RE: [SLUG] Doorman - opening firewall ports

From: Ken Elliott (kelliott4@tampabay.rr.com)
Date: Fri Dec 30 2005 - 19:17:00 EST


>> The problem is that any listening port is also a potential buffer
>> overflow just waiting to happen.

Not a problem. The home machine is sitting idle. As it is, I have no
access. My application is to provide remote access that I currently do not
have, to a different PC (not the firewall).

>> If you add an extra layer in front of that that prevents someone from
>> accessing your listening port until they have "port knocked" correctly, you
>> can prevent quite a bit of the casual port probing community.

Hmmm.... Brain cells not connecting with this. Could be the Merlot....

>> Do I use it? Not yet. But I also don't chain my computers at home inside
>> of secured tempest safe faraday cages either.

I lost the key to my faraday cage, thus unable to report the uptime of the
HP-UX box contained within.
 
Thanks for your comments and insight. It would appear that I need to study
this a bit more.

Ken Elliott

=====================
-----Original Message-----
From: slug@nks.net [mailto:slug@nks.net] On Behalf Of Ian C. Blenke
Sent: Friday, December 30, 2005 6:08 PM
To: slug@nks.net
Subject: Re: [SLUG] Doorman - opening firewall ports

Ken Elliott wrote:

>Anyone used Doorman?
>
>http://doorman.sourceforge.net/
>
>The basic idea is called "Port Knocking". The firewall has all ports
>closed, but keeps an eye on what packets hit what ports. On my remote
>laptop, I hit certain ports, in a pre-arranged sequence. The firewall
>sees this and opens a port for inbound traffic from my IP address.
>When I drop the connection, the port is closed.
>
>More on the subject: http://www.portknocking.org/view/about
>
>I'm in the process of trying to build a very robust VPN, and this will
>allow me to keep the ports closed.
>
>
Security by obscurity potentially mixed with a little cryptography. If you
use an algorithm that somehow prevents replay attacks, then you do have some
level of security on top of what you already had.

The problem is that any listening port is also a potential buffer overflow
just waiting to happen. Some daemons, like openssh, have privilege
separation and a number of other prevention mechanisms to avoid the
potential for a buffer overflow attack during the authentication handshake.

If you add an extra layer in front of that that prevents someone from
accessing your listening port until they have "port knocked" correctly, you
can prevent quite a bit of the casual port probing community.

If your port knocking protocol permits replay attacks, then you really
haven't kept out the most interested folks.

Do I use it? Not yet. But I also don't chain my computers at home inside of
secured tempest safe faraday cages either.

It's all about layers of security and keeping honest people honest.
There is no such thing as perfect security.

 - Ian C. Blenke <ian@blenke.com> http://ian.blenke.com/
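To make the replay point concrete, here is an added example (not Doorman's code and not from either poster): a toy knock verifier fed the (source IP, destination port) events a firewall would see. The static-sequence variant is what Ken describes and opens the port for any host that repeats the observed knocks; the second variant derives each sequence from an HMAC over a counter, so a sequence that was already used no longer matches. The secret, addresses and port numbers are constructed placeholders.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed example: two toy knock daemons fed (src_ip, dst_port) events.
SECRET = b"example-shared-secret"   # placeholder; deploy with a random key
STATIC_SEQUENCE = (7000, 8000, 9000)  # constructed fixed knock sequence

def knock_sequence(secret, counter, n=3):
    """Derive n knock ports in 1024-65535 from HMAC-SHA256(secret, counter)."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return tuple(1024 + int.from_bytes(mac[2 * i:2 * i + 2], "big") % 64512
                 for i in range(n))

class StaticKnocker:
    """Fixed sequence as in the thread: anyone who saw it can repeat it."""
    def __init__(self, sequence):
        self.sequence = sequence
        self.progress = defaultdict(int)   # per-source position in the sequence
        self.opened = set()                # sources the port is open for
    def expected(self):
        return self.sequence
    def on_success(self):
        pass
    def packet(self, src_ip, dst_port):
        seq = self.expected()
        if dst_port == seq[self.progress[src_ip]]:
            self.progress[src_ip] += 1
            if self.progress[src_ip] == len(seq):
                self.progress[src_ip] = 0
                self.opened.add(src_ip)
                self.on_success()
        else:
            self.progress[src_ip] = 0      # wrong port: start over

class CounterKnocker(StaticKnocker):
    """One-time sequence bound to a counter; a used sequence stops matching."""
    def __init__(self, secret):
        super().__init__(None)
        self.secret, self.counter = secret, 1
    def expected(self):
        return knock_sequence(self.secret, self.counter)
    def on_success(self):
        self.counter += 1                  # next valid sequence is different

def replay_check(daemon, client_ip, second_ip):
    """Send the same observed sequence from two hosts; return who got opened."""
    seq = daemon.expected()                # the sequence as seen on the wire
    for ip in (client_ip, second_ip):
        for port in seq:
            daemon.packet(ip, port)
    return frozenset(daemon.opened)
```

With the static daemon both hosts end up in the opened set; with the counter-bound daemon only the first does, which is the property Ian is asking the knocking protocol to have.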

-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages posted
are those of the author and do not necessarily reflect the official policy
or position of NKS or any of its employees.




This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:30:46 EDT