fwknop: Single Packet Authorization and Port Knocking
Port Knocking is something I consider to be “security through obscurity,” so I haven’t really paid any attention to it aside from mentioning it in my lectures when it comes up. I see too many flaws in the idea to even consider it feasible.
Today in one of my feeds I read a post over at Darknet about an implementation of Port Knocking that uses SPA and integrates with iptables and ipfw. Now I can say it has my attention, for at least the 15 minutes that lasts. You can get more info on fwknop, which stands for “FireWall KNock OPerator,” on the CipherDyne site. It’s a Perl script that was released back in 2004. I know using SPA with Port Knocking isn’t new, but it’s new to me.
If you get Hakin9 Magazine, fwknop was discussed in the September issue, which is the reason it has been brought back into the light. Per the Port Knocking Website, you can find about 50+ implementations of Port Knocking.
The author of the tool is Michael Rash, a Security Researcher and the guy who wrote “Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort” (No Starch Press). fwknop and a few other implementations will be added to my “round-to-it folder” of things to demo.
I know Port Knocking is relatively new and I don’t think it’s appropriate for enterprise use, IMHO. But I did find an article in CIO magazine, “You Can Hide So SOA Won’t Run,” about using PK in the enterprise space. I would suggest PK maybe if you need to hide your home VPN server from your evil ISP. But that is about the furthest I would take it. I know you can make the argument that this method could be another layer of the usual “defense in depth” mantra, but I think it would not be worth it in the long run.
As always I would like to hear from those using both this tool and Port Knocking in general. Please post in the comments your thoughts on the validity of Port Knocking and if I’m wrong calling it “security through obscurity.”


