Tuesday, December 2, 2008
Port Knocking
In computer networking, port knocking is a method of externally opening ports on a firewall by generating connection attempts on a set of prespecified closed ports. Once the correct sequence of connection attempts is received, the firewall rules are dynamically changed to allow the host that sent the connection attempts to connect over the specific port(s).
Leaving a port open to the world is an open invitation to an intruder.
Unfortunately, public services such as HTTP or SMTP have to be reachable by everyone. Some of the more sensitive services, however, only need to be reachable when a legitimate user actually wants them. This is where port knocking comes in.
If we run a network service with strong authentication (e.g. SSH) on our server, we are relying on that service's own authentication and encryption to tell legitimate users from illegitimate ones.
The legitimate user has a password (or key) and the illegitimate user does not, but in order for the service to establish this, the illegitimate user has to be allowed to interact with the service first.
Since password guessing offers little chance of getting into a well-defended system, an intruder will instead try to bypass the authentication step altogether and escalate privileges by exploiting a known bug in the service, such as a buffer overflow. Because a zero-day exploit targeting our service may appear any day, running a network service is never a peaceful activity. We must monitor vulnerability advisories and keep an eye out for patches that plug new holes. But let's face it: reading advisories is boring, thankless and 99.99% of the time uninformative.
It may be a year or two, or never, before an exploit for the version of the service we run is found and reported. So what can we do?
First, consider that a service with a limited user base does not need to have its port open at all times. Unlike public services such as SMTP or HTTP, which must accept connections from anyone, anywhere, and usually require no authentication, SSH only lets in users who hold a valid password or key.
Now imagine being able to keep the SSH port (tcp/22) closed, so that the service is unreachable and therefore shielded from remote exploits, until one of our legitimate users actually asks for it.
But how can the service be requested if the port is closed and no connection is possible? This is where port knocking comes in. Port knocking lets a user request that a port be opened in front of a network service. The request takes the form of a sequence of connection attempts (the "knocks") sent to closed ports on the server.
It is possible to convey information across closed ports, even though no service is listening on them, because the firewall, or a packet capture tool such as tcpdump, can be configured to monitor every incoming packet, including ones that never reach an application like SSH.
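To make the mechanism concrete, here is the server side of a knock daemon reduced to its core: a per-source state machine fed with the SYN packets the firewall sees on closed ports. This is an added example written for this page; it is not code from the original post nor from any port-knocking tool such as knockd. The knock sequence (7000, 8000, 9000), the timeouts, the opened port and the IP addresses in the sample capture are all assumptions chosen for illustration, and the iptables rule is only built as a string rather than executed.

```python
"""Server-side port-knock sequence detection over observed packets.

Added example (not from the original post or any port-knocking tool).
All ports, timeouts and addresses below are assumptions for illustration.
"""
import socket
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

KNOCK_SEQUENCE: Tuple[int, ...] = (7000, 8000, 9000)  # closed ports, hit in this order
SEQ_TIMEOUT = 5.0      # seconds allowed to complete the whole sequence
PROTECTED_PORT = 22    # port opened for the knocker on success
OPEN_DURATION = 30.0   # seconds the opening stays valid for that source


@dataclass
class KnockState:
    next_index: int      # index into KNOCK_SEQUENCE of the port expected next
    started_at: float    # time of the first correct knock


@dataclass
class KnockDaemon:
    states: Dict[str, KnockState] = field(default_factory=dict)  # src -> progress
    opened: Dict[str, float] = field(default_factory=dict)       # src -> expiry time
    rules: List[str] = field(default_factory=list)               # rules we would apply

    def observe(self, src: str, dport: int, ts: float) -> Optional[str]:
        """Feed one SYN seen by the firewall on a closed port.

        Returns the firewall rule to apply when `src` completes the sequence,
        otherwise None. A real daemon would execute the rule and remove it
        again after OPEN_DURATION; here it is only recorded as a string.
        """
        st = self.states.get(src)
        if st is not None and ts - st.started_at > SEQ_TIMEOUT:
            st = None                                      # too slow: start over
        if st is not None and dport == KNOCK_SEQUENCE[st.next_index]:
            st.next_index += 1                             # correct next knock
        elif dport == KNOCK_SEQUENCE[0]:
            st = KnockState(next_index=1, started_at=ts)   # (re)start at step one
        else:
            # Any other port resets progress, so a linear port scan that sweeps
            # 7000, 7001, 7002, ... never completes the sequence.
            self.states.pop(src, None)
            return None
        if st.next_index == len(KNOCK_SEQUENCE):
            self.states.pop(src, None)
            self.opened[src] = ts + OPEN_DURATION
            rule = f"iptables -I INPUT -s {src} -p tcp --dport {PROTECTED_PORT} -j ACCEPT"
            self.rules.append(rule)
            return rule
        self.states[src] = st
        return None

    def is_open(self, src: str, ts: float) -> bool:
        """Whether `src` currently holds a valid opening of PROTECTED_PORT."""
        expiry = self.opened.get(src)
        return expiry is not None and ts < expiry


def send_knocks(host: str, sequence: Tuple[int, ...] = KNOCK_SEQUENCE, delay: float = 0.2) -> None:
    """Client side: one connection attempt per port. The SYN is all the server
    needs, so the (expected) connection failure is ignored."""
    for port in sequence:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(0.5)
        try:
            s.connect((host, port))
        except OSError:
            pass           # refused or dropped: that is the normal case
        finally:
            s.close()
        time.sleep(delay)


# Constructed sample of SYNs to closed ports, as the firewall would log them:
# (timestamp, source address, destination port).
SAMPLE_PACKETS = [
    (1.0, "203.0.113.5", 7000),    # legitimate user: full sequence within 1 s
    (1.5, "203.0.113.5", 8000),
    (2.0, "203.0.113.5", 9000),
    (10.0, "198.51.100.9", 7000),  # right ports, but the last knock is 10 s late
    (11.0, "198.51.100.9", 8000),
    (20.0, "198.51.100.9", 9000),
    (30.0, "192.0.2.77", 6999),    # scanner sweeping ports in increasing order
    (30.1, "192.0.2.77", 7000),
    (30.2, "192.0.2.77", 7001),
    (30.3, "192.0.2.77", 7002),
    (30.4, "192.0.2.77", 8000),
    (30.5, "192.0.2.77", 9000),
]


def run_sample() -> Tuple[KnockDaemon, List[str]]:
    """Replay SAMPLE_PACKETS through the daemon; returns it and the rules produced."""
    daemon = KnockDaemon()
    for ts, src, dport in SAMPLE_PACKETS:
        daemon.observe(src, dport, ts)
    return daemon, daemon.rules


if __name__ == "__main__":
    d, rules = run_sample()
    for r in rules:
        print(r)   # only 203.0.113.5 earns an opening
```

Only the first source completes the sequence: the second is reset by the timeout and the scanner is reset by the ports it hits between the knock ports. Two caveats a practitioner should keep in mind: a fixed sequence like this can be sniffed and replayed by anyone on the path, which is why later schemes authenticate each knock (for example with a one-time or keyed value), and the opening must be removed again after OPEN_DURATION or the port is simply open.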
Limitations of IP filtering
One way to limit the exposure of our network service is to use an IP filter such as netfilter/iptables. The filter is configured to allow connections only from the IP addresses from which our users connect; the list would typically include remote offices and homes.
This approach does well to limit the number of sources from which connections are allowed, but it copes poorly with mobile users or with offices and homes whose external IP addresses are dynamically assigned. If our users frequently change computers or networks, maintaining an ever-changing list of permitted IP addresses may not be practical. This is especially true when users connect from notoriously untrustworthy locations like Internet cafes or university laboratories.
Using an IP filter also assumes that behind a trusted IP or network address there are only trusted users. This is clearly not always true, especially when the trusted IP address is the gateway of a large internal network; it is easy to imagine attacks and legitimate connections originating from the same address.
Labels: buffer overflow, intruder, ip filter, iptables, Knocking, netfilter, Port, zero-day exploit