
Port Knocking - PowerPoint Presentation

lindy-dunigan
Uploaded On 2016-11-11


Presentation Transcript

Slide1

Port Knocking

Software Project Presentation

Paper Study – Part 1

Group members:

Liew Jiun Hau (20086034)

Lee Shirly (20095815)

Ong Ivy (20095040)

Slide2

Agenda

Basic Networking

Firewall

Network Attacks

Introduction to Port Knocking

Mechanism of Port Knocking

Slide3

Introduction

A computer network is built on top of a protocol stack

OSI Model: 7 layers

The operating system performs networking by using a network socket as an interface to communicate with other hosts

TCP/IP is the most common network protocol stack in modern networking

Each host on the network is associated with an IP address

However, there are many applications that may be performing network communication at the same time

The OS uses ports to identify the application that needs to receive certain network data

*Reference image taken from http://commons.wikimedia.org/wiki/File:Osi-model-jb.png

Slide4

TCP/IP – Internet Protocol Suite

A simpler model consisting of 5 layers

Generally 2 types of packet

TCP Segment

UDP Datagram

A 3rd type is the RAW packet

Used together with a RAW socket

Limited support in Windows

More capabilities possible in UNIX/Linux environments

[Diagram: the 5 layers are Application, Transport, Network, Data Link, Physical]

Slide5

Client and Server

Internet services are usually built around a client/server model

A server that wishes to offer a service has to “listen” on a certain port, using a socket, for requests

The client sends a request (following the server’s protocol) and initiates data exchange using a random port

This applies to Peer-to-Peer (P2P) hosts

Hosts act as both client and server instead of one at a time

All P2P hosts “listen” on a certain port

The ports that these servers are listening on are referred to as “open” ports

Slide6

Port Status

Generally, we can classify the status of a port into 3 types (using the definitions of Nmap)

Open – Active and accessible

Closed – Not active but still accessible

Filtered – Unknown

Usually we can use a network port scanner to learn the status of a certain port

Network Mapper (Nmap) is a well-known and popular tool that is freely available

A network scan can be legitimate or illegal

To detect and troubleshoot problems with a network setup

To perform penetration checks on a firewall

It can also be used by malicious hackers as preparation for an attack

Slide7

Firewall

An open port is susceptible to attacks

It is always accessible remotely

Anyone can connect to it (or try to)

A firewall can be used to protect the ports

A firewall is a network security measure

It can protect the host by applying control to the traffic that flows through the network

Can be in the form of software or hardware

*Reference image taken from http://www.linksysbycisco.com/static/us/Learning-Center/Network-Security/Protecting-Your-Individual-PC/Software-Firewall/

Slide8

Firewall (cont)

A firewall can inspect network traffic

Based on certain rules, it will allow or drop network packets into/from a host

Rules can be applied to both inbound and outbound network traffic

For a server that listens on a port to provide a service, there is still a problem

That port must remain open

This creates a network security risk

Although extra security policy could be applied to mitigate the risk

Slide9

Network Attacks

By using tools like Nmap, malicious hackers can find open ports through which to penetrate the system

Nmap can show the version of the server applications or services, or even fingerprint the OS on the host

Some versions of services are vulnerable to certain attacks, e.g. SSH v1.2.31 CRC-32 (2001)

These attacks may allow the hacker to gain root (or admin) access, compromise the system and create more holes in it

Other examples

Buffer overflow

TCP SYN flood

Ping flood

Slide10

Port Knocking

Port knocking can be seen as a security mechanism for concealing open ports

By analogy, port knocking is comparable to the secret door knock of the old days

To get the door open, one has to knock the correct sequence

There might be a further question asking for a secret password after knocking correctly

Door = Port

Secret Knocks = Port Knock Sequence

Password = Authentication

e.g. from SSH

Slide11

Port Knocking (cont)

Port knocking works together with the firewall

Giving an extra layer of protection

It is not a replacement for authentication

Port Knocking does 3 things:

Concealment – all packets are dropped except those of established connections

Service Protection – because all packets are dropped by default, it protects the services behind the ports

User Authentication – only trusted users who know the secret knocks can open a port and connect to it

2 types of Port Knocking

Vanilla version

Single Packet Authorization (will be explained next week)

Slide12

Mechanism of Port Knocking

[Diagram. Server: Port Knock Daemon, SSHd, Application, Application, 22. Client: Port Knock Client, SSH Client, 5724. Messages: SYN: 5120, SYN: 128, SYN: 780]

Slide13

Mechanism of Port Knocking (cont)

[Diagram. Server: Port Knock Daemon, SSH, Application, Application, 22. Client: Port Knock Client, SSH Client, 5726. Message: SSH Req]

Slide14

Port Knocking Explained

Port-knock messages will be dropped by the firewall as usual

But the daemon will take note of the knocks

The daemon will change the firewall rules after receiving the correct knocks

Temporarily allow packets from the client to connect to the actual port

Once the TCP connection is established, additional rules will be added to the firewall to allow the entire TCP session

The daemon can be implemented in 2 ways:

Tracing the firewall logs

Sniffing packets before they are dropped by the firewall

Slide15

Next Up

We will present SPA and its details in our upcoming presentation

After both topics are discussed, we will study the issues and problems in port knocking

Questions?

Slide16

Thank you
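
The log-tracing variant of the daemon described on the "Port Knocking Explained" slide, as an added example that is not code from the presentation: a per-source state machine reads firewall log lines for dropped SYN packets and reports which client would be allowed through to port 22. The knock order 5120, 128, 780, the 10-second timeout, the simplified log format and the names KnockTracker and run are assumptions.

```python
import re

KNOCK_SEQUENCE = (5120, 128, 780)  # ports from the slide; the order is assumed
PROTECTED_PORT = 22                # SSHd port from the slide
KNOCK_TIMEOUT = 10.0               # assumed: max seconds between consecutive knocks

# Simplified iptables-LOG-style line with a leading epoch timestamp (constructed format).
LOG_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) .*\bSRC=(?P<src>\S+) .*\bPROTO=TCP\b"
                    r".*\bDPT=(?P<dpt>\d+)\b.*\bSYN\b")

class KnockTracker:
    """Per-source state machine fed by firewall log lines for dropped SYNs."""
    def __init__(self):
        self.progress = {}  # src -> (index of next expected knock, time of last knock)
        self.allowed = []   # (src, port) pairs the daemon would open

    def feed(self, line):
        m = LOG_RE.match(line)
        if not m:
            return None
        ts, src, dpt = float(m["ts"]), m["src"], int(m["dpt"])
        idx, last = self.progress.get(src, (0, ts))
        if idx and ts - last > KNOCK_TIMEOUT:
            idx = 0  # partial sequence went stale: start over
        if dpt == KNOCK_SEQUENCE[idx]:
            idx += 1
        else:  # wrong port resets progress (a fresh first knock counts as a restart)
            idx = 1 if dpt == KNOCK_SEQUENCE[0] else 0
        if idx == len(KNOCK_SEQUENCE):
            self.progress.pop(src, None)
            self.allowed.append((src, PROTECTED_PORT))
            return src  # caller would add a temporary allow rule for src -> port 22
        self.progress[src] = (idx, ts)
        return None

def run(lines):
    tracker = KnockTracker()
    for line in lines:
        tracker.feed(line)
    return tracker.allowed

# Constructed sample log (documentation addresses), not captured traffic.
_F = "{} KNOCK SRC={} DST=198.51.100.5 PROTO=TCP SPT=5724 DPT={} SYN"
SAMPLE_LOG = [_F.format(*row) for row in [
    (100.0, "192.0.2.10", 5120), (100.5, "203.0.113.7", 5120),
    (101.0, "192.0.2.10", 128), (101.5, "203.0.113.7", 780),  # wrong order
    (102.0, "192.0.2.10", 780),                                 # completes the sequence
    (200.0, "192.0.2.99", 5120), (201.0, "192.0.2.99", 128),
    (230.0, "192.0.2.99", 780),                                 # too late: timed out
]]
```

A deployed daemon would also expire idle entries in `progress` and remove the temporary allow rule after a short window; both are left out here.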