how-to block ads
|
Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
clubs: 
| Re: Is Portknocking "Real" Security? said by Name Game  :You did not add a security layer..you just look for one to protect a port I keep closed. I think you missed the point; we're talking about people who 1) have a need to run the daemon, and 2) require connections from a dynamic range of source addresses.
So how do you propose to allow only certain people to come to your gate (they still have to login), while presenting a completely firewalled appearance to the rest of the world?
If this isn't "real" security, what do you propose as an alternative? And don't mention anything involving SSH itself, because that's already being done. BEYOND SSH itself.
--
dmiessler.com -- grep understanding knowledge | |
|  
Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
| Re: Is Portknocking "Real" Security? said by Daniel :said by Name Game :You did not add a security layer..you just look for one to protect a port I keep closed. I think you missed the point; we're talking about people who 1) have a need to run the daemon, and 2) require connections from a dynamic range of source addresses. So how do you propose to allow only certain people to come to your gate (they still have to login), while presenting a completely firewalled appearance to the rest of the world? If this isn't "real" security, what do you propose as an alternative? And don't mention anything involving SSH itself, because that's already being done. BEYOND SSH itself. The alternatives are not available for discussion in this forum.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/ | |
| |
Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
clubs:
1 edit | Re: Is Portknocking "Real" Security? said by Name Game :said by Daniel :said by Name Game :You did not add a security layer..you just look for one to protect a port I keep closed. If this isn't "real" security, what do you propose as an alternative? And don't mention anything involving SSH itself, because that's already being done. BEYOND SSH itself. The alternatives are not available for discussion in this forum. Why? Are they too 133t?
--
dmiessler.com -- grep understanding knowledge | |
| | | 
nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
 ·AT&T U-Verse
 ·AT&T Midwest
| So how do you propose to allow only certain people to come to your gate (they still have to login), while presenting a completely firewalled appearance to the rest of the world? I think you have made the point very well. This is all about appearances, rather than about real security.
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10 | |
| |
Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
clubs:
| Re: Is Portknocking "Real" Security? said by nwrickert :So how do you propose to allow only certain people to come to your gate (they still have to login), while presenting a completely firewalled appearance to the rest of the world? I think you have made the point very well. This is all about appearances, rather than about real security. You misunderstand; I do think it offers real security.
--
dmiessler.com -- grep understanding knowledge | |
| | |
nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| Re: Is Portknocking "Real" Security? You misunderstand; I do think it offers real security. I do understand that you think it provides real security.
I am thinking about this in terms of the servers I manage. Suppose I set up portknocking for SSH.
Option 1: I publish the sequence of magic port knocks. There goes any added security down the drain.
Option 2: I build a client that knows the sequence of magic port knocks. That's tantamount to publishing, so see option 1.
Option 3: I have to manually weave my way through this maze every time I need to use SSH. There goes my security. I have made it too inconvenient to push security updates to each of the servers. So I don't update them. The security risk of this is greater than the imagined risk of a possible zero-day ssh exploit showing up. Also, I probably stop monitoring my servers from home, because I have made it too inconvenient to login to them. The loss of monitoring is another increased security risk.
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10 | |
| | | |
Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
| Re: Is Portknocking "Real" Security? said by nwrickert :You misunderstand; I do think it offers real security. I do understand that you think it provides real security. I am thinking about this in terms of the servers I manage. Suppose I set up portknocking for SSH. Option 1: I publish the sequence of magic port knocks. There goes any added security down the drain. Option 2: I build a client that knows the sequence of magic port knocks. That's tantamount to publishing, so see option 1. Option 3: I have to manually weave my way through this maze every time I need to use SSH. There goes my security. I have made it too inconvenient to push security updates to each of the servers. So I don't update them. The security risk of this is greater than the imagined risk of a possible zero-day ssh exploit showing up. Also, I probably stop monitoring my servers from home, because I have made it too inconvenient to login to them. The loss of monitoring is another increased security risk. And that of course is part of the "KEY" Daniel can not understand..unattended access..additional third party apps installed insdie to make it all happen..and you trust the code to work as advertised...Then you force the rest of your security to allow it to happen.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/ | |
| | | | 
captain_clue_bit
@foebud.org
 from:
Daniel
| WOW, you guys have the craziest views of reality.
said by nwrickert :Option 1: I publish the sequence of magic port knocks. There goes any added security down the drain. Right, because service scanners always read published info about a target. It's the nmap option of --check-for-published-portknocker-data
said by nwrickert :Option 2: I build a client that knows the sequence of magic port knocks. That's tantamount to publishing, so see option 1. Absolutely, because most scanners download specific client software for every host they scan. It's the --download-special-ssh-client-and-extract-portknocking-sequence flag to nmap.
said by nwrickert :Option 3: I have to manually weave my way through this maze every time I need to use SSH. There goes my security. I have made it too inconvenient to push security updates to each of the servers. So I don't update them. The security risk of this is greater than the imagined risk of a possible zero-day ssh exploit showing up. Also, I probably stop monitoring my servers from home, because I have made it too inconvenient to login to them. The loss of monitoring is another increased security risk. You think that's bad, have you seen the whole PKI authentication model?? They actually expect you to always have a file present on a system in order to log into others. Man, what a hassle. Those systems must not've been patched in years.
said by nwrickert :And that of course is part of the "KEY" Daniel can not understand..unattended access..additional third party apps installed insdie to make it all happen..and you trust the code to work as advertised...Then you force the rest of your security to allow it to happen. SSH on *any* system is third party. Since you haven't audited or written your operating system, you trust that *all* of your software works as advertised.
Face it gents, it's a real security layer. Every security layer can be defeated, it's just a matter of how hard it is or how long it takes. | |
| | | |
Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
clubs:
4 edits | said by nwrickert :You misunderstand; I do think it offers real security. Option 1: I publish the sequence of magic port knocks. There goes any added security down the drain. Option 2: I build a client that knows the sequence of magic port knocks. That's tantamount to publishing, so see option 1. You keep using this word "publish". I don't think it means what you think it means. Let's try a real-world attack scenario:
Case:
You have deployed a port-knocking technology so that your firewall is opened just for SSH (which users still have to authenticate to using keys or passwords) once they authenticate via port-knocking sequence. The software was installed by your IT team on the laptops of your engineers in the field (we'll say you have 100 such engineers/laptops. And your employees know, of course, that if their laptop were to be stolen, they would need to report it. The way they use the software is by simply invoking the SSH client, which is configured to knock before attempting, which yields you your login prompt as normal.
Now, somewhere in the Ukraine, an organized crime syndicate has procured, through their extensive network of young crackers, a brand-new OpenSSH exploit that yields a root shell to the attacker. It's time now to begin using the exploit. The first thing these people need is a set of targets. They may already have a few high-profile targets in mind, but the way they'll build a victim list is by scanning for SSH. My questions to you (nwcricket and Name Game) are these:
Questions
1. How do you think this small group of guys in charge of doing the SSH scans (maybe one or two guys) are going to somehow magically procure the cryptographic knock sequence that's on the laptops of your engineers?
2. Ok, now that you realize that it's virtually impossible for that to happen, realize that the attackers, when they scanned your company's network range, DIDN'T SEE YOUR SSH SERVER. There are only two lists that result from these scans: the first is people that ARE running SSH exposed on the Internet, and the second are the people NOT running SSH exposed on the Internet. Most of those people are not running it at all, but some are running it with tight ACLs, some are running it internally with no firewall rules passing into it, etc. Either way, ALL THOSE PEOPLE go on the list of those NOT running SSH. To an attacker, they're all the same because they can't be attacked.
