Port Knocking

Software Project Presentation
Paper Study – Part 1
Group members:
Liew Jiun Hau (20086034)
Lee Shirly (20095815)
Ong Ivy (20095040)
Agenda
◦ Basic Networking
◦ Firewall
◦ Network Attacks
◦ Introduction to Port Knocking
◦ Mechanism of Port Knocking

Introduction

A computer network is built on top of a protocol stack
◦ OSI Model: 7 layers

The operating system performs networking by using a network socket as an interface to communicate with other hosts

TCP/IP is the most common network protocol stack in modern networking
◦ Each host on the network is associated with an IP address

However, many applications may be performing network communication at the same time
◦ The OS uses ports to identify the application that needs to receive given network data
*Reference image taken from http://commons.wikimedia.org/wiki/File:Osi-model-jb.png
TCP/IP – Internet Protocol Suite

A simpler model consisting of 5 layers
◦ Application, Transport, Network, Data Link, Physical

Generally 2 types of packet
◦ TCP Segment
◦ UDP Datagram

A 3rd type is a RAW Packet
◦ Used together with a RAW Socket
◦ Limited support in Windows
◦ More capabilities possible in UNIX/LINUX environments
Client and Server

Internet services are usually built around a Client/Server model
◦ A server that wishes to offer services has to “listen” for requests on a certain port using a socket
◦ The client sends a request (following the server’s protocol) and initiates data exchange using a random port

This also applies to Peer-2-Peer (P2P) hosts
◦ Hosts act as both client and server instead of one at a time
◦ All P2P hosts “listen” on a certain port

The ports that these servers are listening on are referred to as “open” ports
Port Status

Generally, we can classify the status of a port into 3 types (using the definitions of Nmap)
◦ Open – Active and accessible
◦ Closed – Not active but still accessible
◦ Filtered – Unknown

Usually we can use a network port scanner to learn the status of a certain port
◦ Network Mapper (Nmap) is a famous and popular tool that is freely available

A network scan can be legitimate or illegal
◦ To detect and troubleshoot problems in a network setup
◦ To perform a penetration check on a firewall
◦ It can also be used by a malicious hacker as preparation for an attack
Firewall

An open port is susceptible to attacks
◦ It is always accessible remotely
◦ Anyone can connect to it (or try to)

A firewall can be used to protect the ports

A firewall is a network security measure
◦ It can protect the host by applying control to the traffic that flows through the network
◦ Can be in the form of software or hardware
*Reference image taken from http://www.linksysbycisco.com/static/us/Learning-Center/Network-Security/Protecting-Your-Individual-PC/Software-Firewall/
Firewall (cont)

A firewall can inspect network traffic
◦ Based on certain rules, it will allow or drop network packets into/from a host
◦ Rules can be applied to both inbound and outbound network traffic

For a server that listens on a port to provide a service, there is still a problem
◦ That port must remain open
◦ This creates a network security risk
◦ Although extra security policy could be applied to mitigate the risk
Network Attacks


By using tools like Nmap, a malicious hacker can find some open ports to penetrate the system

Nmap can show the version of the server applications or services or even fingerprint the OS on the host
◦ Some versions of the services are vulnerable to certain attacks, e.g. SSH v1.2.31 CRC-32 (2001)
◦ These attacks may allow the hacker to gain root (or admin) access, compromise the system and create more holes in it

Other examples
◦ Buffer-overflow
◦ TCP SYN-Flood
◦ Ping-flood
Port Knocking


Port Knocking can be seen as a security mechanism for concealing open ports

By analogy, port knocking is comparable to the secret door knock of the old days
◦ To get the door open, one has to knock the correct sequence
◦ There might be another question asking for a secret password after knocking correctly

Door = Port
Secret Knocks = Port Knock Sequence
Password = Authentication
◦ e.g. from SSH
Port Knocking (cont)

Port Knocking works together with a firewall
◦ Giving an extra layer of protection
◦ It is not a replacement for authentication

Port Knocking does 3 things:
◦ Concealment – all packets are dropped except those belonging to established connections
◦ Service Protection – because all packets are dropped by default, it protects the services behind the ports
◦ User Authentication – only trusted users who know the secret knocks can open a port and connect to it

2 types of Port Knocking
◦ Vanilla version
◦ Single Packet Authorization (will be explained next week)

[Diagram: layered stack with the labels Port Knocking, Firewall, Applications (i.e. SSH), Operating System, Hardware]
Mechanism of Port Knocking
[Diagram: a Client host running the Port Knock Client and SSH Client applications, and a Server host running the Port Knock Daemon and SSHd on port 22. Labels on the diagram: SYN: 128, …, SYN: 5120, SYN: 780, and port 5724.]
Mechanism of Port Knocking (cont)
[Diagram: the same Client and Server hosts. Labels on the diagram: SSH Req, port 22 (SSH), port 5726.]
Port Knocking Explained

Port-knock messages will be dropped by the firewall as usual
◦ But the daemon will take note of the knocks

The daemon will change the firewall rules after receiving the correct knocks
◦ Temporarily allow packets from the client to connect to the actual port
◦ Once the TCP connection is established, additional rules will be added to the firewall to allow the entire TCP session

The daemon can be implemented in 2 ways:
◦ Tracing the firewall logs
◦ Sniffing packets before they are dropped by the firewall
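
The log-tracing daemon described above, sketched as an added example (not code from the presentation): a per-source state machine reads firewall drop-log lines and reports when a source has sent the full knock sequence in order within a time window. The log format, the time window, the order of the knock ports and the rule text are assumptions made for illustration.

```python
import re

# Assumed values; the port numbers appear on the slide diagram, their order is assumed.
KNOCK_SEQUENCE = (128, 5120, 780)   # secret knock ports, in order
PROTECTED_PORT = 22                 # concealed service (SSH)
KNOCK_WINDOW = 10.0                 # seconds allowed to complete the sequence

# Constructed, simplified log format: "<time> DROP SRC=<ip> DPT=<port> SYN"
LOG_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) DROP SRC=(?P<src>\S+) DPT=(?P<dpt>\d+) SYN$")

class KnockTracker:
    """Per-source state machine fed from firewall drop-log lines."""
    def __init__(self):
        self.progress = {}  # source IP -> (index of next expected knock, time of first knock)

    def feed(self, line):
        # Returns a rule description when a source completes the sequence, else None.
        m = LOG_RE.match(line.strip())
        if not m:
            return None
        ts, src, dpt = float(m["ts"]), m["src"], int(m["dpt"])
        idx, start = self.progress.get(src, (0, ts))
        if ts - start > KNOCK_WINDOW:        # too slow: start over
            idx, start = 0, ts
        if dpt == KNOCK_SEQUENCE[idx]:
            idx += 1
        else:                                # wrong port resets progress, unless it
            idx = 1 if dpt == KNOCK_SEQUENCE[0] else 0   # is itself a fresh first knock
            start = ts
        self.progress.pop(src, None)
        if idx == len(KNOCK_SEQUENCE):
            return f"ALLOW tcp from {src} to port {PROTECTED_PORT} (temporary)"
        if idx:
            self.progress[src] = (idx, start)
        return None

def replay(lines):
    """Feed log lines through a fresh tracker and collect the rules it would add."""
    tracker = KnockTracker()
    return [rule for rule in map(tracker.feed, lines) if rule]

# Constructed sample: one client knocking correctly, one host sweeping adjacent ports.
SAMPLE_LOG = [
    "100.0 DROP SRC=198.51.100.7 DPT=128 SYN",
    "100.5 DROP SRC=203.0.113.9 DPT=128 SYN",
    "100.6 DROP SRC=203.0.113.9 DPT=129 SYN",
    "101.0 DROP SRC=198.51.100.7 DPT=5120 SYN",
    "101.5 DROP SRC=198.51.100.7 DPT=780 SYN",
]
```

Running `replay(SAMPLE_LOG)` yields a single rule for 198.51.100.7; the sweeping host is reset by its knock on port 129 and never gets a rule.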
Next Up
◦ We will present SPA and its details in our upcoming presentation
◦ After both topics are discussed, we will perform a study of the issues and problems in port knocking
◦ Questions?

Thank you