Re: [SLUG] Doorman - opening firewall ports

From: Ian C. Blenke (icblenke@nks.net)
Date: Fri Dec 30 2005 - 18:07:38 EST


Ken Elliott wrote:

>Anyone used Doorman?
>
>http://doorman.sourceforge.net/
>
>The basic idea is called "Port Knocking". The firewall has all ports
>closed, but keeps an eye on what packets hit what ports. On my remote
>laptop, I hit certain ports, in a pre-arranged sequence. The firewall sees
>this and opens a port for inbound traffic from my IP address. When I drop
>the connection, the port is closed.
>
>More on the subject: http://www.portknocking.org/view/about
>
>I'm in the process of trying to build a very robust VPN, and this will allow
>me to keep the ports closed.
>
>
Security by obscurity potentially mixed with a little cryptography. If
you use an algorithm that somehow prevents replay attacks, then you do
have some level of security on top of what you already had.

The problem is that any listening port is also a potential buffer
overflow just waiting to happen. Some daemons, like openssh, have
privilege separation and a number of other prevention mechanisms to
avoid the potential for a buffer overflow attack during the
authentication handshake.

If you add an extra layer in front of that that prevents someone from
accessing your listening port until they have "port knocked" correctly,
you can prevent quite a bit of the casual port probing community.

If your port knocking protocol permits replay attacks, then you really
haven't kept out the most interested folks.

Do I use it? Not yet. But I also don't chain my computers at home inside
of secured TEMPEST-safe Faraday cages either.

It's all about layers of security and keeping honest people honest.
There is no such thing as perfect security.

 - Ian C. Blenke <ian@blenke.com> http://ian.blenke.com/
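As an added example (not Doorman's code and not from either poster), here is a Python sketch of the replay-resistant knock protocol the reply asks for: each sequence is derived from an HMAC over a shared secret, the client's source IP and a counter that must strictly increase, so a sequence captured on the wire is rejected when replayed. The names `knock_sequence` and `KnockDaemon`, the four-port sequence and the five-counter acceptance window are assumptions of this example; it also assumes the daemon sees the client's real source address (behind NAT it would bind to the NAT address).

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Set

# Constructed parameters for this example; Doorman's real format differs.
KNOCK_PORTS = 4                  # ports per knock sequence
PORT_LOW, PORT_HIGH = 1024, 65535


def knock_sequence(secret: bytes, client_ip: str, counter: int) -> List[int]:
    """Derive the knock ports from HMAC-SHA256(secret, client_ip || counter).

    Binding the counter into the MAC is what defeats replay: the same secret
    and IP yield a different port sequence for every counter value.
    """
    msg = client_ip.encode() + struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    span = PORT_HIGH - PORT_LOW + 1
    # Take 16 bits of the digest per port and map them into the port range.
    return [PORT_LOW + int.from_bytes(digest[2 * i:2 * i + 2], "big") % span
            for i in range(KNOCK_PORTS)]


class KnockDaemon:
    """Server side: accept a knock only if it is valid AND newer than the last one."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.window = window                  # counters ahead of the last one we accept
        self.last_counter: Dict[str, int] = {}  # client_ip -> highest counter accepted
        self.opened: Set[str] = set()         # client IPs currently allowed through

    def observe(self, client_ip: str, ports: List[int]) -> bool:
        """Return True (and open the port for client_ip) for a fresh, valid knock."""
        if len(ports) != KNOCK_PORTS or not all(0 <= p <= 65535 for p in ports):
            return False
        fmt = f">{KNOCK_PORTS}H"
        seen = struct.pack(fmt, *ports)
        start = self.last_counter.get(client_ip, -1) + 1
        for counter in range(start, start + self.window):
            expected = struct.pack(fmt, *knock_sequence(self.secret, client_ip, counter))
            if hmac.compare_digest(expected, seen):
                # Advance the counter so this exact sequence can never be reused.
                self.last_counter[client_ip] = counter
                self.opened.add(client_ip)
                return True
        return False   # wrong secret, wrong IP, stale counter, or a replay
```

A knock recorded from one client is useless from another address because the IP is part of the MAC input, and re-sending the same sequence from the original client fails because its counter is already consumed.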