3. Now, after all that...realize that even if the ultimate, highly unlikely scenario were to take place, i.e. a super-elite Ukranian female hottie spy were to have infiltrated your organization and seduced one of your engineers. She now has your portknocking software!
Oh no! Game over, right?
No. No game over. All they've done is make YOUR SSH daemon the same as everyone else's, i.e. they either still have to login (they don't have the password still), or use an exploit. Meanwhile, for all the other THOUSANDS of attackers scanning your systems on a constant basis, are simply out of luck. They have essentially 0% chance of every compromising your SSH server because to them it ISN'T THERE.
--
So I ask you, gentlemen, please explain to me how this isn't a security layer.
--
dmiessler.com -- grep understanding knowledge | |
| | | | |
nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| Re: Is Portknocking "Real" Security? 1. How do you think this small group of guys in charge of doing the SSH scans (maybe one or two guys) are going to somehow magically procure the cryptographic knock sequence that's on the laptops of your engineers? They already have a copy of the SSH client that does this, because they have trojanized one or more of those laptops and installed a keylogger.
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10 | |
| | | | | |
Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
clubs:
1 edit | Re: Is Portknocking "Real" Security? said by nwrickert :1. How do you think this small group of guys in charge of doing the SSH scans (maybe one or two guys) are going to somehow magically procure the cryptographic knock sequence that's on the laptops of your engineers? They already have a copy of the SSH client that does this, because they have trojanized one or more of those laptops and installed a keylogger. I see, so any security layer that can be defeated by having full root access via trojaned system fails to be called a security layer? I think you may be out of your element, my friend. Layers aren't layers because they can't be defeated.
Your argument says that police shouldn't wear bullet proof vests because someone was rumored to have an anti-tank weapon in town. And of course, if someone were to shoot the officer wearing the vest with an anti-tank weapon...well what good would the vest do?
You're saying the same thing about the port-knocking layer. The fact that it can be defeated by full root control of the system means nothing. It can also be defeated if the engineer becomes insane and starts posting the username, password, and knocking sequence hundreds of hacker IRC channels. This doesn't make it any less effective as a layer.
Why? Because none of those things are, in the grand scheme of things, likely to happen. Remember, the machine wouldn't just have to be trojaned; it would have to be trojaned by THAT specific group -- of which there are thousands.
Get real, dude.
--
dmiessler.com -- grep understanding knowledge | |
| | | | | | |
nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| Re: Is Portknocking "Real" Security? I see, so any security layer that can be defeated by having full root access via trojaned system fails to be called a security layer? I never said nor implied that.
Your argument says that police shouldn't wear bullet proof vests because someone was rumored to have an anti-tank weapon in town. I never said nor implied that either.
It's a known fact police find these vests hot, sweaty and cumbersome. Some of them choose to go without. And that is closer to the problem I was raising. When you add a layer (whether security or obscurity), you have to consider the possibility that people will set up ways of bypassing it, with the result that your security might actually be worse.
It can also be defeated if the engineer becomes insane and starts posting the username, password, and knocking sequence hundreds of hacker IRC channels. The risk of that may well be greater than the risk of the zero-day exploit that so concerns you. The risk that one of your users will have is laptop trojanized should be of far greater concern.
You are adding complexity in order to prevent a very unlikely problem, while you disregard the far more likely problem that some of your users will have their machines trojanized.
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10 | |
| | | | | | | |
Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
clubs:
1 edit | Re: Is Portknocking "Real" Security? When you add a layer (whether security or obscurity), you have to consider the possibility that people will set up ways of bypassing it, with the result that your security might actually be worse. With all due respect, you're not grasping the basics here. What you just said illustrates that you don't understand what a "layer" actually is. If you have 5 layers of protection, and you add an additional layer on top of it, how many do you have?
Right, 6. So what happens if the 6th layer gets compromised? Do you now have 4? No. You still have 5. You see, we haven't lowered our security anywhere, we've only raised it. So in the HIGHLY unlikely event that this one additional barrier were to be breached, we would be back at the previous layer, i.e. SSH authentication.
