Tuesday, December 2, 2008

Port Knocking


In computer networking, port knocking is a method of externally opening ports on a firewall by generating connection attempts on a set of prespecified closed ports. Once the correct sequence of connection attempts is received, the firewall rules are dynamically changed to allow the host that sent the connection attempts to connect over specific port(s).

Leaving a port open to the world is an open invitation to an intruder.
Unfortunately, most services, such as HTTP or SMTP, need to be open for everyone to see. However, some of the more vital services need only be reachable when they are actually required. Here's where port knocking comes in.

If we are running strongly authenticating network services (e.g. SSH) on our server, it is likely that we are relying on the service's authentication and encryption to tell legitimate users from illegitimate ones.

The legitimate user has a password and the illegitimate user does not. But for the service to establish this fact, the illegitimate user must be given a chance to interact with the service.

Given that password guessing offers little chance of penetrating a well-defended system, an intruder will instead try to bypass the authentication part of the service and escalate privileges by exploiting a known bug, such as a buffer overflow. Since a zero-day exploit targeting our service may appear any day, maintaining a network service is not a peaceful activity. We must monitor vulnerability advisories and keep an eye out for patches to plug new security holes. But let's face it - reading advisories is boring, thankless and 99.99% of the time uninformative.

It may be a year or two, or never, before an exploit for the particular version of a service we run is found and reported. So what can we do?

First, let's consider the fact that services with a limited user base do not need to have their ports open at all times. Unlike public services such as SMTP or HTTP, which need to accept connections from anyone, anywhere, and usually do not require authentication, SSH is a service that lets only password-bearing users in.
Now, imagine being able to keep the SSH port (tcp/22) closed, making the service inaccessible and protected from exploits, until the service is actually requested by one of our legitimate users.

But how is this service requested if ports are closed and no connections are possible? This is where port knocking comes in. Port knocking permits a user to request that a port be opened in front of a network service. The request takes the form of a passive sequence of authentication packets sent to closed ports on the server.

It is possible to send information across closed ports, even when no network services are listening on them, because our firewall or another utility like tcpdump can be configured to monitor all incoming packets, even those that never reach an application like SSH.

Limitations of IP filtering

One way to limit the exposure of our network service is to use an IP filter, like netfilter/iptables. The filter would be configured to allow connections only from the IP addresses our user base connects from. This list would include remote offices and homes.

This approach does well to limit the number of sources from which connections are allowed, but is limited in its ability to deal with mobile users or offices/homes for which external IP addresses are dynamically assigned. If our users frequently change computers or networks, it may not be practical to maintain a changing list of IP addresses from which connections are permitted. This is especially true when users try to connect from notoriously untrustworthy locations like Internet cafes or university laboratories.

Using an IP filter makes the assumption that behind a trusted IP address, or network address, are only trusted users. This is clearly not always true, especially when the trusted IP address is the gateway of a large internal network. It's easy to imagine a case in which attacks and legitimate connections originate from the same IP.

Wednesday, November 19, 2008

Lock before Walk


If you want to keep your data SAFE, lock the system when you are not near it.

Tuesday, November 11, 2008

Why Is the Internet Insecure?

The Internet is insecure for a variety of reasons. Those factors include
  • Lack of education
  • The Internet's design
  • Proprietarism
  • The trickling down of technology
  • Human nature
Each of these factors contributes in some degree to the Internet's current lack of security.

Lack of education: Do you believe that what you don't know can't hurt you? If you are charged with the responsibility of running an Internet server, you had better not believe it. Education is the single most important aspect of security, and the one that has been most sorely wanting.

The Internet's design: The Internet is the most remarkable creation ever erected by humankind in this respect: there are dozens of ways to get a job done on the Internet, and dozens of protocols with which to do it. Security experts have for years been running back and forth before a dam of information and protocols, plugging the holes with their fingers. Crackers, meanwhile, come armed with icepicks, testing the dam here, there, and everywhere.

Part of the problem is in the Internet's basic design. Traditionally, most services on the Internet rely on the client/server model. The task before a cracker, therefore, is a limited one: go to the heart of the service and crack that server.

Proprietarism: This is a practice undertaken by commercial vendors in which they attempt to inject into the Internet various forms of proprietary design. By doing so, they hope to create profits in an environment that has previously been free from commercial reign. It is the modern equivalent of Colonialism plus Capitalism in the computer age on the Internet. It interferes with the Internet's security structure and defeats the Internet's capability to serve all individuals equally and effectively.

The trickling down of technology: Today, the average cracker has tools at his or her disposal that most security organizations use in their work. Moreover, the machines on which crackers use these tools are extremely powerful, allowing faster and more efficient cracking. Crackers have become organized, and they maintain a wide variety of servers on the Internet. These are typically established using free operating systems. Others are more unreliable and may appear at different times via dynamic IP addresses.

Human Nature: Humans are, by nature, a lazy breed. To most users, the subject of Internet security is boring and tedious. They assume that the security of the Internet will be taken care of by experts.

There are still two final aspects of human nature that influence the evolution of security on the Internet. Fear is one. Most companies are fearful of communicating with outsiders regarding security.

The last human factor here is curiosity. Curiosity is a powerful facet of human nature that even the youngest child can understand. One of the most satisfying human experiences is discovery. Investigation and discovery are the things that life is really made of. We learn from the moment we are born until the moment that we die, and along that road, every shred of information is useful.

Crackers are not so hard to understand. It comes down to basics: Why is this door locked? Can I open it? As long as this aspect of human experience remains, the Internet may never be entirely secure. Oh, it will ultimately be secure enough for credit-card transactions and the like, but someone will always be there to crack it.

Does the Internet Really Need to Be Secure?

Yes. The Internet does need to be secure and not simply for reasons of national security.
Today, it is a matter of personal security.


Can the Internet Be Secure?
Yes. The Internet can be secure. But in order for that to happen, some serious changes must be made, including the heightening of public awareness of the problem. Most users still regard the Internet as a toy, an entertainment device that is good for a couple of hours on a rainy Sunday afternoon. That needs to change in the coming years.

Thanks & Regards
D.R.Sudharsan