Posted Mar 6, 2007 1:03 UTC (Tue) by ArbitraryConstant
Parent article: Single Packet Authorization (Linux Journal)
I share the skepticism of others here.
Port knocking isn't a security solution, it's for when your ISP will get angry with you if you have servers listening for connections. It's still trivial for traffic analysis to figure out what you're up to, so I'm not convinced of the value even then; if port knocking will fool them, so will listening on 1024+.
When it's a matter of security and a proper VPN isn't an option for whatever reason, I use AuthPF, and I'm sure something similar is available through Linux. It uses SSH for authentication and keepalives.
The post argues that even SSH is sometimes vulnerable, but as others have mentioned, everything is sometimes vulnerable. A port knocking implementation won't be any less so. At least with SSH, patches are needed only infrequently, and they're usually available quickly when needed.
The problem with this is that it is the most secure port knocking implementation you're ever likely to get, but the connections you make past the firewall are still subject to the risks associated with going over the Internet in the clear, and if you're NATing or someone can spoof your IP, you're still vulnerable. There's only one solution that's actually resistant to a determined attack, and that's cryptographically secure authentication and communication. SSH tunnels and VPNs are the answer for this, not port knocking.
I simply don't see the benefit. Whatever permutation you're looking at, there's either an easier way or a more secure way, depending on your priorities.