In our society, it often takes tragedy to bring about change; unfortunate, but true. I am no exception. Over the weekend, I may have accidentally left a few ports open. With 65,535 of them, it's hard to remember if they're all closed and stealthed, or if 1241 is still open from my Nessus session, if my Slingbox is still slinging shows over 5001, or if one of those ports in the 27000 range was left open by my alter ego, the Half-Life addict.
Lucky for me, someone kindly let me know that some ports were left open, through the generous installation of free software (trojans, key loggers, and other malware goodies) on my server and several PCs. After some digital house cleaning, I decided to sprinkle a new layer of security on my network...port knocking.
This security approach was never fully embraced by the network community. I think this was partially due to a misunderstanding of its true purpose. It was never meant to act as a standalone method of security; just a thin lining in your multi-layered approach.
Port knocking (PK) is a firewall-based method of user authentication. Because it uses a generic client-server model, it is platform-independent. A client opens a port on the server from outside by sending a specific sequence of connection attempts to closed ports; the firewall drops (or rejects) those attempts exactly as it would any other, while a daemon on the server watches for the pattern. This is analogous to the old practice of using a predefined rhythmic knock on a door as a sort of pass code to gain entrance.
Let's forget about the server daemon, client software, dynamic firewall rules, sequencing mechanisms and encryption for now, and just look at the basic process. Imagine a server with no open ports and no vulnerable or critical services running. A client PC wants to connect to a service on the server, but the service port is closed and the service isn't even running. The client PC sends connection attempts to a series of ports, in a particular order and within a bounded time window. If the sequence of "knocks" matches a predetermined authorization set in both order and timing, the service port is opened (usually only for that client's source address) and the service is started. A knock on the wrong port in the middle of the sequence, or too long a pause between knocks, discards the partial sequence and the client has to start over.
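The basic process above, as an added example that is not code from the original post: a minimal knock matcher that consumes connection attempts as (timestamp, source IP, port) records, tracks each source's progress through the sequence, and reports when a source completes it in order and in time. The knock sequence, the timing limits, the service port and the sample events are constructed for illustration; a real daemon would feed it from a firewall log or a packet capture and would actually run the firewall command that `accept_rule` only builds.

```python
# Added example (not from the original post): a per-source port-knock state
# machine.  Sequence, timing limits, service port and sample events are
# constructed for illustration.

KNOCK_SEQUENCE = (7000, 8000, 9000)  # constructed; pick high, otherwise unused ports
MAX_GAP = 5.0        # seconds allowed between two consecutive knocks
TOTAL_WINDOW = 10.0  # seconds allowed for the whole sequence
SERVICE_PORT = 22    # port to open for a client that knocks correctly


class KnockMatcher:
    """Tracks each source address's progress through the knock sequence."""

    def __init__(self, sequence=KNOCK_SEQUENCE, max_gap=MAX_GAP,
                 total_window=TOTAL_WINDOW):
        self.sequence = tuple(sequence)
        self.max_gap = max_gap
        self.total_window = total_window
        # source_ip -> (index of next expected knock, first-knock time, last-knock time)
        self.progress = {}

    def knock(self, ts, src, port):
        """Feed one connection attempt; return True if it completes the sequence."""
        idx, first, last = self.progress.pop(src, (0, None, None))
        # A partial sequence that went quiet, or took too long overall, is discarded.
        if idx > 0 and (ts - last > self.max_gap or ts - first > self.total_window):
            idx, first, last = 0, None, None
        if port != self.sequence[idx]:
            # Any out-of-order port resets the source.  This is what defeats a
            # sequential port scan: it hits 7000, then 7001, and never reaches
            # 8000 with clean state.  The wrong port may itself be a fresh
            # first knock, so check for that before giving up.
            idx, first = 0, None
            if port != self.sequence[0]:
                return False
        if idx == 0:
            first = ts
        idx += 1
        if idx == len(self.sequence):
            return True  # complete; the source's state was already popped
        self.progress[src] = (idx, first, ts)
        return False


def accept_rule(src, service_port=SERVICE_PORT):
    """The iptables command a knock daemon would run to admit src (built, not executed)."""
    return ["iptables", "-I", "INPUT", "-s", src, "-p", "tcp",
            "--dport", str(service_port), "-j", "ACCEPT"]


# Constructed sample: 198.51.100.7 knocks correctly; 203.0.113.9 first walks
# ports in numerical order like a scanner, then knocks far too slowly.
SAMPLE_EVENTS = [
    (0.0, "198.51.100.7", 7000),
    (0.5, "203.0.113.9", 7000),
    (0.6, "203.0.113.9", 7001),   # out of order: resets the scanner
    (0.7, "203.0.113.9", 8000),
    (0.8, "203.0.113.9", 9000),
    (1.0, "198.51.100.7", 8000),
    (2.0, "198.51.100.7", 9000),  # completes the sequence
    (10.0, "203.0.113.9", 7000),
    (20.0, "203.0.113.9", 8000),  # 10 s after the previous knock: expired
    (21.0, "203.0.113.9", 9000),
]


def process(events, matcher=None):
    """Run events through a matcher; return [(timestamp, src)] for each completed knock."""
    matcher = matcher or KnockMatcher()
    return [(ts, src) for ts, src, port in events if matcher.knock(ts, src, port)]


if __name__ == "__main__":
    for ts, src in process(SAMPLE_EVENTS):
        print(f"t={ts}: {src} knocked correctly -> {' '.join(accept_rule(src))}")
```

Two design points worth noting: state is kept per source address, so one host's scanning cannot disturb another host's half-finished knock, and completing the sequence clears that source's state, so the client must knock again from the start next time rather than re-sending only the last port.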
This mechanism provides several benefits. It is a transparent means of controlled access: the service itself is unchanged, and its use is restricted to clients that produce the correct "knock" sequence. A common port scan reveals no open ports, and therefore no services to attack, provided the firewall treats the knock ports exactly like every other closed port and the daemon resets on any out-of-sequence knock, so that a scanner walking through the ports trips on the wrong ones in between. The sequence itself is the weak point: a static one can be obtained through packet capture and analysis and simply replayed. To counter that, it can be changed frequently using a pseudo-random generator seeded from a shared secret, or the knock can carry an encrypted, non-replayable payload, so that a captured sequence is worthless by the time an attacker tries to use it.