
Re: Port Knocking on openBSD?



On Saturday 07 February 2004 07:44 pm, Greg Thomas wrote:
> On Feb 7, 2004, at 2:01 PM, Nick Holland wrote:
> > Greg Thomas wrote:
> >> Scenario:  I need to be able to SSH into a box from anywhere in the
> >> world but not very often, a new exploit of SSH comes out.  What's the
> >> better solution than port knocking to protect yourself from the
> >> exploit?
> >
> > Same as the answer to "What's the protection if your port knocking
> > system has an exploit?"
>
> Aren't layers good?
>
> >> Just curious as it's interesting to think this stuff through and I'm
> >> not very knowledgable here.
> >
> > One idea: have one box you keep "safe" and up to date and able to fix
> > quickly.  New SSH exploit comes out, you fix that box first.  Your
> > other systems are filtered to only accept ssh traffic from that one
> > box (actually, for redundancy purposes, have TWO boxes on totally
> > different locations/service providers)
> >
> > Out at a random location?  ssh into your "hub" machine, then from
> > there to the remote system you need to maintain.
>
> Yes, that's a great idea.  But if you're a small shop you may have
> trouble updating that one "safe" box.
>
> Greg

Layers add complexity to the equation (whatever you are doing).
When you add complexity, you give rise to the "who owns the bug"
problem when something goes wrong.

Yes, a small shop could have problems updating that one "safe"
box.  But it's a single point of failure, isn't it?  And if you don't trust
SSH you shouldn't be using it.  There are no guarantees in software,
but the OpenSSH team has produced an excellent system.  It may
have problems from time to time, but that's the nature of the game,
isn't it?  What I'm concerned with is how problems are dealt with.
The OpenBSD 3.1 era SSH problem was dealt with as well as I think
it could have been, and THAT is what matters--how bad problems
are dealt with.

Adding layers to "protect" yourself generally doesn't work, because
you have several layers to worry about and deal with when
things go wonky...

--STeve Andre'
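The "hub box" filtering Nick Holland describes above, written out as a pf ruleset. This is an added example, not something posted in the thread; the interface name `em0` and the two hub addresses (taken from the RFC 5737 documentation ranges) are placeholders for the reader's own values, and the rest of the ruleset is omitted.

```pf
# Added example (not from the thread): only the two "hub" machines may
# reach sshd on this host; everyone else is blocked and logged.
# em0 and the hub addresses are placeholders, not real infrastructure.
ext_if = "em0"
table <ssh_hubs> const { 192.0.2.10, 198.51.100.20 }

set skip on lo

# Default-deny inbound ssh, logging the attempts so scans show up in pflog.
block in log on $ext_if proto tcp to ($ext_if) port 22

# Two hubs at different providers, as suggested, so one outage does not
# lock you out of every managed host.
pass in on $ext_if proto tcp from <ssh_hubs> to ($ext_if) port 22 keep state

pass out on $ext_if keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and `pfctl -t ssh_hubs -T show` confirms which addresses the table actually holds. The `const` table cannot be changed at runtime, so a hub address changes only through an edit and reload of the ruleset, which keeps the list of trusted sources deliberate rather than accidental.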