04 March, 2007

For the April security issue of the Linux Journal, I have written the first of a two-part article on the concept of Single Packet Authorization (SPA). The first installment lays a theoretical foundation for why the security architecture and capabilities of SPA are superior to Port Knocking. The second installment (to be published in May) will provide a hands-on examination of how to use fwknop to harden an OpenSSH server behind a default-drop iptables policy. Here is an excerpt from the article:
"...When an attacker is on the prowl in an attempt to exploit a vulnerability in server software (as opposed to client software), the first step is reconnaissance; the attacker needs to locate a target. This process has been brilliantly automated by Nmap, so it is easy to construct a list of target systems that may be ripe for compromise. If the attacker has found a zero-day vulnerability in server software that you happen to be running, you don't want to appear in this list of targets! Both port knocking and Single Packet Authorization use a packet filter configured in a default-drop stance and simultaneously provide service only to those IP addresses that can prove their identity via a passive mechanism. No TCP/IP stack access is required to authenticate remote IP addresses via this passive means. Nmap cannot even tell that a server is running when protected in this way, and it does not matter even if the attacker has a zero-day exploit..."
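To make the mechanism in the excerpt concrete, the following is an added, constructed simulation of an SPA exchange; it is not code from the article or from fwknop, and fwknop's real packet format, encryption and firewall integration differ. The client builds one authenticated packet carrying its source IP, the requested port, a timestamp and a nonce; the "server" side validates it the way a passive sniffer would (no listening socket is involved) and, on success, records a time-limited accept rule for that source IP. Everything else stays in the default-drop state, so a scanner that never sends a valid packet sees nothing. The shared key, the 30-second window, the JSON body and the HMAC-SHA256 tag are all assumptions chosen for the demonstration:

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed shared secret for the demo; a real deployment uses a
# per-client key that is never sent over the wire.
KEY = b"constructed-shared-secret"
MAC_LEN = 32  # SHA-256 output length


def build_spa_packet(key, src_ip, port, now=None, nonce=None):
    """Client side: one base64 payload = JSON body || HMAC-SHA256(body).

    The body binds the packet to the sender's IP, the port being requested,
    the current time and a random nonce, so a sniffed copy cannot be reused
    later or from another address.
    """
    now = int(time.time()) if now is None else now
    nonce = os.urandom(16) if nonce is None else nonce
    body = json.dumps(
        {"src": src_ip, "port": port, "ts": now, "nonce": nonce.hex()}
    ).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag)


class SpaServer:
    """Server side: passive validation plus a default-drop rule table."""

    def __init__(self, key, window=30):
        self.key = key
        self.window = window      # seconds of clock skew and rule lifetime
        self.seen_nonces = set()  # replay cache
        self.rules = {}           # src_ip -> (port, expiry)

    def authorize(self, packet, sender_ip, now=None):
        """Return 'ok' and open a rule, or the reason the packet was ignored."""
        now = int(time.time()) if now is None else now
        try:
            raw = base64.b64decode(packet, validate=True)
        except ValueError:
            return "malformed"
        body, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "bad-mac"          # wrong key or tampered body
        msg = json.loads(body)
        if msg["src"] != sender_ip:
            return "ip-mismatch"      # replayed from a different host
        if abs(now - msg["ts"]) > self.window:
            return "stale"            # outside the accepted time window
        if msg["nonce"] in self.seen_nonces:
            return "replay"           # same packet seen before
        self.seen_nonces.add(msg["nonce"])
        self.rules[sender_ip] = (msg["port"], now + self.window)
        return "ok"

    def is_allowed(self, src_ip, port, now=None):
        """Packet-filter decision: default drop unless a live rule matches."""
        now = int(time.time()) if now is None else now
        rule = self.rules.get(src_ip)
        if rule is None:
            return False
        allowed_port, expiry = rule
        if now > expiry:
            del self.rules[src_ip]    # rule has timed out, back to drop
            return False
        return port == allowed_port


if __name__ == "__main__":
    server = SpaServer(KEY)
    client_ip, scanner_ip = "203.0.113.7", "198.51.100.9"  # constructed addresses
    print("scanner sees ssh:", server.is_allowed(scanner_ip, 22))
    pkt = build_spa_packet(KEY, client_ip, 22)
    print("client auth:", server.authorize(pkt, client_ip))
    print("client sees ssh:", server.is_allowed(client_ip, 22))
    print("replay from scanner:", server.authorize(pkt, scanner_ip))
    print("scanner sees ssh:", server.is_allowed(scanner_ip, 22))
```

In a real deployment the `rules` table corresponds to a temporary iptables ACCEPT rule inserted ahead of the default-drop policy and removed when it expires, and the server reads candidate packets with libpcap rather than from a bound socket, which is what lets it authenticate senders without exposing any TCP/IP stack service to Nmap.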