Bill Bumgarner

2004-2-6

Port Knocking

Seems that a lot of folks are all excited about port knocking. To summarize: a client that wants to talk to a server behind a firewall would first "knock" on the firewall by directing packets to closed ports on the firewall in a particular sequence. Only after hitting the appropriate ports in the correct sequence within a certain amount of time will the firewall allow the client to pass traffic through to a particular service behind the firewall.

This from the crowd of folks who are the first to cry foul when a company claims security through obscurity as a feature? I keep looking for the punch line.

This is just an obscurity hack. A clever obscurity hack, certainly.

To be fair, the site addresses the security-through-obscurity criticism. The claim is that because "knocking" on closed ports doesn't cause a stateful exchange (the packets are simply dropped and nothing is ever sent back), there is no way for the "hacking client" to know that port knocking is being used.

But what about a good network sniffer? It would be trivial to modify any sniffer for which source is available to look for the pattern of ports used to "knock" on the firewall: a burst of packets from one source to a handful of closed ports, followed moments later by a successful connection to the protected service.

There are, of course, all kinds of fun things that could be layered on top of "port knocking" to make it harder to crack, but it is still largely an exercise in obscuring the means of access.

The authors of that site also mention that port knocking can generalize beyond protection of ports to transfer of data across closed ports.

Every time I have been directly or indirectly involved in cleaning up after a successful hack, the means of access always boiled down to one of two causes:

1. failure to patch the system such that known vulnerabilities were exploited

2. security breach as the result of social engineering or packet sniffing that revealed a password, often to a non-critical service (see #1).

The site suggests that the knock should be encrypted to make it more difficult to deconstruct. Sure, that'll prevent someone who stole the file containing the knock from reading it, but it does zero for protecting the knock when it is "on the wire" between client and server. At that point it is just TCP/IP traffic and is quite easily "sniffable", and whoever captures the sequence of ports doesn't need to decrypt anything: unless each knock is made single-use (a timestamp or counter folded into it), the captured sequence can simply be replayed as-is.

Then there is the issue of compatibility. Given that the silly thing sends a series of relatively random packets to a relatively random sequence of ports, with zero client-side acknowledgement that anything happened, good or bad, one decently configured firewall or proxy server in between client and server that drops or rewrites those packets will render it useless, and the client cannot even tell which hop swallowed its knock.

And what happens in the face of random port scanning or other sources of relatively random traffic? Since no acknowledgement is provided to the client that any given part of the "knock" has been received, the entire system is extremely fragile. It would be trivial to shut down a server's "knockable firewall" with a white-noise-style packet generator that sprays packets at random ports; and since a knock never gets a reply, the source address on that noise can be forged as easily as the knock itself.
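The three points above (the knock sequence itself, a sniffer recovering and replaying it, and noise interleaved with a real knock) can be walked through in a small simulation. This is an added example, not code from the original post or from any real knock daemon; the "firewall log" is a constructed list of (seconds, source address, destination port) tuples, and KNOCK, WINDOW, PROTECTED and the two addresses are assumed values chosen for the demonstration.

```python
"""Port knocking as the post describes it, simulated end to end.

Added example, not code from the original post or from any real knock
daemon. The "firewall log" is a constructed list of
(seconds, source address, destination port) tuples.
"""
from typing import Dict, List, Set, Tuple

Event = Tuple[float, str, int]

KNOCK = [7000, 8000, 9000]   # assumed secret knock sequence
WINDOW = 5.0                 # assumed: the whole sequence must land within 5 s
PROTECTED = 22               # assumed: the service the knock unlocks


class KnockDaemon:
    """Per-source state machine: a source that hits KNOCK in order within
    WINDOW gets PROTECTED opened. Nothing is ever sent back, and any
    out-of-sequence port resets the count, as the post summarises."""

    def __init__(self, sequence: List[int] = KNOCK, window: float = WINDOW) -> None:
        self.sequence = sequence
        self.window = window
        self.progress: Dict[str, Tuple[int, float]] = {}  # src -> (next index, first-knock time)
        self.opened: Set[str] = set()

    def observe(self, event: Event) -> None:
        t, src, port = event
        idx, start = self.progress.get(src, (0, t))
        if idx and t - start > self.window:
            idx = 0                                   # too slow: start over
        if port == self.sequence[idx]:
            idx += 1
            if idx == 1:
                start = t                             # clock starts at the first correct knock
            if idx == len(self.sequence):
                self.opened.add(src)
                idx = 0
        elif port == self.sequence[0]:
            idx, start = 1, t                         # wrong port, but a fresh first knock
        else:
            idx = 0                                   # any other port resets the sequence
        self.progress[src] = (idx, start)

    def run(self, log: List[Event]) -> Set[str]:
        for ev in sorted(log):                        # process the log in time order
            self.observe(ev)
        return self.opened


def legit_session(src: str, t0: float) -> List[Event]:
    """A client that knows the knock, then connects to the protected port."""
    return [(t0 + i * 0.5, src, p) for i, p in enumerate(KNOCK)] + [(t0 + 2.0, src, PROTECTED)]


def recover_knock(trace: List[Event], protected: int = PROTECTED,
                  window: float = WINDOW) -> Dict[str, List[int]]:
    """What a patched sniffer does: for every source that reaches `protected`,
    return the closed ports it touched in the preceding `window` seconds.
    How those port numbers were derived (encrypted secret or not) is
    irrelevant; the wire shows the result either way."""
    ordered = sorted(trace)
    found: Dict[str, List[int]] = {}
    for t, src, port in ordered:
        if port == protected and src not in found:
            found[src] = [p for (tt, s, p) in ordered
                          if s == src and p != protected and t - window <= tt < t]
    return found


def replay(sequence: List[int], attacker: str, t0: float = 0.0) -> List[Event]:
    """Send a captured sequence verbatim from the attacker's own address."""
    return [(t0 + i * 0.5, attacker, p) for i, p in enumerate(sequence)]


def spoofed_noise(victim: str, t0: float, count: int) -> List[Event]:
    """Junk aimed at closed ports, carrying the legitimate client's source
    address (forgeable, since a knock never gets a reply). Ports are
    deterministic here so the example is repeatable."""
    return [(t0 + 0.25 + i * 0.5, victim, 10000 + i) for i in range(count)]


def demo() -> Dict[str, object]:
    client, attacker = "198.51.100.7", "203.0.113.9"   # assumed addresses
    trace = legit_session(client, 100.0)
    opened_legit = KnockDaemon().run(trace)                      # the mechanism works
    learned = recover_knock(trace)[client]                       # the sniffer learns the knock
    opened_replay = KnockDaemon().run(replay(learned, attacker))  # and replays it
    jammed = KnockDaemon().run(trace + spoofed_noise(client, 100.0, 2))  # noise breaks the real knock
    return {"legit": opened_legit, "learned": learned, "replay": opened_replay, "jammed": jammed}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The daemon keeps state per source address, which is the most charitable reading of the scheme; even so, two junk packets with a forged source landing between the real knocks are enough to keep the legitimate client locked out, and the passive observer needs nothing but the order of ports it saw to get in from its own address.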
