Firewall administrators are challenged to balance flexibility and security when designing a comprehensive rule set. A firewall should provide protection against malfeasants, while allowing trusted users to connect. Unfortunately, it is not always possible to filter out the bad guys, because filtering on the basis of IP addresses and ports does not distinguish between connecting users. Bad guys can and do come from trusted IP addresses. Open ports remain a necessary vulnerability: they allow connections to applications but may also turn into open doors for attack. This article presents a new security system, termed port knocking, in which trusted users manipulate firewall rules by transmitting information across closed ports.
Briefly, users make connection attempts to sequences of closed ports. The failed connections are logged by the server-side packet filtering firewall and detected by a dæmon that monitors the firewall log file. When a properly formatted knock sequence, playing the role of the secret used in the authentication, is received, firewall rules are manipulated based on the information content of the sequence. This user-based authentication system is both robust, being mediated by the kernel firewall, and stealthy: it is not possible to detect whether a networked machine is listening for port knocks. Port knocking does not require any open ports, and it can be extended to transmit any type of information encoded in a port sequence.
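The log-monitoring step described above can be sketched as follows. This is an added example, not code from the article: the knock sequence, the service port 22 and the sample log lines (modelled on netfilter LOG output) are constructed assumptions, and the rule is only built as a string, never executed.

```python
import re

# Hypothetical knock sequence (the shared secret); not from the article.
KNOCK_SEQUENCE = (7000, 8000, 9000)

# Matches the SRC=, PROTO= and DPT= fields of a netfilter LOG-style line.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) .*PROTO=TCP .*DPT=(?P<dpt>\d+)")

# Constructed sample log: denied connection attempts to closed ports.
SAMPLE_LOG = """\
Jun 16 10:00:01 fw kernel: KNOCK IN=eth0 SRC=192.0.2.10 DST=198.51.100.1 PROTO=TCP SPT=40001 DPT=7000 SYN
Jun 16 10:00:01 fw kernel: KNOCK IN=eth0 SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP SPT=51000 DPT=7000 SYN
Jun 16 10:00:02 fw kernel: KNOCK IN=eth0 SRC=192.0.2.10 DST=198.51.100.1 PROTO=TCP SPT=40002 DPT=8000 SYN
Jun 16 10:00:02 fw kernel: KNOCK IN=eth0 SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP SPT=51001 DPT=9000 SYN
Jun 16 10:00:03 fw kernel: KNOCK IN=eth0 SRC=192.0.2.10 DST=198.51.100.1 PROTO=TCP SPT=40003 DPT=9000 SYN
Jun 16 10:00:04 fw kernel: KNOCK IN=eth0 SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP SPT=51002 DPT=8000 SYN
"""


def detect_knocks(log_text, sequence=KNOCK_SEQUENCE):
    """Return source IPs that completed the sequence, in order of completion."""
    progress = {}   # source IP -> number of sequence ports matched so far
    authorised = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a logged TCP connection attempt
        src, port = m.group("src"), int(m.group("dpt"))
        step = progress.get(src, 0)
        if port == sequence[step]:
            step += 1
        else:
            # Wrong port: start over, counting it if it is the first knock.
            step = 1 if port == sequence[0] else 0
        if step == len(sequence):
            authorised.append(src)
            step = 0
        progress[src] = step
    return authorised


def rule_for(src, service_port=22):
    """Build (not run) the iptables command a daemon could issue for src."""
    return f"iptables -I INPUT -s {src} -p tcp --dport {service_port} -j ACCEPT"


if __name__ == "__main__":
    for ip in detect_knocks(SAMPLE_LOG):
        print(rule_for(ip))
```

Progress is tracked per source address, so interleaved attempts from different hosts do not disturb each other, and an out-of-order knock resets only that host's state.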