Results 1 to 5 of 5

Thread: New idea - Port Knocking

  1. #1
    HEXUS webmaster Steve's Avatar
    Join Date
    Nov 2003
    Posts
    14,283
    Thanks
    293
    Thanked
    841 times in 476 posts

    Lightbulb New idea - Port Knocking

    Over at /. I found this:

    http://slashdot.org/articles/04/02/0...id=126&tid=172

    Some of the slashdotters haven't quite grasped the concept of it being the first defence rather than the only defence, but I like the idea.

    I intend to read the article and try it out this weekend.
    PHP Code:
    $s = new signature();
    $s->sarcasm()->intellect()->font('Courier New')->display(); 

  2. #2
    Goat Boy
    Join Date
    Jul 2003
    Location
    Alexandra Park, London
    Posts
    2,428
    Thanks
    0
    Thanked
    0 times in 0 posts
    Yeah I liked this. Some of the /. arguments were really poor though. It's simply another level on top of whatever security you currently have, and I dont see anything wrong with that...
    "All our beliefs are being challenged now, and rightfully so, they're stupid." - Bill Hicks

  3. #3
    Ex-MSFT Paul Adams's Avatar
    Join Date
    Jul 2003
    Location
    %systemroot%
    Posts
    1,926
    Thanks
    29
    Thanked
    77 times in 59 posts
    • Paul Adams's system
      • Motherboard:
      • Asus Maximus VIII
      • CPU:
      • Intel Core i7-6700K
      • Memory:
      • 16GB
      • Storage:
      • 2x250GB SSD / 500GB SSD / 2TB HDD
      • Graphics card(s):
      • nVidia GeForce GTX1080
      • Operating System:
      • Windows 10 x64 Pro
      • Monitor(s):
      • Philips 40" 4K
      • Internet:
      • 500Mbps fiber
    Interesting, but it kind of falls into a middle ground between "good" and "very good" security IMO.

    The issue with the packets arriving out of sequence I think would not be fixed with TCP sequencing as the first packet would be a straightforward SYN, so there is no sequence established at that point, plus it would be silly to build a system using a 2-way protocol and deliberately break the protocol standards by not issuing (or expecting) a response.
    Packets would have to be UDP methinks.

    I say it falls into the middle ground security-wise, as anyone who is serious about security to that kind of degree would use token or biometric authentication if they really needed roaming users, or for SSH they could use PKI and rely on the user having a certificate which the admins issued, requiring a passphrase to authenticate.

    Ultimately the "password" sequence would have to be coded into an application or client somewhere, and be static, thus it could be picked up by a trojan.
    The alternative is to use a rolling sequence but then you'd have to have the users authenticating somehow to be able to get the authentication data... back to square 1.


    The bit which did sound interesting, though, was the potential for different "knock" sequences to temporarily map a public port to an internal service for that source IP alone - that would be a very neat way of being able to dynamically NAT a whole bunch of machines on a LAN to the outside world, for virtually any service you wanted.
    Though in reality this could be achieved by a single encoded packet one a user has authenticated to the firewall, rather than sending UDP packets to a sequence of ports.

    Nice concept, and an interesting thread, thanks
    ~ I have CDO. It's like OCD except the letters are in alphabetical order, as they should be. ~
    PC: Win10 x64 | Asus Maximus VIII | Core i7-6700K | 16GB DDR3 | 2x250GB SSD | 500GB SSD | 2TB SATA-300 | GeForce GTX1080
    Camera: Canon 60D | Sigma 10-20/4.0-5.6 | Canon 100/2.8 | Tamron 18-270/3.5-6.3

  4. #4
    Gordy Gordy's Avatar
    Join Date
    Jul 2003
    Location
    Bristol
    Posts
    3,805
    Thanks
    63
    Thanked
    72 times in 50 posts
    I saw this and thought it was quite a clever idea , I dont know how practical it would be but Im sure some boffin can find a way

  5. #5
    Administrator Moby-Dick's Avatar
    Join Date
    Jul 2003
    Location
    There's no place like ::1 (IPv6 version)
    Posts
    10,665
    Thanks
    53
    Thanked
    384 times in 313 posts
    in an ideal ( but evil) world , we'd use secureID one only passwords for everything , though could this proove a reasonable cost effective alternative ?
    my Virtualisation Blog http://jfvi.co.uk Virtualisation Podcast http://vsoup.net

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. ADSL Modem Router 4 port with wireless access point
    By jcoquillon in forum Retail Therapy and Bargains
    Replies: 21
    Last Post: 15-05-2004, 11:45 PM
  2. VNC - Good idea or bad idea?
    By joshwa in forum Networking and Broadband
    Replies: 11
    Last Post: 10-09-2003, 07:40 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •