Posted Mar 5, 2007 23:49 UTC (Mon) by flewellyn
In reply to: Bad Security
Parent article: Single Packet Authorization (Linux Journal)
I partly agree.
Port-knocking itself isn't something I'd heard of before, but as soon as I read the description, I knew it would not work. Even before I read the list of shortcomings in the article, my first thought was, "Umm, what's to be done about replay attacks?" The issues of bandwidth, out-of-order delivery and denial-of-service, which I didn't think of before reading that part, killed the idea for me. Plus, the whole idea of using the port fields for something other than what they are intended -- port numbers -- seems altogether wrong.
SPA, on the other hand, seems like a much better idea. It doesn't use port numbers in a bad and wrong way, it has decent bandwidth, it's designed to circumvent replay issues, and doesn't have the denial-of-service problem. It could be a useful additional layer of security, and I don't see it having any huge problems in theory.
In practice, of course, the SPA server is something programmers need to get right: bugs in the SPA server could either kill network traffic altogether ("block everything!"), or make the SPA layer useless ("block nothing!"). And I think the article should take pains to remind people that this is not a replacement for securing the actual application programs, either; I would be very nervous about someone setting up an SPA server, and then thinking that this made host-level and service-level security unnecessary.
to post comments)