[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Port Knocking on openBSD?
Greg Thomas wrote:
> On Feb 7, 2004, at 2:01 PM, Nick Holland wrote:
> > Same as the answer to "What's the protection if your port knocking
> > system has an exploit?"
> Aren't layers good?
If they truly are layers between abuser and target, yes. If breaking
the first layer means you now have to work on the second layer, yes.
However, if the first layer has a root exploit: no.
If you look at privilege separation in OpenSSH, the defense there is
in layers -- privilege separation adds a layer of program protection
to the standard security systems of the SSH protocol. Find a hole in
the implementation, the privsep keeps you stuck, able to do almost
nothing. "Port knocking" at first looks like a layer of protection
before you get to SSH, but that's only when things work right. When
things work wrong, if the exploit is in the "port knocking" itself,
game over, they are in on just one layer -- an entryway into your
system that didn't even exist previously. Note that the "port
knocking" usually adjusts filter rules, that's typically a root-level
Note the irony here: the GOOD GUYS go through layers, and because it
is more difficult for them, it sounds "safer". If the bad guys can
bust in at the first layer, they have reached their goal.
As Steve and Henning pointed out: this adds complexity. If people
spent time auditing code rather than adding code, I think the security
situation would improve much more than the added complexity improves
> >> Just curious as it's interesting to think this stuff through and I'm
> >> not very knowledgable here.
> > One idea: have one box you keep "safe" and up to date and able to fix
> > quickly. New SSH exploit comes out, you fix that box first. Your
> > other systems are filtered to only accept ssh traffic from that one
> > box (actually, for redundancy purposes, have TWO boxes on totally
> > different locations/service providers)
> > Out at a random location? ssh into your "hub" machine, then from
> > there to the remote system you need to maintain.
> Yes, that's a great idea. But if you're a small shop you may have
> trouble updating that one "safe" box.
Depends on what kind of shop. I've had no problem convincing clients
to host a low-traffic machine of mine at their site. There are
benefits for them -- I'm often tracking down a network problem for
them before they even realize they are down ("Could you reset your
router?" "Why?" "You're down" "We are?? Oh, we are!"). Redundancy
here is key -- you don't want to have just one remote site, in case a
management change has you (and your computer) out on the curb one
morning... If you aren't supporting multiple sites, "partnerships"
between companies, "You host mine, I'll host yours" can work, too.