Presentation is loading. Please wait.

Presentation is loading. Please wait.

Www.BeyondSecurity.comwww.SecurITeam.com Beyond Security Ltd. Port Knocking Beyond Security Noam Rathaus CTO Sunday, July 11, 2004 Presentation on.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Www.BeyondSecurity.comwww.SecurITeam.com Beyond Security Ltd. Port Knocking Beyond Security Noam Rathaus CTO Sunday, July 11, 2004 Presentation on."— Presentation transcript:

1 www.BeyondSecurity.comwww.SecurITeam.com Beyond Security Ltd. Port Knocking Beyond Security Noam Rathaus CTO Sunday, July 11, 2004 Presentation on

2 www.BeyondSecurity.comwww.SecurITeam.com Beyond Security Ltd. Port Knocking Paradigm A perfectly secure system does not permit any external connections to it Such a computer, though protected, is impractical: A perfectly secure system does not permit any external connections to it Such a computer, though protected, is impractical: Nobody can connect, regardless of their trust level Nobody can connect, regardless of their trust level This essentially describes a computer that is not networked This essentially describes a computer that is not networked These systems are not a lot of fun... These systems are not a lot of fun...

3 www.BeyondSecurity.comwww.SecurITeam.com Beyond Security Ltd. Port Knocking Extension to Paradigm Trusted user sees “a live host” Trusted user sees “a live host” Permits connections from user to server Permits connections from user to server Untrusted user sees “a dead host” Untrusted user sees “a dead host” Connections to server are blocked Connections to server are blocked How do we discriminate between trusted and untrusted users? Today this is done by Firewalls/VPN's

4 www.BeyondSecurity.comwww.SecurITeam.com Beyond Security Ltd. Port Knocking Limitations Firewalls authorize access by IP address. Problems: Firewalls authorize access by IP address. Problems: Dynamic addresses Dynamic addresses Roaming users Roaming users VPN's authorize by authentication. Problems: VPN's authorize by authentication. Problems: Needs complicated software (VPN client) Needs complicated software (VPN client) VPN is per-network and not per-service VPN is per-network and not per-service Port knocking to the rescue!

5 www.BeyondSecurity.comwww.SecurITeam.com Beyond Security Ltd. Port Knocking Introduction 1/4 This illustration shows a server which is running four services and which has no Firewall This illustration shows a server which is running four services and which has no Firewall All ports are open All ports are open Remote computers will successfully connect to four ports: ftp/21, smtp/25, http/80 and pop/110 Remote computers will successfully connect to four ports: ftp/21, smtp/25, http/80 and pop/110

6 www.BeyondSecurity.comwww.SecurITeam.com Beyond Security Ltd. Port Knocking Introduction 2/4 Firewalled Server listens on port ssh/22 Firewalled Server listens on port ssh/22 Connections to the server are seamlessly blocked to all users Connections to the server are seamlessly blocked to all users However, once a user completes a port knocking sequence, connections are allowed However, once a user completes a port knocking sequence, connections are allowed

7 www.BeyondSecurity.comwww.SecurITeam.com Beyond Security Ltd. Port Knocking Introduction 3/4 Port knocking is a method of establishing a connection to a networked computer that has no open ports Port knocking is a method of establishing a connection to a networked computer that has no open ports Before a connection is established, ports are opened using a port knock sequence, which is a series of connection attempts to closed ports Before a connection is established, ports are opened using a port knock sequence, which is a series of connection attempts to closed ports A remote host generates and sends an authentic knock sequence in order to manipulate the server's firewall rules to open one or more specific ports A remote host generates and sends an authentic knock sequence in order to manipulate the server's firewall rules to open one or more specific ports

8 www.BeyondSecurity.comwww.SecurITeam.com Beyond Security Ltd. Port Knocking Introduction 4/4 These manipulations are mediated by a port knock daemon, running on the server, which monitors the firewall log file for connection attempts which can be translated into authentic knock sequences These manipulations are mediated by a port knock daemon, running on the server, which monitors the firewall log file for connection attempts which can be translated into authentic knock sequences Once the desired ports are opened, the remote host can establish a connection and begin a session. Another knock sequence may used to trigger the closing of the port Once the desired ports are opened, the remote host can establish a connection and begin a session. Another knock sequence may used to trigger the closing of the port

9 www.BeyondSecurity.comwww.SecurITeam.com Beyond Security Ltd. Port Knocking What is it good for? Port knocking is best for hosts that provide services to authorized users who require continual access to services and data from any location Port knocking is best for hosts that provide services to authorized users who require continual access to services and data from any location Port knocking is not suitable for hosts running public services, such as SMTP or HTTP Port knocking is not suitable for hosts running public services, such as SMTP or HTTP Port knocking is used to keep all ports closed to public traffic while flexibly opening and closing ports to traffic from users who have authenticated themselves with a knock sequence Port knocking is used to keep all ports closed to public traffic while flexibly opening and closing ports to traffic from users who have authenticated themselves with a knock sequence