Oh, by the way, that's the layer your at now.
--
dmiessler.com -- grep understanding knowledge | |
| | | | | | | | |
nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| Re: Is Portknocking "Real" Security? If you have 5 layers of protection, and you add an additional layer on top of it, how many do you have? Well, okay. If you have to accuse those who disagree of being unable to count, then I'll take that as evidence that you don't have much in the way of good arguments.
The French added an extra layer of security, to ensure that they could not be invaded by Germany. That extra layer was known as the Maginot line. As history demonstrates, it isn't as simple as just counting layers.
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10 | |
| | | | | | | | | |
Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
clubs:
| Re: Is Portknocking "Real" Security? said by nwrickert :If you have 5 layers of protection, and you add an additional layer on top of it, how many do you have? Well, okay. If you have to accuse those who disagree of being unable to count, then I'll take that as evidence that you don't have much in the way of good arguments. I wasn't implying that you didn't know 5 + 1 = 6. I was implying that you didn't realize that removing the 1 doesn't equal less than 5, which is precisely what you've been arguing all along.
--
dmiessler.com -- grep understanding knowledge | |
| | | | | | | | | |
Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
clubs:
2 edits | The French added an extra layer of security, to ensure that they could not be invaded by Germany. That extra layer was known as the Maginot line. As history demonstrates, it isn't as simple as just counting layers.
A LAYER means you have real, strong security sitting behind it (like SSH authentication, for example). Stupidity, on the other hand, is when you don't have any real security and you spend your time implementing something that won't work, and/or can be bypassed very easily. Let's review:
1. Portknocking works great and CAN be implemented easily -- even so that it stands up to observational attacks via cryptography.
2. Worst case scenario is that your SSH daemon remains as strong as it is today.
--
Do the right thing and admit you were mistaken on this one. Seriously.
--
dmiessler.com -- grep understanding knowledge | |
| | | | | | | | | |
nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| Re: Is Portknocking "Real" Security? The fact that you're comparing portknocking with a line of uni-directional, non-mobile gun turrets (while the enemy has airborne troops) is illustrative of the fact that I've been wasting my time. But just for the sake of argument I'll show you why that's a horrible analogy. But that's exactly what you are doing. You are aiming your "guns" at direct attacks from the network, when the major risk is from clever use of social engineering techniques.
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10 | |
| | | | | | | | | |
Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
clubs:
| Re: Is Portknocking "Real" Security? said by nwrickert :You are aiming your "guns" at direct attacks from the network, when the major risk is from clever use of social engineering techniques. If we're trying to address the problem of millions of people having access to your SSH daemon, the way to counter that is with a network-based control. And that's what we're discussing here -- the effectiveness of one such control.
To say that we shouldn't be trying to protect ourselves from threat A just because threat B also exists is utterly insane. The bottom line is that this technique significantly lowers overall risk to a company that requires their SSH daemon be available to employees regardless of source network.
If you don't see that by this point then I guess there's little more for me to say.
--
dmiessler.com -- grep understanding knowledge | |
| | | | | | | | | | | | | | | | | | | |
Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
clubs:
| Re: Is Portknocking "Real" Security? said by EGeezer :Based on what I've read here, it appears that portknocking can be a useful part of an SSH implementation. While there were several general non-technical analogies presented, none seemed to address the methods a hacker might use to discover and obtain the port knocking sequence in a public network. I was hoping to see an answer to the scenario I referenced in my earlier post, but that appears not to be forthcoming. Perhaps there is no practical way. One question, though - how would one build an IP table for the IP authorization if the clients are road warriors using DHCP? Seems that option would not be useful in that case. Actually it does work for that. That's the whole point of the project -- to have it work for roaming, dynamic-source clients.
--
dmiessler.com -- grep understanding knowledge | |
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 
EGeezer
Go Bobcats
Premium
join:2002-08-04
Country!
