's more like a prohibition-era speakeasy with a secret knock. Bang on the door like a policeman, and no one ever opens the little sliding window and asks for the password.

At the very worst, it's like having one extra password to enter. What could be so bad about that, aside from the annoyance factor?

Of course, physical analogies are somewhat flawed anyway. A door can be knocked down. A closed port (usually) can't be.
Might want to read Matt Doyle's undergrad thesis..

»portknocking.sourceforge.net/
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:6

reply to Daniel

said by Daniel:

said by Name Game:

You did not add a security layer..you just look for one to protect a port I keep closed.
I think you missed the point; we're talking about people who 1) have a need to run the daemon, and 2) require connections from a dynamic range of source addresses.

So how do you propose to allow only certain people to come to your gate (they still have to login), while presenting a completely firewalled appearance to the rest of the world?

If this isn't "real" security, what do you propose as an alternative? And don't mention anything involving SSH itself, because that's already being done. BEYOND SSH itself.
The alternatives are not available for discussion in this forum.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/


Daniel
Premium,MVM
join:2000-06-26
San Francisco, CA

1 edit

said by Name Game:

said by Daniel:

said by Name Game:

You did not add a security layer..you just look for one to protect a port I keep closed.
If this isn't "real" security, what do you propose as an alternative? And don't mention anything involving SSH itself, because that's already being done. BEYOND SSH itself.
The alternatives are not available for discussion in this forum.
Why? Are they too 133t?
--
dmiessler.com -- grep understanding knowledge


Daniel
Premium,MVM
join:2000-06-26
San Francisco, CA

1 edit

reply to Name Game
..



SpannerITWks
Premium
join:2005-04-22

reply to Daniel
I think it makes perfect sense to have as many obstacles in the way to prevent intrusions, why would anyone object to that !

Spanner
--
I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks
/SpannerITWks



Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:6

said by SpannerITWks:

I think it makes perfect sense to have as many obstacles in the way to prevent intrusions, why would anyone object to that !

Spanner
»lists.netfilter.org/pipermail/ne···824.html
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/

ghost16825
Use security metrics
Premium
join:2003-08-26

1 edit

reply to Daniel
I think portknocking is a neat idea for certain cases of always-on daemons like SSH. The key point to note is that the server should not send any response to the portknock.

It should be noted that the only real benefit of port knocking is in turning remotely accessible daemons on or off remotely, and in so doing portknocking can completely remove large elements of risk involved in having daemons remotely accessible for extended periods of time.

Turning the remote daemon on only when it is needed means that any exploitable vulnerabilities in the daemon itself can only be exploited whilst the daemon is running. If the time spent utilizing this daemon is relatively short, then this decreases the risk of this daemon being exploited by some arbitrary amount.

The key questions are:
For what amount of time is it necessary to utilize this remotely accessible daemon (annually)?
According to your pattern of behaviour or your risk "profile", by how much will decreasing the amount of time a remotely accessible daemon is available decrease the risk of exploitation of a vulnerability, if one is present in that daemon?

(You'll notice I haven't mentioned anything about sniffing the portknocking sequence. Things like S/KEY could be used, but it seems like a waste of effort considering all a potential hacker has gained is the ability to turn a remote accessible daemon on or off.)



Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:6

reply to Daniel
There is a far stretch from theory to implementation, much less actual use. I posted a link above for anyone who is serious about it..I will not go into details what others have tried in the real world.. it is priority info...but to date Portknocking is NOT real Security.

For any interest you can start at the link below..
***************************

> >First, port knocking as opposed to single packet strategies have some
> >serious problems:
> >
> >- Hard to solve the replay problem
> >- Insufficient data transfer rate and reliability because of necessary
> > time delays to enforce packet ordering to make reasonably sized
> > data transfers (asymmetric encryption is not even an option)
> >- Knock sequences look like port scans
>
> Tumbler is a Single Packet Authorization protocol. We offer 2 modes of
> operation: the traditional port knock sequence and the SPA way.

Right, I was treating the two modes separately (port knocking vs. SPA).
I'm trying to make the case that port knocking has enough problems to
motivate people to use an SPA solution instead.

»lists.netfilter.org/pipermail/ne···824.html
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/


TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
Yonkers, NY
kudos:1
Reviews:
·Optimum Online

reply to Daniel
Here is a long but interesting read on Port Knocking and SPA.

»web.mac.com/s.j/iWeb/Security/Po···6)_1.pdf
--
Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.


ghost16825
Use security metrics
Premium
join:2003-08-26

reply to Name Game

said by Name Game:

There is a far stretch from theory to implementation, much less actual use. I posted a link above for anyone who is serious about it..I will not go into details what others have tried in the real world.. it is priority info...but to date Portknocking is NOT real Security.
Part of the problem is that it is up to the imagination what port knocking can be used to do. If it's simply for switching a daemon on or off I see no need for any type of further authentication. The best that anyone can do is repeatedly switch a service off. If you're using port knocking for anything more complex as part of a full-blown remote-control system, then I really don't see the benefits of this above an SSH tunnel, unless you really want to create a stealthy low-overhead limited command system. Single Packet Authorization seems to be a lot neater in that it solves timing issues. The replay problem is really not that difficult to solve, and that insufficient data transfer comment quoted is just nonsense as port knocking is not a SSH replacement.
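
[Added example, not part of the original thread or of any project linked in it.] The replay problem and the S/KEY-style one-time knocks mentioned in the posts above can be illustrated with a silent verifier that derives each knock sequence from a shared secret and a counter, then burns it after use. The HMAC-counter derivation, the names `knock_ports` and `KnockVerifier`, the port range, window and timeout are all assumptions made for this sketch.

```python
import hashlib
import hmac
import struct

# Constructed parameters for this example (not taken from the thread).
PORT_BASE, PORT_SPAN, KNOCKS = 20000, 20000, 4

def knock_ports(secret, counter):
    """Derive the one-time knock sequence for `counter` from a shared secret."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    # Two bytes of the MAC per knock, mapped into the knock port range.
    return [PORT_BASE + int.from_bytes(mac[2 * i:2 * i + 2], "big") % PORT_SPAN
            for i in range(KNOCKS)]

class KnockVerifier:
    """Silent verifier: sends nothing back, only reports when to open the port."""

    def __init__(self, secret, window=3, timeout=10.0):
        self.secret, self.window, self.timeout = secret, window, timeout
        self.counter = 0      # lowest sequence number not yet used
        self.progress = {}    # source address -> (ports seen, time of first knock)

    def observe(self, src, port, now):
        """Feed one dropped-packet log entry; True means 'allow src to reach sshd'."""
        seen, start = self.progress.get(src, ([], now))
        if now - start > self.timeout:     # stale partial knock: start over
            seen, start = [], now
        seen = seen + [port]
        # Accept a few counters ahead so one lost client knock does not desync.
        for c in range(self.counter, self.counter + self.window):
            expected = knock_ports(self.secret, c)
            if seen == expected:
                self.counter = c + 1       # burn this and every earlier sequence
                self.progress.pop(src, None)
                return True
            if expected[:len(seen)] == seen:
                self.progress[src] = (seen, start)
                return False               # valid prefix so far, keep waiting
        self.progress.pop(src, None)       # wrong knock: forget partial state
        return False

def demo():
    secret = b"constructed-demo-secret"    # constructed sample secret
    server = KnockVerifier(secret)
    first = knock_ports(secret, 0)
    opened = [server.observe("198.51.100.7", p, t) for t, p in enumerate(first)]
    # A sniffed copy of the same knock, replayed later from another address.
    replayed = [server.observe("203.0.113.9", p, 60 + t) for t, p in enumerate(first)]
    return opened, replayed
```

A completed knock only tells the firewall to let that one source address attempt a normal SSH login; the sequence that opened it is never accepted again.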


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:6

reply to Daniel
Yes ..nice work in progress on both.. you might feel secure using what is actually now available..but that too is left up to the imagination..repeatability.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/



nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse

reply to Daniel

So how do you propose to allow only certain people to come to your gate (they still have to login), while presenting a completely firewalled appearance to the rest of the world?
I think you have made the point very well. This is all about appearances, rather than about real security.
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10


Daniel
Premium,MVM
join:2000-06-26
San Francisco, CA

said by nwrickert:

So how do you propose to allow only certain people to come to your gate (they still have to login), while presenting a completely firewalled appearance to the rest of the world?
I think you have made the point very well. This is all about appearances, rather than about real security.
You misunderstand; I do think it offers real security.
--
dmiessler.com -- grep understanding knowledge
over 12.5 years online © 1999-2012 dslreports.com.