Interview with Michael Rash, Security Architect and Author of "Linux Firewalls"
by Mirko Zorz - Monday, 12 November 2007.
SPA is certainly not a silver bullet and is not suitable for many services or network deployments, but using it to secure SSH communications is one area where SPA excels. Many people focus on password cracking attempts through the SSH daemon, and apply thresholds via log monitoring scripts to implement things like "if an IP address has N failed logins within 60 seconds, then automatically firewall off the IP". The problem is that while password security is important, exploiting a software vulnerability rarely has anything to do with finding a weak password. The Gobbles challenge-response exploit from 2002 proved that OpenSSH could be remotely exploited, and there is no password guessing anywhere in sight. The actual vulnerability has of course long since been patched, but a random glance at the Securityfocus vulnerability tracking database shows that there have been recent security issues in some of the latest versions of OpenSSH. This is not meant to pick on OpenSSH; security is really hard, and a defense in depth approach is needed.

The real problem is not about password cracking; the real problem is that SSHD is accessible from arbitrary locations around the globe. Why should some random IP have the privilege of scanning for SSHD, seeing that it is accessible, and then be free to try an exploit (perhaps a new 0-day) against it? If you know that you only need to access SSHD from a limited set of IP addresses, then it is easy to write a firewall policy around these addresses, but what if you are on travel? This is where SPA comes in by maintaining a default-drop firewall stance for all SSH communications. Then, by passively sniffing for specially constructed (that is, encrypted and non-replayed) packets on the wire, the default-drop firewall policy is modified to allow an SSH connection. Details can be found in my USENIX ;login: paper "Single Packet Authorization with Fwknop". There are also two chapters in the book about port knocking and SPA.
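The SPA flow described in the answer above, written out as an added example that is not code from the interview and not fwknop's own implementation: the client builds one encrypted, HMAC-authenticated packet naming the source address and port it wants; the server, which otherwise keeps a default-drop policy, verifies the tag, rejects replays through a digest cache, rejects stale timestamps, and only then produces the firewall rule. The wire layout, the SHA-256 keystream used as a stand-in for a real cipher, the 120 second window, the shared key and the 203.0.113.5 client address are all this example's own assumptions and constructed values.

```python
"""Simplified Single Packet Authorization (SPA) round trip.

Added example only; fwknop uses Rijndael or GnuPG and its own packet
format.  Here the layout is: nonce (16 bytes) || ciphertext || HMAC (32).
"""
import hashlib
import hmac
import os
import struct
import time

TIME_WINDOW = 120   # seconds of clock skew tolerated (example value)
NONCE_LEN = 16
MAC_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream from SHA-256(key || nonce || counter); stand-in for a real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">I", counter)).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_spa_packet(key: bytes, src_ip: str, port: int, now: int = None) -> bytes:
    """Client side: one encrypted, authenticated payload asking to open `port` for `src_ip`."""
    now = int(time.time()) if now is None else now
    nonce = os.urandom(NONCE_LEN)                 # fresh per packet, so no two packets match
    body = ("%s,%d,%d" % (src_ip, port, now)).encode()
    ct = _xor(body, _keystream(key, nonce, len(body)))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return nonce + ct + tag


class SpaServer:
    """Server side: passively inspects sniffed packets; never answers them."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen = set()   # replay cache: digests of packets already accepted

    def process(self, packet: bytes, now: int = None):
        """Return (iptables_rule, "accepted") or (None, reason). The rule is not executed here."""
        now = int(time.time()) if now is None else now
        if len(packet) < NONCE_LEN + MAC_LEN + 1:
            return None, "too short"
        nonce, ct, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-MAC_LEN], packet[-MAC_LEN:]

        # 1. Authenticity before anything else: an unauthenticated packet is silently dropped.
        expected = hmac.new(self.key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None, "bad hmac"

        # 2. Replay: an identical packet captured off the wire must not reopen the port.
        digest = hashlib.sha256(packet).hexdigest()
        if digest in self.seen:
            return None, "replay"

        # 3. Decrypt and parse the request.
        body = _xor(ct, _keystream(self.key, nonce, len(ct)))
        try:
            src_ip, port_s, ts_s = body.decode().split(",")
            port, ts = int(port_s), int(ts_s)
        except (UnicodeDecodeError, ValueError):
            return None, "malformed"

        # 4. Freshness: old packets are rejected even though they are not in the cache.
        if abs(now - ts) > TIME_WINDOW:
            return None, "stale"

        self.seen.add(digest)
        rule = "iptables -I INPUT -s %s -p tcp --dport %d -j ACCEPT" % (src_ip, port)
        return rule, "accepted"


if __name__ == "__main__":
    key = b"example-shared-key"               # constructed; a deployment uses a strong random key
    pkt = build_spa_packet(key, "203.0.113.5", 22)
    srv = SpaServer(key)
    print(srv.process(pkt))                    # ('iptables -I INPUT -s 203.0.113.5 ...', 'accepted')
    print(srv.process(pkt))                    # (None, 'replay')
```

The server returns the rule as a string rather than running it, so the logic can be exercised without root; a deployment would apply the rule, then remove it again after a short timeout, so that only the SSH session established inside that window survives and the port goes back to default-drop. Note the ordering of the checks: HMAC first, so that the replay cache and parser only ever see packets from a key holder.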


What's your take on projects such as IPCop and Sentry Firewall?

Providing an easy to use Linux firewall to the masses is important, and I think IPCop goes a long way to accomplishing this. It looks as though development on Sentry Firewall has stopped, but the goal of the project - a bootable Linux CD that turns your system into a ready-made firewall and IDS - is a great concept. It allows anyone to try out a Linux firewall essentially for free on commodity hardware.

The knowledge barrier to deploying security technologies should be made as low as possible, and this means that ease of use is paramount. Also, not everyone is familiar with Linux as a network security technology, so projects like IPCop and Sentry Firewall help to increase exposure of Linux in this scenario. Finally, I wish to add that IPCop also provides a good firewall solution, and it is compatible with psad (discussed extensively in the book).

Copyright 1998-2013 by Help Net Security.