Daniel
reply to nwrickert

Re: Is Portknocking "Real" Security?

said by nwrickert:

1. How do you think this small group of guys in charge of doing the SSH scans (maybe one or two guys) are going to somehow magically procure the cryptographic knock sequence that's on the laptops of your engineers?
They already have a copy of the SSH client that does this, because they have trojanized one or more of those laptops and installed a keylogger.
I see, so any security layer that can be defeated by having full root access via a trojaned system fails to be called a security layer? I think you may be out of your element, my friend. Layers aren't layers because they can't be defeated.

Your argument says that police shouldn't wear bullet proof vests because someone was rumored to have an anti-tank weapon in town. And of course, if someone were to shoot the officer wearing the vest with an anti-tank weapon...well what good would the vest do?

You're saying the same thing about the port-knocking layer. The fact that it can be defeated by full root control of the system means nothing. It can also be defeated if the engineer becomes insane and starts posting the username, password, and knocking sequence in hundreds of hacker IRC channels. This doesn't make it any less effective as a layer.

Why? Because none of those things are, in the grand scheme of things, likely to happen. Remember, the machine wouldn't just have to be trojaned; it would have to be trojaned by THAT specific group -- of which there are thousands.

Get real, dude.
--
dmiessler.com -- grep understanding knowledge


nwrickert

said by Daniel:

I see, so any security layer that can be defeated by having full root access via a trojaned system fails to be called a security layer?
I never said nor implied that.
Your argument says that police shouldn't wear bullet proof vests because someone was rumored to have an anti-tank weapon in town.
I never said nor implied that either.

It's a known fact police find these vests hot, sweaty and cumbersome. Some of them choose to go without. And that is closer to the problem I was raising. When you add a layer (whether security or obscurity), you have to consider the possibility that people will set up ways of bypassing it, with the result that your security might actually be worse.
It can also be defeated if the engineer becomes insane and starts posting the username, password, and knocking sequence hundreds of hacker IRC channels.
The risk of that may well be greater than the risk of the zero-day exploit that so concerns you. The risk that one of your users will have his laptop trojanized should be of far greater concern.

You are adding complexity in order to prevent a very unlikely problem, while you disregard the far more likely problem that some of your users will have their machines trojanized.
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10


Daniel

said by nwrickert:

When you add a layer (whether security or obscurity), you have to consider the possibility that people will set up ways of bypassing it, with the result that your security might actually be worse.
With all due respect, you're not grasping the basics here. What you just said illustrates that you don't understand what a "layer" actually is. If you have 5 layers of protection, and you add an additional layer on top of it, how many do you have?

Right, 6. So what happens if the 6th layer gets compromised? Do you now have 4? No. You still have 5. You see, we haven't lowered our security anywhere, we've only raised it. So in the HIGHLY unlikely event that this one additional barrier were to be breached, we would be back at the previous layer, i.e. SSH authentication.

Oh, by the way, that's the layer you're at now.


nwrickert

said by Daniel:

If you have 5 layers of protection, and you add an additional layer on top of it, how many do you have?
Well, okay. If you have to accuse those who disagree of being unable to count, then I'll take that as evidence that you don't have much in the way of good arguments.

The French added an extra layer of security, to ensure that they could not be invaded by Germany. That extra layer was known as the Maginot line. As history demonstrates, it isn't as simple as just counting layers.


Daniel

said by nwrickert:

If you have 5 layers of protection, and you add an additional layer on top of it, how many do you have?
Well, okay. If you have to accuse those who disagree of being unable to count, then I'll take that as evidence that you don't have much in the way of good arguments.
I wasn't implying that you didn't know 5 + 1 = 6. I was implying that you didn't realize that removing the 1 doesn't equal less than 5, which is precisely what you've been arguing all along.


Daniel
reply to nwrickert

said by nwrickert:

The French added an extra layer of security, to ensure that they could not be invaded by Germany. That extra layer was known as the Maginot line. As history demonstrates, it isn't as simple as just counting layers.
The fact that you're comparing portknocking with a line of uni-directional, non-mobile gun turrets (while the enemy has airborne troops) is illustrative of the fact that I've been wasting my time. But just for the sake of argument I'll show you why that's a horrible analogy.

A LAYER means you have real, strong security sitting behind it (like SSH authentication, for example). Stupidity, on the other hand, is when you don't have any real security and you spend your time implementing something that won't work, and/or can be bypassed very easily. Let's review:

1. Portknocking works great and CAN be implemented easily -- even so that it stands up to observational attacks via cryptography.

2. Worst case scenario is that your SSH daemon remains as strong as it is today.

--

Do the right thing and admit you were mistaken on this one. Seriously.



nwrickert

said by Daniel:

The fact that you're comparing portknocking with a line of uni-directional, non-mobile gun turrets (while the enemy has airborne troops) is illustrative of the fact that I've been wasting my time. But just for the sake of argument I'll show you why that's a horrible analogy.
But that's exactly what you are doing. You are aiming your "guns" at direct attacks from the network, when the major risk is from clever use of social engineering techniques.


Daniel

said by nwrickert:

You are aiming your "guns" at direct attacks from the network, when the major risk is from clever use of social engineering techniques.
If we're trying to address the problem of millions of people having access to your SSH daemon, the way to counter that is with a network-based control. And that's what we're discussing here -- the effectiveness of one such control.

To say that we shouldn't be trying to protect ourselves from threat A just because threat B also exists is utterly insane. The bottom line is that this technique significantly lowers overall risk to a company that requires their SSH daemon be available to employees regardless of source network.

If you don't see that by this point then I guess there's little more for me to say.


EGeezer

Based on what I've read here, it appears that portknocking can be a useful part of an SSH implementation. While there were several general non-technical analogies presented, none seemed to address the methods a hacker might use to discover and obtain the port knocking sequence in a public network.

I was hoping to see an answer to the scenario I referenced in my earlier post, but that appears not to be forthcoming. Perhaps there is no practical way.

One question, though - how would one build an IP table for the IP authorization if the clients are road warriors using DHCP? Seems that option would not be useful in that case.
--
03:14:07 UTC Tuesday, Jan. 19, 2038 - a date that will live in infamy...



Daniel

said by EGeezer:

Based on what I've read here, it appears that portknocking can be a useful part of an SSH implementation. While there were several general non-technical analogies presented, none seemed to address the methods a hacker might use to discover and obtain the port knocking sequence in a public network.

I was hoping to see an answer to the scenario I referenced in my earlier post, but that appears not to be forthcoming. Perhaps there is no practical way.

One question, though - how would one build an IP table for the IP authorization if the clients are road warriors using DHCP? Seems that option would not be useful in that case.
Actually it does work for that. That's the whole point of the project -- to have it work for roaming, dynamic-source clients.


EGeezer

Re: IP access rules and DHCP clients

I'm sure I'm missing something - If the road warrior has a dynamically assigned IP, how would I build an access rule based on the client's IP? It could be anything depending on where and when the user connects.


Daniel

That's the point of it: the user sends a cryptographic "knock" to the firewall that only it could have sent, at which point the firewall opens just the SSH port for just that one client (and just for a moment).


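Daniel's description above, written out as an added example (this is not code from the thread or from portknocking.org): the firewall derives the knock it expects from a secret shared with each user, the current 30-second time window and the address the SYNs arrive from, and a completed sequence opens tcp/22 for that one source for ten seconds. Everything concrete here is an assumption for illustration: HMAC-SHA256 as the derivation, a 1000-port knock range, four knocks per sequence, a user named alice, RFC 5737 test addresses, and the iptables rule returned as a string for the caller to run. It also shows why EGeezer's roaming/DHCP question does not arise: the daemon never needs the client's address in advance, it reads it off the knock.

```python
"""Port-knock daemon with a time-derived, per-source knock sequence.

Added example (not code from the thread or from portknocking.org). Each user
shares a secret with the firewall. The knock valid in the current 30-second
window is HMAC-SHA256(secret, window || source_ip) mapped onto four ports in a
closed range, so a sniffer who records a knock cannot replay it later or from
another address. A completed sequence opens tcp/22 for that one source for a
few seconds; the rule string is what an iptables-based daemon would install.
The source address is whatever the SYNs arrive from, so roaming clients need
no preconfigured IP (the client does need to know the address the firewall
sees, e.g. its NAT public address, to derive the same sequence).
"""
import hashlib
import hmac

KNOCK_PORTS = range(10000, 11000)  # closed ports the daemon watches (assumption)
SEQ_LEN = 4                         # knocks per sequence
WINDOW = 30                         # seconds a derived sequence stays valid
OPEN_FOR = 10                       # seconds the tcp/22 rule stays installed


def knock_sequence(secret: bytes, src_ip: str, now: float) -> list:
    """Derive the knock for (user secret, source address, time window).

    Both sides compute this; the client sends SYNs to the ports in order.
    Hashing the window counter makes the sequence change every WINDOW seconds.
    """
    window = int(now // WINDOW)
    digest = hmac.new(secret, f"{window}|{src_ip}".encode(), hashlib.sha256).digest()
    ports = []
    for i in range(SEQ_LEN):
        val = int.from_bytes(digest[2 * i:2 * i + 2], "big")
        ports.append(KNOCK_PORTS.start + val % len(KNOCK_PORTS))
    return ports


class KnockDaemon:
    def __init__(self, secrets: dict):
        self.secrets = secrets  # user -> shared secret (a handful of users; fine to try each)
        self.progress = {}      # src_ip -> {user: index of next expected port}
        self.opened = {}        # src_ip -> (expiry time, user)

    def on_syn(self, src_ip: str, dport: int, now: float):
        """Feed one SYN to a watched port. Returns the rule to install when a
        sequence completes, else None. A wrong port resets that user's progress
        (a sequence straddling a window boundary also restarts)."""
        if dport not in KNOCK_PORTS:
            return None
        state = self.progress.get(src_ip, {})
        new_state = {}
        for user, secret in self.secrets.items():
            seq = knock_sequence(secret, src_ip, now)
            idx = state.get(user, 0)
            if seq[idx] == dport:
                idx += 1
                if idx == SEQ_LEN:
                    self.progress.pop(src_ip, None)
                    return self._open(src_ip, user, now)
                new_state[user] = idx
            elif seq[0] == dport:
                new_state[user] = 1  # mismatch, but it could be a fresh start
        if new_state:
            self.progress[src_ip] = new_state
        else:
            self.progress.pop(src_ip, None)
        return None

    def _open(self, src_ip: str, user: str, now: float) -> str:
        # --syn: only new connections need the hole; an ESTABLISHED,RELATED rule
        # (assumed to sit above this one) keeps the session alive after expiry.
        self.opened[src_ip] = (now + OPEN_FOR, user)
        return f"iptables -I INPUT -s {src_ip} -p tcp --dport 22 --syn -j ACCEPT"

    def expire(self, now: float) -> list:
        """Return sources whose hole has timed out; the caller deletes the rule."""
        gone = [ip for ip, (exp, _) in self.opened.items() if exp <= now]
        for ip in gone:
            del self.opened[ip]
        return gone


if __name__ == "__main__":
    secret = b"alice shared secret (constructed)"
    daemon = KnockDaemon({"alice": secret})
    t0, client, sniffer = 1_699_999_980.0, "203.0.113.7", "198.51.100.9"
    seq = knock_sequence(secret, client, t0)
    for i, port in enumerate(seq):
        rule = daemon.on_syn(client, port, t0 + i)
    print("client knock:", seq, "->", rule)
    # the recorded knock fails from another address and in the next window
    print("sniffer replay:", [daemon.on_syn(sniffer, p, t0 + 5) for p in seq])
    print("late replay:", [daemon.on_syn(client, p, t0 + WINDOW + 1) for p in seq])
    print("expired at t0+13:", daemon.expire(t0 + 13))
```

Binding the window into the derivation is what makes a recorded knock useless thirty seconds later; binding the source address makes it useless from anywhere else even inside the window. The cost is that a client behind NAT must derive the sequence from the address the firewall sees, not from its private one.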



EGeezer

I was trying to figure out Ghost's reply (»Re: Is Portknocking "Real" Security?)

... I was thinking more along the lines of a port being accessible by everyone whenever a single user entered the correct port sequence for access. Obviously I forgot that iptables can allow access to ports on a per-IP-address basis after a port knocking sequence. Hence, my previous questions do not apply. So it's possible to have thousands of users access a service remotely, but no indication to others that a remote service is listening on a certain port.
Based on that, I'm thinking that one would need a fixed client IP address to implement IP based rules. If the client is DHCP assigned, this IP rules layer wouldn't be in the picture. Hope that clarifies my curiosity.


nwrickert

reply to Daniel

Re: Is Portknocking "Real" Security?

said by Daniel:

If we're trying to address the problem of millions of people having access to your SSH daemon, the way to counter that is with a network-based control.
Millions of people do have access to my SSH daemon. So far that hasn't been a problem.


Daniel

said by nwrickert:

Millions of people do have access to my SSH daemon. So far that hasn't been a problem.
Indeed. My mistake.


nwrickert

reply to EGeezer

said by EGeezer:

Based on what I've read here, it appears that portknocking can be a useful part of an SSH implementation.
But why port knocking?

Couldn't you achieve the same thing with a UDP listener that can open the firewall for a particular connection in response to an encrypted and digitally signed UDP packet? It seems to me that this would be more effective and simpler to implement. Moreover, it would work behind a NAT router, where I would only have to forward that one UDP port instead of all of the ports that would be needed for port knocking.


EGeezer

I'm not disputing that there are other ways to provide security. I'm just observing that knocking appears to provide a layer of security that would provide some protection. That's what I got from reading Daniel's article. I still don't see how the hacker in the scenario would proceed.
--
The society which scorns excellence in plumbing as a humble activity and tolerates shoddiness in philosophy because it is an exalted activity will have neither good plumbing nor good philosophy: neither its pipes or its theories will hold water.



Daniel

reply to nwrickert

said by nwrickert:

Moreover, it would work behind a NAT router, where I would only have to forward that one UDP port instead of all of the ports that would be needed for port knocking.
Holy God. You mean you've been arguing all this time against it and you don't even know how it works?

Portknocking only opens ONE (1) port, e.g. 22 for SSH.

»www.portknocking.org/

One source address, one port, for a short amount of time. And what you're talking about is called SPA, and it was mentioned earlier in the thread. I agree that it's an interesting alternative to the portknocking implementation, but ultimately it's pretty much the same.

The firewall is closed, but when the trusted client sends a secret stimulus the firewall opens up JUST FOR THEM -- keeping the rest of the world locked out. This is the same for both portknocking and SPA.

But dude...do you see now?
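nwrickert's alternative (one encrypted and signed UDP packet) and Daniel's summary of what either mechanism does (one source, one port, a short time), as an added example; this is not code from the thread or from any SPA tool. Assumptions: HMAC-SHA256 under a per-user shared secret, a 30-second clock-skew window, a 16-byte nonce, tcp/22 as the only port policy allows, a user named alice, RFC 5737 test addresses, and the rule returned as a string. The payload is authenticated but left in the clear for brevity; fwknop and similar SPA tools encrypt it as well, which is what hides the username and requested port from a sniffer.

```python
"""Single Packet Authorization (SPA): one authenticated UDP datagram opens
tcp/22 for the address it came from.

Added example (not code from the thread or from any SPA tool). The client
sends one datagram to a single UDP port, so a NAT router needs only that port
forwarded. Payload: MAGIC | timestamp | nonce | requested port | username,
authenticated with HMAC-SHA256 under the user's shared secret. The server
checks the tag before anything else (so unauthenticated traffic cannot fill
the replay cache), rejects packets outside a clock-skew window, and rejects
any nonce already accepted within that window. The source address is read
from the datagram, never preconfigured. Authenticated but not encrypted.
"""
import hashlib
import hmac
import os
import struct

MAGIC = b"SPA1"
HDR = struct.Struct("!Q16sHB")  # timestamp, nonce, dport, username length
TAG_LEN = 32                    # HMAC-SHA256
MAX_SKEW = 30                   # seconds of client/server clock drift tolerated
OPEN_FOR = 10                   # seconds the rule stays installed
ALLOWED_PORTS = {22}            # the only service SPA may open (policy assumption)


def build_spa(secret: bytes, user: str, dport: int, now: float, nonce: bytes = b"") -> bytes:
    """Client side. A caller-supplied nonce is allowed only so tests are repeatable."""
    nonce = nonce or os.urandom(16)
    u = user.encode()
    body = MAGIC + HDR.pack(int(now), nonce, dport, len(u)) + u
    return body + hmac.new(secret, body, hashlib.sha256).digest()


class SpaServer:
    def __init__(self, secrets: dict):
        self.secrets = secrets  # user -> shared secret
        self.seen = {}          # nonce -> timestamp, for authenticated packets only
        self.opened = {}        # src_ip -> expiry time

    def handle(self, src_ip: str, packet: bytes, now: float):
        """Returns (rule or None, reason)."""
        if len(packet) < len(MAGIC) + HDR.size + TAG_LEN or not packet.startswith(MAGIC):
            return None, "malformed"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        ts, nonce, dport, ulen = HDR.unpack_from(body, len(MAGIC))
        user_b = body[len(MAGIC) + HDR.size:]
        if len(user_b) != ulen:
            return None, "malformed"
        secret = self.secrets.get(user_b.decode("utf-8", "replace"))
        if secret is None:
            return None, "unknown user"
        # 1. authenticity, constant-time, over every field the decision depends on
        if not hmac.compare_digest(hmac.new(secret, body, hashlib.sha256).digest(), tag):
            return None, "bad tag"
        # 2. freshness: outside the skew window a packet can never become valid again
        if abs(now - ts) > MAX_SKEW:
            return None, "stale"
        # 3. replay: remember nonces only while they could still be accepted
        self.seen = {n: t for n, t in self.seen.items() if t >= now - MAX_SKEW}
        if nonce in self.seen:
            return None, "replay"
        self.seen[nonce] = ts
        if dport not in ALLOWED_PORTS:
            return None, "port not allowed"
        self.opened[src_ip] = now + OPEN_FOR
        return (f"iptables -I INPUT -s {src_ip} -p tcp --dport {dport} --syn -j ACCEPT", "ok")


if __name__ == "__main__":
    secret = b"alice shared secret (constructed)"
    server = SpaServer({"alice": secret})
    t0 = 1_700_000_000.0
    pkt = build_spa(secret, "alice", 22, t0)
    print("first delivery:", server.handle("203.0.113.7", pkt, t0 + 1))
    print("captured and replayed:", server.handle("198.51.100.9", pkt, t0 + 2))
    print("replayed two minutes later:", server.handle("198.51.100.9", pkt, t0 + 120))
```

The order of checks matters: the tag is verified before the nonce is recorded, so unauthenticated packets cannot grow the replay cache, and the cache is pruned to the skew window, so it stays bounded without losing protection (a packet older than the window is rejected as stale regardless).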


nwrickert

said by Daniel:

Holy God. You mean you've been arguing all this time against it and you don't even know how it works?

Portknocking only opens ONE (1) port, e.g. 22 for SSH.
If you could avoid these unwarranted insults, perhaps intelligent discussion might break out.


Daniel

Fair enough, my bad. I got a bit rowdy.

So, yeah...it's just one port, man. Does this change anything for you?


© 1999-2012 dslreports.com.