 ·Callcentric
 ·RoadRunner Cable
·AT&T CallVantage
| Re: IP access rules and DHCP clients I was trying to figure out Ghost's reply(»Re: Is Portknocking "Real" Security?)
... I was thinking more along the lines of a port being accessible by everyone whenever a single user entered the correct port sequence for access. Obviously I forgot that iptables can allow access to ports on a per IP address after a port knocking sequence. Hence, my previous questions do not apply. So it's possible to have thousands of users access a service remotely, but no indication to others that a remote service is listening on a certain port.
Based on that, I'm thinking that one would need a fixed client IP address to implement IP based rules. If the client is DHCP assigned, this IP rules layer wouldn't be in the picture. Hope that clarifies my curiosity.
--
03:14:07 UTC Tuesday, Jan. 19, 2038 - a date that will live in infamy... | |
| | | | | | | | | |
nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| Based on what I've read here, it appears that portknocking can be a useful part of an SSH implementation. But why port knocking?
Couldn't you achieve the same thing with a udp listener that can open the firewall for a particular connection in response to an encrypted and digitally signed udp packet? It seems to me that this would be more effective and simpler to implement. Moreover, it would work behind a NAT router, where I would only have to forward that one udp port instead of all of the ports that would be needed for port knocking.
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10 | |
| | | | | | | | | | | | | | | | | | | |
Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
clubs:
2 edits | Moreover, it would work behind a NAT router, where I would only have to forward that one udp port instead of all of the ports that would be needed for port knocking.
Holy God. You mean you've been arguing all this time against it and you don't even know how it works?
Portknocking only opens ONE (1) port, e.g. 22 for SSH.
»www.portknocking.org/
One source address, one port, for a short amount of time. And what you're talking about is called SPA, and it was mentioned earlier in the thread. I agree that it's an interesting alternative to the portknocking implementation, but ultimately it's pretty much the same.
The firewall is closed, but when the trusted client sends a secret stimuli the firewall opens up JUST FOR THEM -- keeping the rest of the world locked out. This is the same for both portknocking and SPA.
But dude...do you see now?
--
dmiessler.com -- grep understanding knowledge | |
| | | | | | | | | |
nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| Re: Is Portknocking "Real" Security? said by Daniel :Holy God. You mean you've been arguing all this time against it and you don't even know how it works? Portknocking only opens ONE (1) port, e.g. 22 for SSH. If you could avoid these unwarranted insults, perhaps intelligent discussion might break out.
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10 | |
| | | | | | | | | |
Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
clubs: | Re: Is Portknocking "Real" Security? Fair enough, my bad. I got a bit rowdy.
So, yeah...it's just one port, man. Does this change anything for you?
--
dmiessler.com -- grep understanding knowledge | |
| | | | | | | | | |
nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest
1 edit | Re: Is Portknocking "Real" Security? So, yeah...it's just one port, man. Does this change anything for you? According to the doc "encoded in the form of connection attempts to closed ports, in which the port sequence forms the encoding,". You can't have much of a port sequence with only one port. In other words, it isn't going to work too well when you are behind an external firewall/router.
So sure, you add a security layer of some sort. But I have to remove an existing security layer (the external firewall), to be able to use it. In that case, when you are behind a typical NAT box, it may be a net loss in security.
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10 | |
| | | | | | | | | | TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
Yonkers, NY
1 edit | Re: Is Portknocking "Real" Security? Does this help?
»www.portknocking.org/view/about/requirements
Edit:
Assuming you want to run the server on a specific IP and do not need to dynamically select the IP, you should be able to forward the port (you would need to anyway) to the firewalled server and then read the logs as they come into that server. So I assume
whose rules can be dynamically modified.
is not absolutely needed for the router. I believe it needs to be able to log via syslog. | |
| | | | | | | | | |
nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| Re: Is Portknocking "Real" Security? Does this help? From the linked reference, "Any *NIX host running IPCHAINS/IPTABLES is suitable."
