Single Packet Authorization (Linux Journal)

Posted Mar 6, 2007 15:32 UTC (Tue) by bronson (subscriber, #4806)
In reply to: Single Packet Authorization (Linux Journal) by tialaramex
Parent article: Single Packet Authorization (Linux Journal)

"you can hide the entire machine, rather than just a service port, by simply neglecting to publicise its existence."

Once that machine emits a single packet (of ANY type), its cover is blown. That doesn't sound like very effective security to me.


Single Packet Authorization (Linux Journal)

Posted Mar 7, 2007 9:32 UTC (Wed) by tialaramex (subscriber, #21167)

Earlier in these same comments you seemed to understand that there are two major categories of attacker.

Script kiddies can't search 2^128 addresses, or even the much smaller but still vast IPv6 range actually allocated and in service, nor can a worm. On the whole the script kiddies aren't very smart, but if they persist in scanning anyway they're just wasting their time and a little bit of everyone's bandwidth until they learn better. Script kiddies don't have access to your traffic logs, or an optical splitter in your ISP's fibre, so they can't tell when your machine "emits a single packet". So IPv6 makes Internet-scale scanning go away. That means no false alarms: packets arriving at your machines were directed at you, not just sent to randomly generated IP addresses.

Sophisticated attackers probably aren't interested in you. If they are, the thing keeping you safe is SSH itself, and if you have a vulnerability then they doubtless know about it and will be inside your network before you even read the security advisory. Port knocking is, if anything, adding to the cracks in the wall.

I find it odd that you seem to claim maintaining complicated "knocking" rituals for every server is less effort than managing SSH public key crypto. If you really meant that you don't have any security at all inside your network and rely on port knocking to protect a /gateway/ machine, then might I suggest that you manage SSH public key crypto just for that machine (and get some more security)?

Single Packet Authorization (Linux Journal)

Posted Mar 7, 2007 16:31 UTC (Wed) by bronson (subscriber, #4806)

A few thoughts...

If you're saying that hiding a machine deep in IPv6 space is poor security, just like port knocking is poor security, then we are in agreement. :)

I use the same knock sequence on every server. Port knocking is bad security, why pretend otherwise? But, here's the thing: even a simple, static 3-port sequence significantly raises the bar to touching the good security. With port knocking, when I see multiple failed login attempts in my logs, I know that something is wrong and I'll bring the heavy immediately.

Port knocking is not about adding more security. It's about eliminating the noise that would otherwise hide a determined attacker.

As I said before, I do have pubkey login on every ssh machine I maintain. We pubkey users seem to be a tiny minority, unfortunately. I was just explaining why I think that many admins either don't do it or, if they try, do it badly. It takes forethought to securely scale up to many admins on many machines. It isn't plug-and-chug.

Because port knocking can be done entirely with iptables rules, it doesn't need to add appreciably to your threat surface. It just adds the 'recent' module, which seems to be a well written module. SPA, with its dedicated listening daemon, adds significantly to your threat surface. A quick google search finds this article, which appears to be good but isn't the one I followed: http://www.soloport.com/iptables.html .

Here's a much more thorough treatment that I just found: http://web.mac.com/s.j/iWeb/Security/Port%20Knocking%20an... I haven't read the whole thing yet but, reading the conclusion, I think Sebastien Jeanquier is spot on.

Does that make my position a little more clear?
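A small model of the iptables 'recent'-module knock logic described in the comment above, added here as an illustration (it is not code from the post or from the linked articles). The knock ports 7000/8000/9000, the ssh port and the timeouts are constructed assumptions; each stage corresponds to one `--rcheck --seconds N --name KNOCKn` rule feeding a `--set` on the next list, and any other packet plays the role of the `--remove` rule that restarts the sequence.

```python
"""Model of a 3-port iptables 'recent' knock chain (constructed example, not real iptables)."""
from dataclasses import dataclass, field

KNOCK_SEQUENCE = (7000, 8000, 9000)  # constructed knock ports (assumption)
PROTECTED_PORT = 22                  # the port the knock unlocks (assumption)
KNOCK_TIMEOUT = 10.0                 # seconds allowed between knocks (--seconds)
OPEN_WINDOW = 30.0                   # seconds the completed knock stays valid


@dataclass
class KnockFirewall:
    # One dict per 'recent' list: stage number -> {source_ip: time last set}
    lists: dict = field(default_factory=dict)

    def _stage(self, ip, now):
        """Highest stage ip currently holds whose timer has not expired (0 = none)."""
        for stage in range(len(KNOCK_SEQUENCE), 0, -1):
            seen = self.lists.get(stage, {}).get(ip)
            limit = OPEN_WINDOW if stage == len(KNOCK_SEQUENCE) else KNOCK_TIMEOUT
            if seen is not None and now - seen <= limit:
                return stage
        return 0

    def _reset(self, ip):
        """Equivalent of the catch-all '-m recent --remove' rules: forget ip everywhere."""
        for entries in self.lists.values():
            entries.pop(ip, None)

    def packet(self, ip, dport, now):
        """Verdict ('ACCEPT' or 'DROP') for a TCP SYN from ip to dport at time now."""
        stage = self._stage(ip, now)
        full = len(KNOCK_SEQUENCE)
        # Final rule: ssh is only reachable while the last list still holds ip.
        if dport == PROTECTED_PORT and stage == full:
            return "ACCEPT"
        if stage < full and dport == KNOCK_SEQUENCE[stage]:
            # Correct next knock: --rcheck on list `stage` passed, --set on list stage+1.
            self._reset(ip)
            self.lists.setdefault(stage + 1, {})[ip] = now
        else:
            # Wrong port, or a knock after the timer expired: the sequence restarts.
            self._reset(ip)
        return "DROP"  # knock packets themselves are never answered
```

Note that a port sweep in ascending order hits 7000 and then 7001, which resets the sequence; only the exact ordered triple within the timeout opens the port, which is the "raises the bar" effect described, not a substitute for the key-based login behind it.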

Single Packet Authorization (Linux Journal)

Posted Mar 7, 2007 18:28 UTC (Wed) by tialaramex (subscriber, #21167)

Yes, your position is more clear. I think we're pretty much on the same wavelength about what the problems are and the extent to which different techniques are appropriate; it's just that I don't agree with your choice of solution (although I agree it's working for you). I prefer elegant solutions, and I see sparse addresses as elegant while secret handshakes are not. I haven't any data as to which is more effective in practice.

Adding "more" iptables rules would constitute a non-negligible increase in attack surface for me because I don't currently use, or intend to use, iptables. Of course you could argue that using IPv6 at all, even during the lengthy (perhaps a decade or more still) transition period also increases the attack surface, but if you view IPv6 as inevitable then finding any security problems in it now seems like a good up-front investment.

My original purpose in mentioning this was to justify why I think scanning is mostly a transitory problem not worthy of creating specialised protocols and tools like the one in the article.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds