RE: [SLUG] Re: Doorman - opening firewall ports

From: Sick Twist (thesicktwist@hotmail.com)
Date: Mon Jan 02 2006 - 19:44:56 EST


>From: Levi Bard <taktaktaktaktaktaktaktaktaktak@gmail.com>
>Reply-To: slug@nks.net
>To: slug@nks.net
>Subject: [SLUG] Re: Doorman - opening firewall ports
>Date: Mon, 2 Jan 2006 09:09:57 -0600
>
>I'm basically against portknocking as a security layer. It's the kind
>of security-by-obscurity thing that will give people a false sense of
>safety while it in fact does little or nothing at all. The only port
>knocking implementations I've seen that attempt to block replay
>attacks use onetime pads for the port sequences, but if you're going
>to use onetime pads, you may as well use them for authentication and
>cut out the middleman. One of my previous employers ran a onetime pad
>authenticator on a high port - until you authenticated with that
>service, everything was closed to you. Once you authenticated, your
>allowed set of ports was opened to the IP from which you
>authenticated, as long as you kept the auth connection open and
>active. Less convoluted than port knocking, and at least as secure.
>
> > If your port knocking protocol permits replay attacks, then you really
> > haven't kept out the most interested folks.
>
>Or *any* of the folks who would have been able to realistically
>compromise the system.

If your previous employer ran an authenticator on a high port, doesn't
that mean that the port was open for the world to see? If so, that open port
would indicate that there was in fact a host at the given IP address.

If I understand port knocking correctly, the neat thing about it is that the
server is completely invisible (no open ports at all) unless the correct
"knock" is sent. It's a neat idea and one that I wasn't familiar with until
it came up on this list. I agree that other safeguards should certainly be
in place, but doorman seems like it would be quite useful.

-Jonathon
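The replay point raised in the quoted reply, worked through as an added example (not code from the list, and not how Doorman itself works): a static knock sequence is accepted every time it is seen, while a one-time sequence derived from a shared secret is burned after its first use. The HMAC-SHA256 derivation, the port range and the acceptance window are assumptions of this example.

```python
import hashlib
import hmac

# Constructed parameters: four knocks per sequence, drawn from a high port range.
KNOCK_LEN = 4
PORT_RANGE = (10000, 60000)


def derive_sequence(secret: bytes, index: int, length: int = KNOCK_LEN) -> list:
    """Derive the index-th one-time knock sequence from a shared secret.

    Client and server compute the same sequence, so no list of
    sequences has to be distributed; only the counter advances.
    """
    lo, hi = PORT_RANGE
    ports = []
    for i in range(length):
        digest = hmac.new(secret, f"{index}:{i}".encode(), hashlib.sha256).digest()
        ports.append(lo + int.from_bytes(digest[:4], "big") % (hi - lo))
    return ports


def _encode(seq: list) -> bytes:
    # Fixed-width encoding so compare_digest sees equal-length inputs.
    return ",".join(f"{p:05d}" for p in seq).encode()


class StaticKnockVerifier:
    """The weak design: one fixed sequence, so a captured knock replays forever."""

    def __init__(self, sequence: list):
        self.sequence = sequence

    def check(self, src_ip: str, knock: list) -> bool:
        return hmac.compare_digest(_encode(self.sequence), _encode(knock))


class OneTimeKnockVerifier:
    """Replay-resistant design: each derived sequence is valid exactly once."""

    def __init__(self, secret: bytes, window: int = 8):
        self.secret = secret
        self.window = window        # tolerate a client that skipped a few sequences
        self.next_index = 0         # everything below this index is burned
        self.opened = set()         # source IPs that have authenticated

    def check(self, src_ip: str, knock: list) -> bool:
        for idx in range(self.next_index, self.next_index + self.window):
            if hmac.compare_digest(_encode(derive_sequence(self.secret, idx)), _encode(knock)):
                self.next_index = idx + 1   # burn this sequence and any it skipped
                self.opened.add(src_ip)
                return True
        return False                        # unknown, replayed or already-burned knock
```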

-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 15:58:37 EDT