However, most inexpensive broadband routers are not suitable. So this is mostly a geek technique, particularly for those enthralled by the gee-whiz nature of the methodology.
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10 | |
| | | | | | | | | | TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
Yonkers, NY
| Re: Is Portknocking "Real" Security? Not really, again if the router can log packets via syslog to the server machine, all you need to do is forward the Port to the firewalled server. The server then opens or closes its own port.
--
Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore. | |
| | | | | | | | | | | | | | | | | | | |
nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL | Re: Is Portknocking "Real" Security? So if a security layer doesn't work on "inexpensive broadband routers" then it's essentially a toy technology? I never said that.
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10 | |
| | | | | | | | | |
Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
clubs:
| Re: Is Portknocking "Real" Security? said by nwrickert :However, most inexpensive broadband routers are not suitable. So this is mostly a geek technique, particularly for those enthralled by the gee-whiz nature of the methodology.
--
dmiessler.com -- grep understanding knowledge | |
| | | | | | | | | |
nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| Re: Is Portknocking "Real" Security? Industrial CISCO routers are not using IP tables either. And if the firewall were running on CISCO equipment at our work, there is no way our servers would be given access to the firewall logs on those routers.
I provided an example with the broadband routers. I didn't say that's the only example.
I used broadband routers as my example, because I had already commented on them earlier in an earlier post. What you wrote in response to that earlier post was wrong and insulting.
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10 | |
| | | | | | | | | | TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
Yonkers, NY
| said by nwrickert :But why port knocking? Couldn't you achieve the same thing with a udp listener that can open the firewall for a particular connection in response to an encrypted and digitally signed udp packet? It seems to me that this would be more effective and simpler to implement. Moreover, it would work behind a NAT router, where I would only have to forward that one udp port instead of all of the ports that would be needed for port knocking. That would be SPA or Single Packet Authorization.
(See the link I posted earlier)
Technically I would consider both a form of Port Knocking, since I believe the definition of port knocking used in the paper is valid and I expect there will be newer forms of Port Knocking that will add strength to port knocking as a security layer.
said by Sebastien Jeanquier :
"In broad terms, port knocking is a method for transmitting information across closed ports, with the aim of authenticating users before allowing them, and only them, to access a protected service.." Both SPA and the "Port Knocking Perl Prototype" seem to have strengths and weaknesses.
As examples
If you run SPA it can be attacked off line via a dictionary or Brute force attack.
With either method if you run a "listener" of some sort to check if the authorization should be granted you run the risk of the "listener" having a vulnerability. While the writer of the paper indicates that
said by Sebastien Jeanquier :
The knock daemon has the ability to read knocks out of the firewall log, or directly off of the wire using libpcap. Due to the way that this implementation deals directly with the bit-representation of the knocked ports, it would be quite difficult to compromise the daemon itself with maliciously crafted packets. See page 32 for his full discussion which is interesting.
IMO if you run the "Port Knocking Perl Prototype" you can in theory simply check the logs of the firewall and remove almost all of this risk.
I liked qrkx 's summary earlier, and agree with Daniel Port Knocking (including SPA) does add a layer of security, it is not the foolproof but no layer is foolproof. I also agree with you that "social engineering techniques" are the primary risk against a secured system/server but that does not make Port Knocking any less of a layer.
--
Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore. | |
| | | | | | | | | |
nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| If we're trying to address the problem of millions of people having access to your SSH daemon, the way to counter that is with a network-based control. Millions of people do have access to my SSH daemon. So far that hasn't been a problem.
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10 | |
| | | | | | | | | |
Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
clubs:
3 edits | Re: Is Portknocking "Real" Security? Millions of people do have access to my SSH daemon. So far that hasn't been a problem.
Indeed. My mistake.
--
dmiessler.com -- grep understanding knowledge | |
| | | |
|
