|
Security Basics
Re: Port-Knocking vulnerabilities? Dec 28 2007 07:07PM Jay (jay tomas infosecguru com) (1 replies) Re: Port-Knocking vulnerabilities? Dec 29 2007 01:28PM Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net) (1 replies) |
|
|
Privacy Statement |
> On 2007-12-28 Jay wrote:
> > Portknocking is a security mechanism as it is a type of
> > authentication. "Something you know" in this case the sequence of
> > ports to knock before a unstarted service or daemon begins listening
> > for connections.
>
> Since everything is transmitted in the clear port-knocking is as much of
> a security mechanism as cleartext passwords. Technically: maybe
> (depending on your definition). Realistically: no.
I think your dismissal of port knocking (and, indeed, plain text
passwords) is unrealistic.
If you can intercept my interaction with some remote server, you can
steal the relevant secrets (the password or the sequence of ports).
But isn't that quite a substantial "if"?
How are you going to do it? Aren't you going to have to compromise
some other machine, either where I am, or where the server is (or, I
guess, where the relevant DNS records are), and then plant software to
deliberately wait and watch until a relevant interaction takes place?
I'm not saying that's impossible. But it would take considerable
knowledge, planning and effort.
Why doesn't that make it a substantial defence against most kinds of
casual attack?
Robert.
--
Robert Inder Interactive Information Ltd, Registered
in Scotland
07808 492 213 3, Lauriston Gardens, Company no. SC 150689
0131 229 1052 Edinburgh EH3 9HH
SCOTLAND UK Interactions speak
louder than words
[ reply ]