port knocking
1. INTRODUCTION
1.1 ABSTRACT

Broadly, port knocking is a form of host-to-host communication in which information flows across closed ports. There are several variants of the method: information may be encoded into a port sequence or into a packet payload. In general, data are transmitted to closed ports and received by a monitoring daemon, which intercepts the information without sending any receipt to the sender.
In one instance, port knocking refers to a method of communication between two computers (arbitrarily named here client and server) in which information is encoded, and possibly encrypted, into a sequence of port numbers. This sequence is termed the knock. Initially, the server presents no open ports to the public and is monitoring all connection attempts. The client initiates connection attempts to the server by sending SYN packets to the ports specified in the knock. This process of knocking is what gives port knocking its name. The server offers no response to the client during the knocking phase, as it "silently" processes the port sequence. When the server decodes a valid knock it triggers a server-side process.
It is sometimes desirable to allow access to open ports on a firewall only to authorized external users and present closed ports to all others. We examine ways to construct an authentication service to achieve this goal, and then examine one such method, “port knocking”, and its existing implementations, in detail. We improve upon these existing implementations by presenting a novel port knocking architecture that provides strong authentication while addressing the weaknesses of existing port knocking systems.
1.2 HISTORY
Thirty-five years after the birth of the Internet, it has become well established that the Internet is a hostile place. Any host connected to the Internet needs to be secure against unauthorized intrusion and other attacks. Unfortunately, the only secure system is one that is completely inaccessible, but, to be useful, many hosts need to make services accessible to other hosts. While some services need to be accessible to anyone from any location, others should only be accessed by a limited number of people, or from a limited set of locations.
Research on this problem started in late 2004. The most obvious way to limit access is to require users to authenticate themselves before granting them access. Traditionally, this is left up to the services themselves: before granting users access to anything important, they must first prove their identity, using any one of a number of methods. While this is effective, it is not a perfect solution.
1.3 ASSOCIATED TECHNOLOGY
To implement port knocking on a system, we need:
• A packet-filtering firewall which is capable of logging connection attempts to closed ports, allows you to monitor the log file in real time (or can send its log file to a remote syslog server), and whose rules can be dynamically modified.
• The Perl prototype that accepts knocks and firewall log files of any format.
• A client and a host between which the communication takes place.
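The knock daemon described in the abstract and in this list (a monitor that reads the firewall's log of dropped connection attempts and triggers a server-side action once a valid port sequence arrives) can be illustrated with a small simulation. The following is an added example written for this page; it is not the report's Perl prototype and makes its own assumptions: a constructed log-line format, a hypothetical three-port knock (7000, 8000, 9000) and a 10-second window within which the whole sequence must arrive.

```python
"""Port-knock detector over firewall log lines.

Added example, not the report's Perl prototype. Assumed (not from the report):
the log-line format, the knock sequence and the time window.
"""
import re
from datetime import datetime, timedelta

# Constructed log-line format: "<ISO timestamp> DROP <src ip> -> <dst port>"
LOG_RE = re.compile(r"^(\S+) DROP (\d+\.\d+\.\d+\.\d+) -> (\d+)$")

# Hypothetical knock: SYNs to these closed ports, in this order, within WINDOW.
KNOCK = (7000, 8000, 9000)
WINDOW = timedelta(seconds=10)

# Constructed sample log: one source completes the knock, the other gets the
# order wrong and later exceeds the time window.
SAMPLE_LOG = """\
2024-01-01T12:00:00 DROP 203.0.113.5 -> 7000
2024-01-01T12:00:01 DROP 198.51.100.9 -> 22
2024-01-01T12:00:02 DROP 203.0.113.5 -> 8000
2024-01-01T12:00:03 DROP 203.0.113.5 -> 9000
2024-01-01T12:00:04 DROP 198.51.100.9 -> 7000
2024-01-01T12:00:05 DROP 198.51.100.9 -> 9000
2024-01-01T12:00:06 DROP 198.51.100.9 -> 7000
2024-01-01T12:00:30 DROP 198.51.100.9 -> 8000
2024-01-01T12:00:31 DROP 198.51.100.9 -> 9000
""".splitlines()


def parse_line(line):
    """Return (timestamp, src_ip, dst_port), or None if the line is not a drop record."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))


def detect_knocks(lines, knock=KNOCK, window=WINDOW):
    """Walk log lines in order and return [(src_ip, timestamp)] for each completed knock.

    Per-source state is the index of the next expected port plus the time the
    sequence started. A wrong port resets the sequence (restarting it if the
    wrong port happens to be the first knock port); exceeding the window
    resets it too. The daemon never answers the client, so nothing is sent.
    """
    progress = {}   # src_ip -> (next_index, start_time)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, port = rec
        idx, start = progress.get(src, (0, ts))
        if idx > 0 and ts - start > window:
            idx, start = 0, ts              # too slow: start over
        if port == knock[idx]:
            if idx == 0:
                start = ts                  # first knock port opens the window
            idx += 1
        elif port == knock[0]:
            idx, start = 1, ts              # wrong port, but it is the first knock port
        else:
            idx = 0                         # wrong port: discard progress
        if idx == len(knock):
            hits.append((src, ts))          # valid knock: trigger the server-side process
            idx = 0
        progress[src] = (idx, start)
    return hits


def planned_actions(hits, service_port=22, open_seconds=30):
    """Describe the firewall change a valid knock would trigger (hypothetical rule text)."""
    return [f"allow {src} -> tcp/{service_port} for {open_seconds}s (knock at {ts.isoformat()})"
            for src, ts in hits]


if __name__ == "__main__":
    for action in planned_actions(detect_knocks(SAMPLE_LOG)):
        print(action)
```

Only 203.0.113.5 triggers an action; 198.51.100.9 sends the right ports but out of order, and its later attempt spans more than the window. In a real deployment the daemon would add and later remove the firewall rule rather than print it, and the knock would be derived from a secret or a one-time sequence rather than fixed.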
2. TECHNOLOGY AND TRENDS
2.1 TECHNOLOGY
2.1.1 Ports

Those unaccustomed to host-based networking sometimes have trouble coming to terms with the notion of a ‘port’ on a computer. In the simplest of terms a port is a virtual door (represented by a 16-bit integer) which allows the computer to keep track of which pieces of data are destined for which application or service. Networking (transport layer) protocols such as TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) both use the concept of a port when transmitting packets to and from networked hosts. The port number (when used) is included in networking packets and is interpreted not only by sending and receiving hosts, but also by intermediate routers and firewalls. A firewall can be configured to allow or deny certain packets based on their destination port. When a service is listening for requests on a port, that port is said to be open, and clients can connect to the service. If no service is listening, then the port is considered closed. A client cannot connect to a closed port.
2.1.2 TCP, UDP and ICMP
TCP, UDP and ICMP are three of the most important networking protocols used regularly in modern networks. Transmission Control Protocol (TCP) is a stateful protocol that allows the two machines to create a connection between themselves and exchange information. A connection can be defined as two machines that have mutually ‘agreed’ to communicate. Such a connection is established by performing the ‘Three-Way Handshake’. This can be compared to making a telephone call: the initiator dials the number, the receiver picks up and says “Hello?”, at which point the initiator also says “Hello!”, and the conversation can begin until it is ended by either end. Most applications, such as Email, Web Browsing, and File Transfers, use TCP connections to transfer information.
The opposite of TCP is the User Datagram Protocol (UDP), which is stateless, so no formal connection is established between communicating hosts. This can be compared to a postal letter: the sender writes a letter and sends it off to its destination. The letter might arrive at its destination, or it might not; either way the sender will not receive any confirmation. A host sending UDP packets to another host receives no acknowledgement of whether the packets have been received. This makes UDP much faster than TCP, although far less reliable. UDP is suitable for applications that require a rapid rate of transmission and where reliability is not of utmost importance, such as audio/video chat.
The Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet protocol suite, and is used by networked computers to send error messages, for example when a specified port cannot be reached. When a service is not available or a host cannot be reached, there are a number of ‘control messages’ that end hosts or intermediate routers can use to inform other devices of these errors. One example is ICMP PORT UNREACHABLE (ICMP Type 3, Code 3), which informs a requesting host that the requested port cannot be reached for some reason. Applications do not tend to use ICMP directly, but in certain cases ICMP can be used to transmit small amounts of information within the data field of the ICMP packet.
2.1.3 Three-Way Handshake
The Three-Way Handshake is the protocol that computers use in order to establish a TCP connection with each other.
1. The initiating machine sends a ‘Hello’ (formally called a SYN) packet to a specified host on a specified port. For example, if you browse to http://foo.com, your computer first sends a SYN packet to port 80 (the default web server port) on the server at foo.com. If port 80 is not open on the web server, then your client will not receive a reply (and the connection will fail).
2. However, if port 80 is open, then the web server is listening and will reply to the client with a SYN/ACK packet, acknowledging that it received the first (SYN) packet and requesting a confirmation to complete the connection.
3. Finally, the client will send back an ACK packet, signaling that it confirms the connection.
At this point, both computers keep track that they are connected to each other. It is also important to note that some machines will only log a connection once the full Three-Way Handshake has been performed.
The connection is ended by one side or the other sending a FIN packet to the other end, which then replies with a FIN&ACK packet, and finally the initiating side sends back a final ACK packet.
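The handshake and teardown above, together with the note that a connection is logged only once the handshake completes, can be made concrete with a small connection tracker. This is an added example, not code from the report: packets are constructed tuples of (source, destination, server port, TCP flags), and the tracker records a connection only on the final ACK of the handshake. The knock packets at the end (SYNs to closed ports that are dropped by the firewall and never answered) stay half-open and are never logged as connections, which is exactly why a port-knocking server can observe them without being seen to respond.

```python
"""Connection tracker for the Three-Way Handshake and FIN teardown.

Added example, not code from the report. Packets are constructed tuples:
(src_ip, dst_ip, server_port, set_of_flags). The server port is the port the
SYN was sent to, so the connection key is always (client, server, port).
"""

# Constructed traffic: a full connection to port 80 followed by two knocks on
# closed ports. The firewall drops the knocks, so no SYN/ACK ever comes back.
SAMPLE_PACKETS = [
    ("10.0.0.2", "10.0.0.1", 80, {"SYN"}),          # 1. client: SYN
    ("10.0.0.1", "10.0.0.2", 80, {"SYN", "ACK"}),   # 2. server: SYN/ACK
    ("10.0.0.2", "10.0.0.1", 80, {"ACK"}),          # 3. client: ACK, connection established
    ("10.0.0.2", "10.0.0.1", 80, {"FIN"}),          # teardown: FIN
    ("10.0.0.1", "10.0.0.2", 80, {"FIN", "ACK"}),   # teardown: FIN&ACK
    ("10.0.0.2", "10.0.0.1", 80, {"ACK"}),          # teardown: final ACK
    ("10.0.0.2", "10.0.0.1", 7000, {"SYN"}),        # knock: dropped, no reply
    ("10.0.0.2", "10.0.0.1", 8000, {"SYN"}),        # knock: dropped, no reply
]


def track_connections(packets):
    """Return (logged, half_open, state).

    logged    - connections in the order their handshake completed
    half_open - keys that saw a SYN but never reached ESTABLISHED (e.g. knocks)
    state     - final per-connection state name
    """
    state = {}
    logged = []
    for src, dst, port, flags in packets:
        flags = frozenset(flags)
        if flags == {"SYN"}:
            state[(src, dst, port)] = "SYN_SENT"   # step 1: client opens
            continue
        # Find the connection this packet belongs to, in either direction.
        key = (src, dst, port) if (src, dst, port) in state else (dst, src, port)
        cur = state.get(key)
        if cur is None:
            continue   # no SYN seen for this flow; ignore
        client, server = key[0], key[1]
        if flags == {"SYN", "ACK"} and cur == "SYN_SENT" and src == server:
            state[key] = "SYN_RECEIVED"            # step 2: server answers
        elif flags == {"ACK"} and cur == "SYN_RECEIVED" and src == client:
            state[key] = "ESTABLISHED"             # step 3: handshake complete
            logged.append(key)                     # only now is it logged
        elif flags == {"FIN"} and cur == "ESTABLISHED":
            state[key] = "FIN_WAIT"
        elif flags == {"FIN", "ACK"} and cur == "FIN_WAIT":
            state[key] = "LAST_ACK"
        elif flags == {"ACK"} and cur == "LAST_ACK":
            state[key] = "CLOSED"
    half_open = sorted(k for k, s in state.items() if s in ("SYN_SENT", "SYN_RECEIVED"))
    return logged, half_open, state


if __name__ == "__main__":
    logged, half_open, state = track_connections(SAMPLE_PACKETS)
    print("logged connections:", logged)
    print("half-open (never completed):", half_open)
    print("final state of port 80 flow:", state[("10.0.0.2", "10.0.0.1", 80)])
```

Running it logs exactly one connection (port 80, now CLOSED after the teardown) and reports the two knock SYNs as half-open. A host that logs only completed handshakes would therefore show nothing for the knocks; a port-knocking daemon instead watches the firewall's own record of the dropped SYNs.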