Blessed are the Geeks, for they shall internet the earth

Port Knocking
Joseph Ritchey

Back in the '20s there were speakeasies set up all over the US. People would go there to drink and dance, but mostly drink (due to Prohibition). Lots of these clubs would have a large, burly-looking guy guarding the door. To get into the speakeasy you had to know the password or a secret knock (like: knock, ..., knock, knock, ..., knock kind of thing). If you got the secret knock wrong, the large guy at the door would bounce your head off a brick wall, hence the term bouncer. Well, this is a lot like port knocking, except the club full of loud music, hot women and bathtub gin is your server, the large guy at the door is your firewall, and the knock is a series of packets.

Essentially, port knocking is where information arrives as connection attempts on closed ports; the sequence of the attempts acts as the encoding and triggers an event on the receiving end. Example: your firewall has a closed port (let's say 3389, RDP for those of you that don't have port tables memorized). But when you send the proper series of packets (the secret knock), the firewall knows to open port 3389 to you and then allows you to communicate with your server. So a typical port scan from the Internet would reveal nothing about your system. By the way, the packets from your secret knock are dropped like every other packet to these closed ports. An attacker would have to know the proper sequence to gain access to your. Plus, the protected service on your server does not have to be modified.

Keep in mind Newton's Third Law of security: for every security system/protocol there is an equal yet opposite hack. The downside: your secret knock can be picked up by a monkey-in-the-middle attack. Security by obscurity alone is bad. Bad net admin. Obscurity alone just means you're not the low-hanging fruit, and it can make you even more interesting to an attacker. Also, there is overhead because you will need a program on your client to perform the knocks. Your client will have to be able to secure your secret knock. You can and should use port knocking in conjunction with encryption. Remember that any system that manipulates firewall rules automatically needs to be implemented very carefully. Every program has bugs, except maybe calculator. I don't think I've seen any hacks or overflows for calc lately.
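The firewall-side check described above, sketched as an added example that is not from the original article or from any particular port-knocking tool. The knock sequence (7000, 8000, 9000), the 10-second window, the event tuple format and the reset-on-wrong-port policy are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

KNOCK_SEQUENCE = (7000, 8000, 9000)   # constructed example sequence (assumption)
WINDOW_SECONDS = 10.0                 # whole knock must finish in this window (assumption)
PROTECTED_PORT = 3389                 # the closed port the article uses as its example

@dataclass
class KnockTracker:
    sequence: tuple = KNOCK_SEQUENCE
    window: float = WINDOW_SECONDS
    progress: dict = field(default_factory=dict)  # src -> (next index, time of first knock)

    def observe(self, ts, src, dport):
        """Feed one dropped-packet event; return True when src completes the knock."""
        idx, started = self.progress.get(src, (0, ts))
        if idx and ts - started > self.window:
            idx, started = 0, ts              # too slow: forget partial progress
        if dport == self.sequence[idx]:
            if idx == 0:
                started = ts                  # first knock starts the clock
            idx += 1
        elif dport == self.sequence[0]:
            idx, started = 1, ts              # wrong step, but it begins a new knock
        else:
            idx = 0                           # any other closed port resets this source
        if idx == len(self.sequence):
            self.progress.pop(src, None)
            return True
        if idx:
            self.progress[src] = (idx, started)
        else:
            self.progress.pop(src, None)
        return False

def allowed_sources(events, tracker=None):
    """Return the sources that earned a rule for PROTECTED_PORT, in order."""
    tracker = tracker or KnockTracker()
    return [src for ts, src, dport in events if tracker.observe(ts, src, dport)]

# Constructed events: (timestamp, source address, destination port of a dropped packet).
SAMPLE_EVENTS = [
    (0.0, "198.51.100.7", 7000), (0.5, "198.51.100.7", 8000), (1.0, "198.51.100.7", 9000),
    (2.0, "203.0.113.9", 7000), (2.1, "203.0.113.9", 7001), (2.2, "203.0.113.9", 8000),
    (3.0, "192.0.2.44", 7000), (4.0, "192.0.2.44", 8000), (20.0, "192.0.2.44", 9000),
]

if __name__ == "__main__":
    print(allowed_sources(SAMPLE_EVENTS))
```

Only the first source in the sample completes the knock; the second hits a stray port mid-sequence and the third takes too long. Nothing in this check ties the sequence to a particular client or moment, so any source sending the same ports is accepted, which is why the knock needs to be combined with encryption as noted above.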


For more on Knocking check out:
http://www.portknocking.org/

http://www.linuxjournal.com/article/6811

Visit Joe's blog at www.JosephRitchey.com


 

            
All rights reserved  TheNetworkAdministrator.com

Disclaimer: The opinions shared on TheNetworkAdministrator.com are contributed by its readers and do not necessarily express the opinion of the creators of this publication.