Port Knocking
Software Project Presentation
Paper Study – Part 1
Group members: Liew Jiun Hau (20086034), Lee Shirly (20095815), Ong Ivy (20095040)

Agenda
• Basic Networking
• Firewall
• Network Attacks
• Introduction to Port Knocking
• Mechanism of Port Knocking

Introduction
• A computer network is built on top of a protocol stack
  • OSI Model: 7 layers
• The operating system performs networking by using a network socket as an interface to communicate with other hosts
• TCP/IP is the most common network protocol stack in modern networking
• Each host on the network is associated with an IP address
• However, many applications may be performing network communication at the same time
• The OS uses ports to identify the application that should receive a given piece of network data
*Reference image taken from http://commons.wikimedia.org/wiki/File:Osi-model-jb.png

TCP/IP – Internet Protocol Suite
• A simpler model consisting of 5 layers
• Generally 2 types of packet
  • TCP Segment
  • UDP Datagram
• A 3rd type is the RAW Packet
  • Used together with a RAW Socket
  • Limited support in Windows
  • More capabilities possible in a UNIX/Linux environment
Layers: Application, Transport, Network, Data Link, Physical

Client and Server
• Internet services are usually built around a Client/Server model
• A server that wishes to offer services has to “listen” on a certain port, using a socket, for requests
• The client sends a request (following the server’s protocol) and initiates data exchange using a random port
• This also applies to Peer-2-Peer (P2P) hosts
  • Hosts act as both client and server instead of one at a time
  • All P2P hosts “listen” on a certain port
• The ports that these servers are listening on are referred to as “open” ports

Port Status
• Generally, we can classify the status of a port into 3 types (using the definitions of Nmap)
  • Open – Active and accessible
  • Closed – Not active but it is still accessible
  • Filtered – Unknown
• Usually we can use a network port scanner to learn the status of a certain port
  • Network Mapper (Nmap) is a well-known and popular tool that is freely available
• A network scan can be legitimate or illegal
  • To detect and troubleshoot problems with the network setup
  • To perform a penetration check on a firewall
  • It can also be used by a malicious hacker as preparation for an attack

Firewall
• An open port is susceptible to attacks
  • It is always accessible remotely
  • Anyone can connect to it (or try to)
• A firewall can be used to protect the ports
• A firewall is a network security measure
  • It can protect the host by applying controls to the traffic that flows through the network
  • It can be in the form of software or hardware
*Reference image taken from http://www.linksysbycisco.com/static/us/Learning-Center/Network-Security/Protecting-Your-Individual-PC/Software-Firewall/

Firewall (cont)
• A firewall can inspect network traffic
  • Based on a set of rules, it will allow or drop network packets into/from a host
  • Rules can be applied to both inbound and outbound network traffic
• For a server that listens on a port to provide a service, there is still a problem
  • That port must remain open
  • This creates a network security risk
  • Although extra security policies could be applied to mitigate the risk

Network Attacks
• By using tools like Nmap, a malicious hacker can find open ports through which to penetrate the system
• Nmap can show the version of the server applications or services, or even fingerprint the OS on the host
• Some versions of the services are vulnerable to certain attacks, e.g. SSH v1.2.31 CRC-32 (2001)
• These attacks may allow the hacker to gain root (or admin) access, compromise the system and create more holes in it
• Other examples
  • Buffer overflow
  • TCP SYN flood
  • Ping flood

Port Knocking
• Port Knocking can be seen as a security mechanism for concealing open ports
• By analogy, port knocking is comparable to the secret door knock of the old days
  • To get the door opened, one has to knock the correct sequence
  • There might be a further question asking for a secret password after knocking correctly
• Door = Port
• Secret Knocks = Port Knock Sequence
• Password = Authentication
  • e.g. From SSH

Port Knocking (cont)
• Port Knocking works together with a firewall
  • Giving an extra layer of protection
  • It is not a replacement for authentication
• Port Knocking does 3 things:
  • Concealment – all packets are dropped except those belonging to established connections
  • Service Protection – because all packets are dropped by default, it protects the services behind the ports
  • User Authentication – only trusted users who know the secret knocks can open a port and connect to it
• 2 types of Port Knocking
  • Vanilla version
  • Single Packet Authorization (will be explained next week)

Mechanism of Port Knocking
[Diagram. Labels: Client, Server, Port Knock Client, SSH Client, Port Knock Daemon, SSHd, Application, ports 5724 and 22, knock packets SYN: 5120, SYN: 128, SYN: 780]

Mechanism of Port Knocking (cont)
[Diagram. Labels: Client, Server, Port Knock Client, SSH Client, Port Knock Daemon, SSH, Application, ports 22 and 5726, SSH Req]

Port Knocking Explained
• Port-knock messages will be dropped by the firewall as usual
  • But the daemon will take note of the knocks
• The daemon will change the firewall rules after receiving the correct knocks
  • Temporarily allowing packets from the client to connect to the actual port
• Once the TCP connection is established, additional rules will be added to the firewall to allow the entire TCP session
• The daemon can be implemented in 2 ways:
  • Tracing the firewall logs
  • Sniffing packets before they are dropped by the firewall

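The log-tracing variant of the daemon, sketched as an added example that is not part of the original presentation: it follows each source address through the knock sequence from the diagram (5120, 128, 780) and builds the temporary allow rule for port 22. The log line format, the 10-second window and the sample addresses are assumptions made for illustration.

```python
import re

KNOCK_SEQUENCE = (5120, 128, 780)  # knock ports shown in the slide's diagram
PROTECTED_PORT = 22                # SSHd
WINDOW_SECONDS = 10                # assumption: time allowed to finish the sequence
# Assumed, simplified drop-log format: "<epoch> SRC=<ipv4> DPT=<port> SYN"
LOG_RE = re.compile(r"^(\d+) SRC=(\d{1,3}(?:\.\d{1,3}){3}) DPT=(\d{1,5}) SYN$")

class KnockTracker:
    """Per-source progress through the knock sequence."""
    def __init__(self):
        self.progress = {}  # source IP -> (knocks matched so far, time of first knock)

    def feed(self, line):
        """Consume one log line; return the source IP when it completes the sequence."""
        m = LOG_RE.match(line.strip())
        if not m:
            return None                      # ignore lines that do not parse
        ts, src, port = int(m.group(1)), m.group(2), int(m.group(3))
        idx, start = self.progress.get(src, (0, ts))
        if idx and ts - start > WINDOW_SECONDS:
            idx = 0                          # too slow: earlier knocks expire
        if port == KNOCK_SEQUENCE[idx]:
            start = ts if idx == 0 else start
            idx += 1
        elif port == KNOCK_SEQUENCE[0]:
            idx, start = 1, ts               # wrong knock that restarts the sequence
        else:
            idx = 0                          # wrong knock: back to the beginning
        if idx == len(KNOCK_SEQUENCE):
            self.progress.pop(src, None)     # a completed sequence is used once
            return src
        self.progress[src] = (idx, start)
        return None

def allowed_rules(log_lines):
    """Return the temporary allow rules a daemon would add (built here, never executed)."""
    tracker = KnockTracker()
    sources = filter(None, (tracker.feed(line) for line in log_lines))
    return [f"iptables -I INPUT -s {s} -p tcp --dport {PROTECTED_PORT} -j ACCEPT" for s in sources]

# Constructed sample log: a correct knocker (.7), a port scanner (.9), a too-slow client (.4).
SAMPLE_LOG = [
    "1000 SRC=198.51.100.7 DPT=5120 SYN", "1000 SRC=203.0.113.9 DPT=5120 SYN",
    "1000 SRC=192.0.2.4 DPT=5120 SYN", "1001 SRC=198.51.100.7 DPT=128 SYN",
    "1001 SRC=203.0.113.9 DPT=22 SYN", "1002 SRC=198.51.100.7 DPT=780 SYN",
    "1002 SRC=203.0.113.9 DPT=128 SYN", "1003 SRC=192.0.2.4 DPT=128 SYN",
    "1003 SRC=203.0.113.9 DPT=780 SYN", "1020 SRC=192.0.2.4 DPT=780 SYN",
]
```

Only the first source completes the sequence in order and in time. A real daemon would also remove the rule again after a timeout, since the slide describes the allowance as temporary.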
Next Up
• We will present SPA and its details in our upcoming presentation
• After both topics have been discussed, we will perform a study of the issues and problems in port knocking
• Questions?