10 www.BeyondSecurity.comwww.SecurITeam.com Beyond Security Ltd. Port Knocking What else? This on-demand IP-based filtering which is triggered by a remote user can offers the advantages of IP- based filtering without the limitation usually associated with maintaining IP rules This on-demand IP-based filtering which is triggered by a remote user can offers the advantages of IP- based filtering without the limitation usually associated with maintaining IP rules

11 www.BeyondSecurity.comwww.SecurITeam.com Beyond Security Ltd. Port Knocking What isn’t it? Port knocking cannot be used to protect public services - such protection cannot be effective if the knock sequence, or a method to generate it, is made public Port knocking cannot be used to protect public services - such protection cannot be effective if the knock sequence, or a method to generate it, is made public

12 www.BeyondSecurity.comwww.SecurITeam.com Beyond Security Ltd. Port Knocking Why is it so exciting? Port knocking is not a listening service – it is not exposed to network attacks Port knocking is not a listening service – it is not exposed to network attacks There is no way to detect a port- knocking server (unlike a firewall that can be detected) There is no way to detect a port- knocking server (unlike a firewall that can be detected) The port seems closed – because they are closed! The port seems closed – because they are closed! In security, simple mechanism = less probability for weaknesses In security, simple mechanism = less probability for weaknesses

13 www.BeyondSecurity.comwww.SecurITeam.com Beyond Security Ltd. Port Knocking Why not just a Firewall? Firewalls define and limit the communication possible within a network Firewalls define and limit the communication possible within a network System administrators tend to be paranoid (good!) and need to enforce limits to help monitoring and troubleshooting System administrators tend to be paranoid (good!) and need to enforce limits to help monitoring and troubleshooting Unless you are very familiar with your operating system, you may not be aware of all the services running on your computer Unless you are very familiar with your operating system, you may not be aware of all the services running on your computer

14 www.BeyondSecurity.comwww.SecurITeam.com Beyond Security Ltd. Port Knocking Summarize Port knocking can be used whenever there is a need to transfer information across closed ports Port knocking can be used whenever there is a need to transfer information across closed ports The port knock daemon can be implemented to respond in any suitable way to an authentic port knock The port knock daemon can be implemented to respond in any suitable way to an authentic port knock The knock may be used to communicate the knock information silently and/or to trigger an action. This is a form of IP over closed ports The knock may be used to communicate the knock information silently and/or to trigger an action. This is a form of IP over closed ports

15 www.BeyondSecurity.comwww.SecurITeam.com Beyond Security Ltd. Port Knocking Simple Implementation The simplest implementation of port knocking uses a log file to interface with the firewall software The simplest implementation of port knocking uses a log file to interface with the firewall software This simple approach makes port knocking highly accessible for home users This simple approach makes port knocking highly accessible for home users The protected services do not require any modification The protected services do not require any modification This form of port knocking is relatively easy to set up This form of port knocking is relatively easy to set up

16 www.BeyondSecurity.comwww.SecurITeam.com Beyond Security Ltd. Port Knocking Best Practice Port knocking is ideally suitable for remote administration provided by a latent, on-demand SSH service. In other cases port knocking may not be the right answer Port knocking is ideally suitable for remote administration provided by a latent, on-demand SSH service. In other cases port knocking may not be the right answer

17 www.BeyondSecurity.comwww.SecurITeam.com Beyond Security Ltd. Port Knocking Some History cd00r / SAdoor cd00r / SAdoor cd00r.c and SAdoor are working proof-of- concept codes for a not listening remote shell on UN*X systems cd00r.c and SAdoor are working proof-of- concept codes for a not listening remote shell on UN*X systems A listener in non-promiscuous mode looking for a specific sequence of packets before actually opening any kind of listener. A listener in non-promiscuous mode looking for a specific sequence of packets before actually opening any kind of listener. This sequence can be any kind of IP traffic for obscurity This sequence can be any kind of IP traffic for obscurity Used primarily as stealth backdoors Used primarily as stealth backdoors

18 www.BeyondSecurity.comwww.SecurITeam.com Beyond Security Ltd. Port Knocking What is needed? knockclient knockclient a port knocking client responsible for sending knocks to remote firewall where a knockdaemon is listening a port knocking client responsible for sending knocks to remote firewall where a knockdaemon is listening knockdaemon knockdaemon a port knocking server responsible for monitoring and responding to incoming knocks generated by knockclient a port knocking server responsible for monitoring and responding to incoming knocks generated by knockclient

19 www.BeyondSecurity.comwww.SecurITeam.com Beyond Security Ltd. Port Knocking Port Knocking Client “Flavors” There are port knocking implementations in Perl, C/C++, Java, python and even BASH There are port knocking implementations in Perl, C/C++, Java, python and even BASH The easiest to implement is Python, Perl and BASH The easiest to implement is Python, Perl and BASH The implementation use the logs generated by IPTABLES to discover when someone knocked on the Firewall in the right way The implementation use the logs generated by IPTABLES to discover when someone knocked on the Firewall in the right way

20 www.BeyondSecurity.comwww.SecurITeam.com Beyond Security Ltd. Port Knocking What’s next? 1/3 Suppose you have a networked system and you need to connect using ssh Suppose you have a networked system and you need to connect using ssh To close all other ports, use: To close all other ports, use: ipchains -p tcp -s 0/0 -d FIREWALL/32 -p 0:1023 -j DENY -l ipchains -p tcp -s 0/0 -d FIREWALL/32 -p 1024:49151 -j DENY Each connection attempt will be logged: Each connection attempt will be logged: Feb 12 00:13:26... input DENY... CLIENT:64137 FIREWALL:102... Feb 12 00:13:27... input DENY... CLIENT:64138 FIREWALL:100... Feb 12 00:13:27... input DENY... CLIENT:64139 FIREWALL:100... Feb 12 00:13:28... input DENY... CLIENT:64140 FIREWALL:103...

