Presentation is loading. Please wait.

Presentation is loading. Please wait.

Authors Universitatea Politehnica București Facultatea de Automatică și Calculatoare Catedra de Calculatoare Extension of a port knocking client- server.

Published byNeal Palmer Modified over 8 years ago

Similar presentations

Presentation on theme: "Authors Universitatea Politehnica București Facultatea de Automatică și Calculatoare Catedra de Calculatoare Extension of a port knocking client- server."— Presentation transcript:

1 Authors Universitatea Politehnica București Facultatea de Automatică și Calculatoare Catedra de Calculatoare Extension of a port knocking client- server architecture with NTP synchronization Traian Popeea, Vladimir Olteanu Laura Gheorghe, R ă zvan Rughiniș { traian.popeea,vladimir.olteanu}@cti.pub.ro {laura.gheorghe,razvan.rughinis}@cs.pub.ro

2 Outline Introduction Key words Objectives Architecture Technologies Solution Testing Problems Encountered Conclusions Questions 14.06.2016RoEduNet Conference 20112

3 Introduction Port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. It has many disadvantages, as the server is left defenseless if the knock sequence is determined by the attacker 14.06.2016RoEduNet Conference 20113

4 Key words Networking Security Port-knocking One-way functions NTP Client-server architecture 14.06.2016RoEduNet Conference 20114

5 Objectives Implement a software application that will meet the following requirements: – Will provide dynamic knock sequences. – Will synchronize server and clients through NTP. – Will generate strong knock sequences through the use of one-way functions. – Will provide different knock sequences for different ports to be opened. 14.06.2016RoEduNet Conference 20115

6 Architecture 14.06.2016RoEduNet Conference 20116

7 Technologies C OpenSSL NTP 14.06.2016RoEduNet Conference 20117

8 Solutions Using an external NTP client (available on every *nix system) for time synchronization at the initialization of the server and clients A pre-shared initial key generated through the OpenSSL library using user-generated entropy A hash function based on PSK, time, source IP address, destination port A sequence of ports determined based on the hash function (splitting the 512-bit hash in 16-bit numbers representing ports) 14.06.2016RoEduNet Conference 20118

9 Testing Generating 1 million keys 14.06.2016RoEduNet Conference 20119 Function512 bits2048 bits md51.163s3.744s sha2563.765s13.197s sha5122.759s8.823s

10 Problems Encountered Public NTP servers are DoS-proof not allowing repeated requests at small time intervals => one initial synchronization followed by system clock queries The sharing of the PSK must be made out-of- program Determining the knock sequence lifespan Clients behind NAT do not have access (source address) 14.06.2016RoEduNet Conference 201110

11 Conclusions Another layer of security is added with the help of synchronization and cryptography. The number of attacks that can be performed is reduced. Using hash functions does not imply a significant latency. 14.06.2016RoEduNet Conference 201111

12 References M. Krzywinski, “Port Knocking: Network Authentication Across Closed Ports”. SysAdmin 2003. Magazine 12: pp 12-17 S. Krivis, “Port Knocking: Helpful or Harmful? – An Exploration of Modern Network Threats”, GIAC Security Essentials Certification, 2004, unpublished M. Doyle, “Implementing a Port Knocking System In C”, An Honors Thesis submitted in partial fulfillment of the requirements for Honors Studies in Physics, J. William Fulbright College of Arts and Sciences, The University of Arkansas, 2004 14.06.2016RoEduNet Conference 201112

13 Thank you! Questions? 14.06.2016RoEduNet Conference 201113

Download ppt "Authors Universitatea Politehnica București Facultatea de Automatică și Calculatoare Catedra de Calculatoare Extension of a port knocking client- server."

Similar presentations

Caltech Proprietary Videoconferencing Security in VRVS 3.0 and Future Videoconferencing Security in VRVS 3.0 and Future Kun Wei California Institute of.

Caltech Proprietary Videoconferencing Security in VRVS 3.0 and Future Videoconferencing Security in VRVS 3.0 and Future Kun Wei California Institute of.
Instant Messenger Security with a focus on implementing security policies in corporate IM services Kaushal S Chandrashekar CS 691 Dr. Edward Chow UCCS.

Instant Messenger Security with a focus on implementing security policies in corporate IM services Kaushal S Chandrashekar CS 691 Dr. Edward Chow UCCS.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Kerberos Assisted Authentication in Mobile Ad-hoc Networks Authors: Asad Amir Pirzada and Chris McDonald Sources: Proceedings of the 27th Australasian.

Kerberos Assisted Authentication in Mobile Ad-hoc Networks Authors: Asad Amir Pirzada and Chris McDonald Sources: Proceedings of the 27th Australasian.
VOYAGER: Yet Another Secure Web Browser to Demonstrate Secure Socket Layer Working and Implementation By : Shrinivas G. Deshpande Advisor: Dr. Chung E.

VOYAGER: Yet Another Secure Web Browser to Demonstrate Secure Socket Layer Working and Implementation By : Shrinivas G. Deshpande Advisor: Dr. Chung E.
PEER-TO-PEER Is a type of network in which each workstation has equivalent capabilities and responsibilities. This differs from client/server architectures,

PEER-TO-PEER Is a type of network in which each workstation has equivalent capabilities and responsibilities. This differs from client/server architectures,
NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT 09.11.2005.

NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT
Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Page # Advanced Telecommunications/Information Distribution Research Program (ATIRP) Authentication Scheme for Distributed, Ubiquitous, Real-Time Protocols.

Page # Advanced Telecommunications/Information Distribution Research Program (ATIRP) Authentication Scheme for Distributed, Ubiquitous, Real-Time Protocols.
1 © NOKIA Presentation_Name.PPT / DD-MM-YYYY / Initials Company Confidential The Internet offers no inherent security services to its users; the data transmitted.

1 © NOKIA Presentation_Name.PPT / DD-MM-YYYY / Initials Company Confidential The Internet offers no inherent security services to its users; the data transmitted.
A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.
802.1x EAP Authentication Protocols

802.1x EAP Authentication Protocols
SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.

SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
APPLAUS: A Privacy-Preserving Location Proof Updating System for Location-based Services Zhichao Zhu and Guohong Cao Department of Computer Science and.

APPLAUS: A Privacy-Preserving Location Proof Updating System for Location-based Services Zhichao Zhu and Guohong Cao Department of Computer Science and.
Transport Layer Flow. Socket Connections UDP Segment Structure.

Transport Layer Flow. Socket Connections UDP Segment Structure.
Firewalls Presented By Hareesh Pattipati. Outline Introduction Firewall Environments Type of Firewalls Future of Firewalls Conclusion.

Firewalls Presented By Hareesh Pattipati. Outline Introduction Firewall Environments Type of Firewalls Future of Firewalls Conclusion.
Www.BeyondSecurity.comwww.SecurITeam.com Beyond Security Ltd. Port Knocking Beyond Security Noam Rathaus CTO Sunday, July 11, 2004 Presentation on.

Beyond Security Ltd. Port Knocking Beyond Security Noam Rathaus CTO Sunday, July 11, 2004 Presentation on.
Internet/Intranet firewall security – policy, architecture and transaction services Written by Ray Hunt This presentation will Examines Policies that influence.

Internet/Intranet firewall security – policy, architecture and transaction services Written by Ray Hunt This presentation will Examines Policies that influence.
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.

Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.

Similar presentations

Ads by Google