1 / 16

Port Knocking

Port Knocking. Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau (20086034 ) Lee Shirly (20095815) Ong Ivy (20095040 ). Agenda. Basic Networking Firewall Network Attacks Introduction to Port Knocking Mechanism of Port Knocking. Introduction.

awena
Download Presentation

Port Knocking

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Port Knocking Software Project Presentation Paper Study – Part 1 Group member: LiewJiunHau (20086034) Lee Shirly (20095815) OngIvy (20095040)

  2. Agenda • Basic Networking • Firewall • Network Attacks • Introduction to Port Knocking • Mechanism of Port Knocking

  3. Introduction • Computer network is built on top of protocol stack • OSI Model: 7 layers • Operating system perform networking by using network socket as an interface to communicate to other hosts • TCP/IP is the most common network protocol stack in modern networking • Each host on the network are associated with an IP address • However, there are many application that may be performing network communication at the same time • OS uses ports to identify the applications that need to receive a certain network data *Reference image taken from http://commons.wikimedia.org/wiki/File:Osi-model-jb.png

  4. TCP/IP – Internet Protocol Suite • A simpler model consist of 5 layers • Generally 2 types of packet • TCP Segment • UDP Datagram • 3rd type is a RAW Packet • Used together with RAW Socket • Limited support in Windows • More capabilities possible in UNIX/LINUX environment Application Transport Network Data Link Physical

  5. Client and Server • Usually Internet services are built around in a Client/Server model • Server that wish to offer services have to “listen” on a certain port using socket for requests • Client send request (follow server’s protocol) and initiate data exchange using a random port • This applies to Peer-2-Peer (P2P) hosts • Hosts act as both client and server instead of one at a time • All P2P-hosts “listen” on a certain port • The ports that these servers are listening on are referred as an “open” port

  6. Port Status • Generally, we can classify the status of a port into 3 types (using definition of Nmap) • Open – Active and accessible • Closed – Not active but it is still accessible • Filtered – Unknown • Usually we can use a network port scanner to gain knowledge of the status of a certain port • Network Mapper (Nmap) is a famous and popular tool that is freely available • Network scan can be legitimate or illegal • To detect and troubleshoot problem of network setup • To perform penetration check on firewall • It can also be used by malicious hacker as a preparation for attack

  7. Firewall • An open port is susceptible to attacks • It is always accessible remotely • Anyone can connect to it (or try to) • A firewall can be used to protect the ports • Firewall is a network security measurement • It can protect the host by applying control to the traffic that flow through the network • Can be in the form of software or hardware *Reference image taken from http://www.linksysbycisco.com/static/us/Learning-Center/Network-Security/Protecting-Your-Individual-PC/Software-Firewall/

  8. Firewall (cont) • Firewall can inspect network traffic • Based on a certain rules, it will allow or drop network packets into/from a host • Rules can be applied to both inbound and outbound network traffic • For server that listens to a port to provide a service, there is still a problem • That port must remain open • This create a network security risk • Although extra security policy could be apply to mitigate the risk

  9. Network Attacks • By using tools like Nmap, malicious hacker can find some open ports to penetrate the system • Nmap can show the version of the server applications or services or even fingerprint the OS on the host • Some version of the services are vulnerable to certain attack, e.g. SSH v1.2.31 CRC-32 (2001) • These attacks may allow the hacker to gain root (or admin) access, compromise and create more holes in the system • Other examples • Buffer-overflow • TCP SYN-Flood • Ping-flood

  10. Port Knocking • Port Knocking can be seen as a security mechanism for concealing open ports • If we were to explain in analogy, port knocking will be comparable to the secret door knock in the old days • To get the door open, one have to knock the correct sequence • There might be another question asking for secret password after knocking correctly • Door = Port • Secret Knocks = Port Knock Sequence • Password = Authentication • e.g. From SSH

  11. Port Knocking (cont) • Port Knocking works together with Firewall • Giving an extra layer of protection • It is not a replacement for authentication • Port Knocking does 3 things: • Concealment – all packets are dropped except those established connection • Service Protection – because all packets are dropped by default, it protects the services behind the ports • User Authentication – only trusted users who knows the secret knocks can open a port and connects to it • 2 types of Port Knocking • Vanilla version • Single Packet Authorization (will be explained in next week)

  12. Mechanism of Port Knocking Client Server Port Knock Client SSHd Port Knock Daemon 5724 22 … … SSH Client SYN: 5120 SYN: 128 SYN: 780 Application Application

  13. Mechanism of Port Knocking (cont) Client Server Port Knock Client SSH Port Knock Daemon 22 5726 … … SSH Client SSH Req Application Application

  14. Port Knocking Explained • Port-knock messages will be dropped by the firewall as usual • But the daemon will take note of the knocks • Daemon will change firewall rule after receiving the correct knocks • Temporary allow packets from the client to connect the actual port • Once TCP connection is established, additional rules will be added to firewall to allow the entire TCP session • Daemon can be implemented in 2 ways: • Tracing the firewall logs • Sniffing packets before it is dropped by the firewall

  15. Next Up • We will present about SPA and its details on our upcoming presentation • After both topic are discussed, we will perform a study on the issues and problems in port knocking • Questions?

  16. Thank you

More Related