21 www.BeyondSecurity.comwww.SecurITeam.com Beyond Security Ltd. Port Knocking What’s next? 2/3 A daemon monitoring the log file can detect these connection attempts to ports 102, 100, 100, 103 from the same IP address A daemon monitoring the log file can detect these connection attempts to ports 102, 100, 100, 103 from the same IP address This particular port sequence could trigger the daemon to open port ssh/22 This particular port sequence could trigger the daemon to open port ssh/22 The daemon would execute the following command The daemon would execute the following command ipchains -I input -p tcp -s CLIENT/32 -d FIREWALL/32 22 -j ACCEPT

22 www.BeyondSecurity.comwww.SecurITeam.com Beyond Security Ltd. Port Knocking What’s next 3/3 Another sequence can be used to close the port Another sequence can be used to close the port For example, 103, 100, 100, 102 could be used to trigger the deletion of the rule that was dynamically created to allow CLIENT to connect For example, 103, 100, 100, 102 could be used to trigger the deletion of the rule that was dynamically created to allow CLIENT to connect ipchains -D input -p tcp -s CLIENT/32 -d FIREWALL/32 22 -j ACCEPT In this example, a remote user has opened port ssh/22 to IP address CLIENT by making TCP connections to ports 102, 100, 100, 103 and subsequently closed the ssh/22 port to their IP by knocking on ports 103, 100, 100, 102 In this example, a remote user has opened port ssh/22 to IP address CLIENT by making TCP connections to ports 102, 100, 100, 103 and subsequently closed the ssh/22 port to their IP by knocking on ports 103, 100, 100, 102

23 www.BeyondSecurity.comwww.SecurITeam.com Beyond Security Ltd. Port Knocking Enhancements Encrypted Port Knocks Encrypted Port Knocks The 4-port knocks in the previous example provided limited protection against packet sniffing, since the knock was independent of the connecting IP address The 4-port knocks in the previous example provided limited protection against packet sniffing, since the knock was independent of the connecting IP address Anyone on the network looking at packets could reconstruct the sequence and use it to gain access to the ssh/22 port Anyone on the network looking at packets could reconstruct the sequence and use it to gain access to the ssh/22 port In order to reduce the risk of the knock being deconstructed and gainfully executed by a third-party, it should contain the client IP address and be encrypted In order to reduce the risk of the knock being deconstructed and gainfully executed by a third-party, it should contain the client IP address and be encrypted

24 www.BeyondSecurity.comwww.SecurITeam.com Beyond Security Ltd. Port Knocking Questions? noamr@beyondsecurity.com

Download ppt "Www.BeyondSecurity.comwww.SecurITeam.com Beyond Security Ltd. Port Knocking Beyond Security Noam Rathaus CTO Sunday, July 11, 2004 Presentation on."

Similar presentations

Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
A “Dynamic” Firewall Jon Hillier Oxford University/ eScience Centre.

A “Dynamic” Firewall Jon Hillier Oxford University/ eScience Centre.
Firewall Simulation Teaching Information Security Using: Visualization Tools, Case Studies, and Hands-on Exercises May 23, 2012.

Firewall Simulation Teaching Information Security Using: Visualization Tools, Case Studies, and Hands-on Exercises May 23, 2012.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.

Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.
Introduction to Firewall Technologies. Objectives Upon completion of this course, you will be able to: Understand basic concepts of network security Master.

Introduction to Firewall Technologies. Objectives Upon completion of this course, you will be able to: Understand basic concepts of network security Master.
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
Beth Johnson April 27, 1998. What is a Firewall Firewall mechanisms are used to control internet access An organization places a firewall at each external.

Beth Johnson April 27, What is a Firewall Firewall mechanisms are used to control internet access An organization places a firewall at each external.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Firewalls: General Principles & Configuration (in Linux)

Firewalls: General Principles & Configuration (in Linux)
Networking Components Chad Benedict – LTEC 4550 1.

Networking Components Chad Benedict – LTEC
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Internet/Intranet firewall security – policy, architecture and transaction services Written by Ray Hunt This presentation will Examines Policies that influence.

Internet/Intranet firewall security – policy, architecture and transaction services Written by Ray Hunt This presentation will Examines Policies that influence.
A Brief Taxonomy of Firewalls

A Brief Taxonomy of Firewalls
Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau (20086034) Lee Shirly (20095815) Ong Ivy (20095040)

Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau ( ) Lee Shirly ( ) Ong Ivy ( )
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Similar presentations

Ads by Google