port knocking

Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau (20086034) Lee Shirly (20095815) Ong Ivy (20095040)

Upload: awena

Post on 25-Feb-2016


Page 1: Port Knocking

Port Knocking
Software Project Presentation
Paper Study – Part 1

Group members:
Liew Jiun Hau (20086034)
Lee Shirly (20095815)
Ong Ivy (20095040)

Page 2: Port Knocking

Agenda
Basic Networking
Firewall
Network Attacks
Introduction to Port Knocking
Mechanism of Port Knocking

Page 3: Port Knocking

Introduction
A computer network is built on top of a protocol stack
  ◦ OSI Model: 7 layers
The operating system performs networking by using network sockets as an interface to communicate with other hosts
TCP/IP is the most common network protocol stack in modern networking
  ◦ Each host on the network is associated with an IP address
However, many applications may be performing network communication at the same time
  ◦ The OS uses ports to identify the applications that need to receive certain network data

*Reference image taken from http://commons.wikimedia.org/wiki/File:Osi-model-jb.png

Page 4: Port Knocking

TCP/IP – Internet Protocol Suite
A simpler model consisting of 5 layers
Generally 2 types of packet
  ◦ TCP Segment
  ◦ UDP Datagram
A 3rd type is a RAW packet
  ◦ Used together with a RAW socket
  ◦ Limited support in Windows
  ◦ More capabilities possible in UNIX/Linux environments

[Figure: the 5 layers: Application, Transport, Network, Data Link, Physical]

Page 5: Port Knocking

Client and Server
Internet services are usually built around a Client/Server model
  ◦ A server that wishes to offer services has to “listen” on a certain port, using a socket, for requests
  ◦ A client sends a request (following the server’s protocol) and initiates data exchange using a random port
This applies to Peer-2-Peer (P2P) hosts
  ◦ Hosts act as both client and server instead of one at a time
  ◦ All P2P hosts “listen” on a certain port
The ports that these servers are listening on are referred to as “open” ports

Page 6: Port Knocking

Port Status
Generally, we can classify the status of a port into 3 types (using the definitions of Nmap)
  ◦ Open – Active and accessible
  ◦ Closed – Not active but still accessible
  ◦ Filtered – Unknown
Usually we can use a network port scanner to learn the status of a certain port
  ◦ Network Mapper (Nmap) is a famous and popular tool that is freely available
A network scan can be legitimate or illegal
  ◦ To detect and troubleshoot problems in a network setup
  ◦ To perform a penetration check on a firewall
  ◦ It can also be used by a malicious hacker as preparation for an attack

Page 7: Port Knocking

Firewall
An open port is susceptible to attacks
  ◦ It is always accessible remotely
  ◦ Anyone can connect to it (or try to)
A firewall can be used to protect the ports
A firewall is a network security measure
  ◦ It can protect the host by applying control to the traffic that flows through the network
  ◦ Can be in the form of software or hardware

*Reference image taken from http://www.linksysbycisco.com/static/us/Learning-Center/Network-Security/Protecting-Your-Individual-PC/Software-Firewall/

Page 8: Port Knocking

Firewall (cont)
A firewall can inspect network traffic
  ◦ Based on certain rules, it will allow or drop network packets into/from a host
  ◦ Rules can be applied to both inbound and outbound network traffic
For a server that listens on a port to provide a service, there is still a problem
  ◦ That port must remain open
  ◦ This creates a network security risk
Although extra security policies could be applied to mitigate the risk

Page 9: Port Knocking

Network Attacks
By using tools like Nmap, a malicious hacker can find open ports through which to penetrate the system
Nmap can show the version of the server applications or services, or even fingerprint the OS on the host
  ◦ Some versions of the services are vulnerable to certain attacks, e.g. SSH v1.2.31 CRC-32 (2001)
  ◦ These attacks may allow the hacker to gain root (or admin) access, compromise the system and create more holes in it
Other examples
  ◦ Buffer-overflow
  ◦ TCP SYN-Flood
  ◦ Ping-flood

Page 10: Port Knocking

Port Knocking
Port knocking can be seen as a security mechanism for concealing open ports
To explain by analogy, port knocking is comparable to the secret door knock of the old days
  ◦ To get the door opened, one has to knock the correct sequence
  ◦ There might be a further question asking for a secret password after knocking correctly
Door = Port
Secret Knocks = Port Knock Sequence
Password = Authentication
  ◦ e.g. From SSH

Page 11: Port Knocking

Port Knocking (cont)
Port knocking works together with a firewall
  ◦ Giving an extra layer of protection
  ◦ It is not a replacement for authentication
Port knocking does 3 things:
  ◦ Concealment – all packets are dropped except those belonging to established connections
  ◦ Service Protection – because all packets are dropped by default, it protects the services behind the ports
  ◦ User Authentication – only trusted users who know the secret knocks can open a port and connect to it
2 types of Port Knocking
  ◦ Vanilla version
  ◦ Single Packet Authorization (will be explained next week)

[Figure: diagram with the labels "Port Knocking" and "Hardware"]

Page 12: Port Knocking

Mechanism of Port Knocking

[Figure: Server (Port, Knock Daemon, SSHd on 22, Application, Application) and Client (Port Knock Client, SSH Client, 5724); arrows labelled SYN: 5120, SYN: 128, SYN: 780]

Page 13: Port Knocking

Mechanism of Port Knocking (cont)

[Figure: Server (Port, Knock Daemon, SSH on 22, Application, Application) and Client (Port Knock Client, SSH Client, 5726); arrow labelled SSH Req]

Page 14: Port Knocking

Port Knocking Explained
Port-knock messages will be dropped by the firewall as usual
  ◦ But the daemon will take note of the knocks
The daemon will change the firewall rules after receiving the correct knocks
  ◦ Temporarily allow packets from the client to connect to the actual port
  ◦ Once the TCP connection is established, additional rules will be added to the firewall to allow the entire TCP session
The daemon can be implemented in 2 ways:
  ◦ Tracing the firewall logs
  ◦ Sniffing packets before they are dropped by the firewall
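
A minimal sketch of the "tracing the firewall logs" approach described above, added here as an example and not taken from the presentation: a per-source state machine reads log lines for dropped SYN packets and returns the allow rule once the knock is completed in order and in time. The knock ports come from the mechanism diagram; the log format, the 10-second window, the `KnockTracker` and `replay` names and the sample events are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed: ports from the diagram's SYN labels; port 22, window and log format constructed.
KNOCK_SEQUENCE = (5120, 128, 780)
PROTECTED_PORT = 22
KNOCK_WINDOW = 10.0  # seconds allowed from first knock to last
LOG_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) .*?SRC=(?P<src>\S+) .*?PROTO=TCP "
                    r".*?DPT=(?P<dpt>\d+) .*?\bSYN\b")

class KnockTracker:
    """Per-source state machine fed with firewall log lines for dropped SYNs."""
    def __init__(self):
        self.progress = {}  # source IP -> (knocks matched, time of first knock)
    def feed(self, line):
        """Return the temporary allow rule once a source completes the knock."""
        m = LOG_RE.match(line)
        if not m:
            return None
        try:  # never pass unvalidated log text into a firewall command
            src = str(ipaddress.ip_address(m["src"]))
        except ValueError:
            return None
        ts, dpt = float(m["ts"]), int(m["dpt"])
        idx, start = self.progress.get(src, (0, ts))
        if idx == 0 or ts - start > KNOCK_WINDOW:
            idx, start = 0, ts  # new or expired attempt
        if dpt == KNOCK_SEQUENCE[idx]:
            idx += 1
        else:  # wrong port: start over (it may itself be a first knock)
            idx, start = (1, ts) if dpt == KNOCK_SEQUENCE[0] else (0, ts)
        if idx < len(KNOCK_SEQUENCE):
            self.progress[src] = (idx, start)
            return None
        self.progress.pop(src, None)  # complete; a daemon would later remove the rule
        return ["iptables", "-I", "INPUT", "-s", src, "-p", "tcp",
                "--dport", str(PROTECTED_PORT), "-j", "ACCEPT"]

def replay(lines):
    tracker = KnockTracker()
    return [rule for rule in map(tracker.feed, lines) if rule]

SAMPLE_KNOCKS = [  # constructed (time, source, port) events, documentation addresses
    (100.0, "198.51.100.7", 5120), (101.0, "198.51.100.7", 128), (102.0, "198.51.100.7", 780),
    (110.0, "203.0.113.50", 128), (110.1, "203.0.113.50", 780), (110.2, "203.0.113.50", 5120),
    (200.0, "192.0.2.9", 5120), (205.0, "192.0.2.9", 128), (220.0, "192.0.2.9", 780)]
SAMPLE_LOG = [f"{t} KNOCK IN=eth0 SRC={s} DST=203.0.113.10 PROTO=TCP SPT=5724 DPT={p} SYN"
              for t, s, p in SAMPLE_KNOCKS]
```

Only the first source produces a rule: the second hits the right ports in the wrong order and the third exceeds the time window.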

Page 15: Port Knocking

Next Up
We will present SPA and its details in our upcoming presentation
After both topics are discussed, we will perform a study on the issues and problems in port knocking

Questions?

Page 16: Port Knocking

Thank you