Security Basics mailing list archives
RE: Port-Knocking vulnerabilities?
From: "Bill Lavalette" <blavalet () homenet-security com>
Date: Tue, 1 Jan 2008 08:01:22 -0500
I think Brent was right in saying get a real Firewall/VPN installed. I believe the original thread on this was that there was a weird ssh mech that the user found and was wondering why. We have swayed way past the advice point on this thread IMHO. It appears that the company in question is using a practice that was acceptable in the mid 90's If this is a risk that the business owners are willing to accept then there is nothing this list is going to gain or achieve by getting emotional about it. The best advice we can give this person is to advise the business owners that they are in dire need of a security overhaul and move forward. Heck I remember when port sentry was the hot ticket. I must say thought I think Craig in another thread mentioned gains and losses, From a business perspective He is right and some of you may interpret his words differently, Acceptable Risk is another way we understand this. Have a Happy and Prosperous 2008 all Bill ====== HomeNet Security =========== Bill Lavalette Network Security Officer CCSA-CCSE Crisis Mitigator ID Theft Prevention Mentor WWW http://www.homenet-security.com ==================================== Defending The Home LAN -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Craig Wright Sent: Monday, December 31, 2007 4:46 PM To: Ansgar -59cobalt- Wiechers; security-basics () securityfocus com Cc: lbhlists () gmail com; dave () davekleiman com Subject: RE: Port-Knocking vulnerabilities? Lets look at the issues. You rely on obscurity in a manner that changes flags in IP and makes the packets stand out. Most IDS's will alert to this, many routers will. A TCPdump filter for unusual flags and IP ID's is common in many ISP's. So we have a security mechanism that is advertising itself but relies on secrecy. Paradox and inconsistency No. 1. The IP ID field is 16 bits. With a 4 packet knock we have a functional equivalent of a 3 character all symbol or 4 character alpha numeric password. I do not believe that this was ever considered secure. IP ID fingerprinting will make the flag stand out. Without the SPA encryption mechanisms it is a simple capture (or sniffing). Using SPA (not Port knocking) you can sniff packets and capture for analysis. The "encryption" can be silently cracked in seconds (it is functionally equivalent to 13 bit DES) in microseconds given any modern PC. Please explain how this is more than a script kiddie toy and a security boon? As Brent stated, why not deploy a REAL crypto solution. It is 1. Easier. 2. Supported and 3 More secure (i.e. 128 or 256 bit keys take a LONG time to break). Regards, Dr Craig Wright (GSE-Compliance) PS Happy New Year Craig Wright Manager of Information Systems Direct : +61 2 9286 5497 Craig.Wright () bdo com au +61 417 683 914 BDO Kendalls (NSW) Level 19, 2 Market Street Sydney NSW 2000 GPO BOX 2551 Sydney NSW 2001 Fax +61 2 9993 9497 www.bdo.com.au Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists. The information in this email and any attachments is confidential. If you are not the named addressee you must not read, print, copy, distribute, or use in any way this transmission or any information it contains. If you have received this message in error, please notify the sender by return email, destroy all copies and delete it from your system. Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls. You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or Director of BDO Kendalls. It is your responsibility to scan this communication and any files attached for computer viruses and other defects. BDO Kendalls does not accept liability for any loss or damage however caused which may result from this communication or any files attached. A full version of the BDO Kendalls disclaimer, and our Privacy statement, can be found on the BDO Kendalls website at http://www.bdo.com.au or by emailing administrator () bdo com au. BDO Kendalls is a national association of separate partnerships and entities. ________________________________________ From: listbounce () securityfocus com [listbounce () securityfocus com] On Behalf Of Ansgar -59cobalt- Wiechers [bugtraq () planetcobalt net] Sent: Tuesday, 1 January 2008 7:50 AM To: security-basics () securityfocus com Subject: Re: Port-Knocking vulnerabilities? On 2007-12-31 Robert Inder wrote:
On 29/12/2007, Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
wrote:
On 2007-12-28 Jay wrote:Portknocking is a security mechanism as it is a type of authentication. "Something you know" in this case the sequence of ports to knock before a unstarted service or daemon begins listening for connections.Since everything is transmitted in the clear port-knocking is as much of a security mechanism as cleartext passwords. Technically: maybe (depending on your definition). Realistically: no.I think your dismissal of port knocking (and, indeed, plain text passwords) is unrealistic. If you can intercept my interaction with some remote server, you can steal the relevant secrets (the password or the sequence of ports). But isn't that quite a substantial "if"?
The substantial "if" is the question if intercepting the transmission will allow an attacker to learn the secret without having to compromise either the sender or the receiver of the communication. If an attacker can do that, then the authentication mechanism is insecure and thus mere obscurity. Period.
How are you going to do it? Aren't you going to have to compromise some other machine, either where I am, or where the server is (or, I guess, where the relevant DNS records are), and then plant software to deliberately wait and watch until a relevant interaction takes place?
http://ettercap.sourceforge.net/ There are other attack vectors as well.
I'm not saying that's impossible. But it would take considerable knowledge, planning and effort. Why doesn't that make it a substantial defence against most kinds of casual attack?
Because "substantial" is the opposite of "casual". A measure that won't also stop a determined attacker is just obscurity, not security. Regards Ansgar Wiechers -- "All vulnerabilities deserve a public fear period prior to patches becoming available." --Jason Coombs on Bugtraq
Attachment:
Bill Lavalette.vcf
Description:
Attachment:
smime.p7s
Description:
Current thread:
- RE: Port-Knocking vulnerabilities? Bill Lavalette (Jan 02)
- <Possible follow-ups>
- Re: Port-Knocking vulnerabilities? Michael Rash (Jan 07)
- RE: Port-Knocking vulnerabilities? Craig Wright (Jan 07)
- Re: Port-Knocking vulnerabilities? Michael Rash (Jan 07)
- RE: Port-Knocking vulnerabilities? whip (Jan 21)
- Re: Port-Knocking vulnerabilities? Michael Rash (Jan 22)
- RE: Port-Knocking vulnerabilities? Craig Wright (Jan 07)