18 November, 2007

Gilbert Mendoza of http://www.savvyadmin.com has written an excellent howto guide for making use of Single Packet Authorization with fwknop on the Ubuntu Linux distribution. While fwknop is not yet released as a Debian package (although this should be coming soon), Gilbert's guide provides instructions for bootstrapping fwknop into a functional state on Ubuntu. He covers the installation of fwknop, configuring fwknopd to authenticate SPA clients with GnuPG (including construction of a specific set of GnuPG keys for this purpose), and setting up a default-drop iptables policy. Here is a portion of the introduction:
Single Packet Authorization (SPA) using "fwknop" is probably one of the coolest recent innovations in server and network access control technology. Just what is SPA, you ask? SPA is a method of limiting access to server and network resources by cryptographically authenticating users before any type of TCP/IP stack access is allowed.

In its simplest form, your Linux server can have an inbound firewall rule that by default drops all access to any of its listening services. Nmap scans will completely fail to detect any open ports, and zero-day attacks will not have any effect on vulnerable services since the firewall is blocking access to the applications.
Gilbert made a posting to his blog a few months ago about SPA as well.