Re: [SLUG] Re: Doorman - opening firewall ports

From: Ken Elliott (kelliott4@tampabay.rr.com)
Date: Sat Jan 07 2006 - 12:58:06 EST


>> if you go to hamachi.cc they have a great zeroconf vpn system...

Yes, but it was down the other day. If their server is down, you cannot
connect to your host. Otherwise, it is great.

I'm also looking at OpenVPN, and was thinking of combining port knocking
for the somewhat better security vs. leaving ports open. I know it is
subject to a replay attack, but that just gets them past the first
fence. Besides, it's just a way to get to a box on my DMZ.

Ken Elliott

.......................

On Mon, 2006-01-02 at 20:44 -0500, Robert Snyder wrote:
> Sick Twist wrote:
>
> >> From: Levi Bard <taktaktaktaktaktaktaktaktaktak@gmail.com>
> >> Reply-To: slug@nks.net
> >> To: slug@nks.net
> >> Subject: [SLUG] Re: Doorman - opening firewall ports
> >> Date: Mon, 2 Jan 2006 09:09:57 -0600
> >>
> >> I'm basically against portknocking as a security layer. It's the kind
> >> of security-by-obscurity thing that will give people a false sense of
> >> safety while it in fact does little or nothing at all. The only port
> >> knocking implementations I've seen that attempt to block replay
> >> attacks use one-time pads for the port sequences, but if you're going
> >> to use one-time pads, you may as well use them for authentication and
> >> cut out the middleman. One of my previous employers ran a one-time pad
> >> authenticator on a high port - until you authenticated with that
> >> service, everything was closed to you. Once you authenticated, your
> >> allowed set of ports was opened to the IP from which you
> >> authenticated, as long as you kept the auth connection open and
> >> active. Less convoluted than port knocking, and at least as secure.
> >>
> >> > If your port knocking protocol permits replay attacks, then you really
> >> > haven't kept out the most interested folks.
> >>
> >> Or *any* of the folks who would have been able to realistically
> >> compromise the system.
> >
> >
> > If your previous employer ran an authenticator on a high port,
> > doesn't that mean that the port was open for the world to see? If so,
> > that open port would indicate that there was in fact a host at the
> > given IP address.
> >
> > If I understand port knocking correctly, the neat thing about it is
> > that the server is completely invisible (no open ports at all) unless
> > the correct "knock" is sent. It's a neat idea and one that I wasn't
> > familiar with until it came up on this list. I agree that other
> > safeguards should certainly be in place, but doorman seems like it
> > would be quite useful.
> >
> > -Jonathon
> >
> >
>
> Now there is a solution that I rather like if you are just looking to
> connect to a machine safely for xyz service.
>
> If you go to hamachi.cc they have a great zeroconf VPN system that
> gives you a virtual IP in a range of IPs that has been reserved by IANA but
> never used (5.x.x.x). It traverses firewalls and NAT routers but cannot
> traverse a proxy if you are behind one. What is great about this
> is it uses standard IPsec security, so you get AES 256-bit encryption.
> It is also easy to use and it works on Linux and Windows; the Linux version
> now has a GTK GUI for it (GUI found in forums for download).
>
>
> The great thing is only the machines that you put in your password-protected
> virtual network have access, so you really don't have to worry about
> leaving ports open.

-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.
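The replay weakness Levi and Ken discuss, and the one-time-sequence fix, as an added Python sketch that is not from this thread or from doorman: a fixed-sequence knock daemon accepts a replayed capture, while one that derives each sequence from HMAC(secret, counter) and burns used counters rejects it. The secret, addresses and port numbers are constructed, and both servers are in-memory simulations rather than packet listeners.

```python
import hmac
import hashlib

SECRET = b"constructed-shared-secret"  # constructed sample key, not a real one


class StaticKnockServer:
    """Naive knocking with one fixed sequence: a captured knock replays."""
    def __init__(self, sequence):
        self.sequence, self.progress = list(sequence), {}  # progress per source

    def knock(self, src_ip, port):
        idx = self.progress.get(src_ip, 0)
        idx = idx + 1 if port == self.sequence[idx] else int(port == self.sequence[0])
        self.progress[src_ip] = idx % len(self.sequence)
        return idx == len(self.sequence)  # True opens the door


class OneTimeKnockServer:
    """Sequence derived from HMAC(secret, counter). Each counter is accepted
    once and every lower counter is burned, so a replayed capture fails."""
    def __init__(self, secret, seq_len=4, window=5):
        self.secret, self.seq_len, self.window = secret, seq_len, window
        self.counter, self.recent = 0, {}  # lowest live counter; last ports per source

    @staticmethod
    def sequence_for(secret, counter, seq_len=4):
        # Client and server derive the same high ports from secret and counter.
        digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        return [10000 + int.from_bytes(digest[2 * i:2 * i + 2], "big") % 55536
                for i in range(seq_len)]

    def knock(self, src_ip, port):
        buf = self.recent.setdefault(src_ip, [])
        buf.append(port)
        for c in range(self.counter, self.counter + self.window):
            if buf[-self.seq_len:] == self.sequence_for(self.secret, c, self.seq_len):
                self.counter = c + 1  # burn c and everything before it
                buf.clear()
                return True
        return False


def demo():
    static, otp = StaticKnockServer([7000, 8000, 9000]), OneTimeKnockServer(SECRET)
    seq = OneTimeKnockServer.sequence_for(SECRET, 0)
    run = lambda srv, ip, ports: [srv.knock(ip, p) for p in ports][-1]
    return (run(static, "203.0.113.5", [7000, 8000, 9000]),
            run(static, "198.51.100.9", [7000, 8000, 9000]),  # replay accepted
            run(otp, "203.0.113.5", seq),
            run(otp, "198.51.100.9", seq))  # same capture replayed: rejected
```

The counter window lets a client whose knock was lost skip ahead, but a knock with a counter beyond the window is rejected until the server catches up.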



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 16:11:05 EDT