23 July, 2008
This past weekend at the
Last HOPE conference
in NYC I gave a
talk entitled
"
Port Knocking and Single Packet Authorization: Practical Deployments"
(
slides).
The talk was fairly well attended - I estimate about 100 people or so - and there
were several good questions from the audience. Some of the questions deserved a
more thorough answer than I was able to provide during the talk, so this blog post
fleshes out some of my original answers. If you attended the talk and would like
to see more discussion of one of these questions, or if you just have a question
about fwknop in general, please email me.
Q: Does fwknop run on the iPhone?
A: Given that the iPhone runs Mac OS X as well as perl, it should be feasible
to run fwknop on the iPhone at least as a client. If ipfw is also available for
the iPhone and AT&T does not filter inbound connections to servers that are
running on an iPhone (I don't personally have one so I have not verified this), then
it should also be possible to run the fwknopd daemon to sniff SPA packets.
Q: Why not build a covert channel over bits in the TCP header? Wouldn't
this provide a way to implement a more simplistic userspace daemon for parsing inbound
traffic?
A: There are certainly a decent number of bits available within the TCP
header (and IP header too) that could be used to encode information within a covert
channel, but my concern would be that not enough bits would be available to
accomplish everything necessary to provide good security. Making such packets
non-replayable while offering an encrypted payload at the same time I think would
be difficult. That said however, one could envision a hybrid approach where bits
are used first within packet headers to "get to the next stage", and this would
allow the first stage to be implemented by a simplistic piece of code (such as
parsing a firewall log). (This was suggested to me by
Jacob Appelbaum at the end of the
talk.) Still, there would be a permissions problem on the
client side because tweaking bits at this level would mean that one cannot just
open a socket and send data - a raw socket would be required.
Q: Have you audited the perl parser code or associated perl modules for
security vulnerabilities?
A: Yow, this one was a zinger, and gets to the heart of the code complexity
problem. I certainly cannot claim that all of the code used by fwknop is
completely secure (no one ever can really for any piece of code), but at least
attacking the fwknopd daemon is not as easy as just scanning for some vulnerable
piece of software that advertises itself via a TCP socket. I'm working on re-writing
fwknop in C though to make it much more lightweight and less complex, and this
should help to address concerns about the complexity of perl modules while also
allowing fwknopd to run on embedded distributions such as
OpenWRT.
Jacob Appelbaum attended the talk, and he
asked the later two questions above (which were excellent and thought provoking).
Later on Sunday, I spoke briefly with Jacob and during that conversation he
suggested sending SPA packets over DNS queries in order to once again return to a
log parsing model for SPA instead of requiring a sniffer, and using DNS would also
imply compatibility with Tor because it already handles DNS queries. I think
this is a great idea, and I have added it to the fwknop
TODO
list - it will definitely be implemented as an option for fwknop communications.
On another note, Jacob gave a panel discussion on Saturday of the recent Debian
OpenSSL vulnerability along with
Dino Dai Zovi
and
Karsten Nohl. Hopefully the video of this
talk will be posted online - it was quite excellent and provides perspective on
just how damaging a seemingly innocuous and helpful "fix" can have far-reaching
implications for computer (in)security. In this case, a Debian developer noticed
that valgrind detected the usage of uninitialized memory by the OpenSSL library,
and interpreted this as a programming bug that needed to be fixed. It turns out
that OpenSSL actually uses uninitialized memory as a way to gather additional
entropy during the key generation process, and removing this code had the effect of
reducing the security of all keys generated by any application on Debian that
used OpenSSL, which is a
huge list of applications. We are
going to feel the effects of this bug for a long time to come even if every
vulnerable system has already been patched because there are a lot of weak keys
still in use.
Scott Beatty recently prepared a
talk about fwknop
at the 2008 BARcamp gathering in Chicago. It is nice
to see fwknop getting some additional publicity, and Scott emphasizes Single Packet Authorization
(SPA) mode communications over the legacy port knocking mode (which often seem to be confused as the
same thing). Scott's talk is entitled Protect Your SSH Port (and Others) With fwknop, and
has a lot of excellent supporting graphics - including screenshots of both the Nmap cross-platform
frontend Zenmap and the
fwknop Windows UI
in action - to help illustrate authentication concepts and fwknop usage.
Port Knocking and
its big brother, Single Packet Authorization (SPA), can provide a robust additional layer
of protection for services such as SSH, but there are many competing Port Knocking and SPA
implementations. This talk will present practical usages of fwknop in Port Knocking and SPA
modes, and discuss what works and what doesn't from a protocol perspective. Integration
points for both iptables and ipfw firewalls on Linux and FreeBSD systems will be highlighted,
and client-side support on Windows will be demonstrated. Finally, advanced functionality
such as inbound NAT support for authenticated connections, sending SPA packets over the
Tor anonymity network, and covert channel usages will be discussed. With SPA deployed,
anyone scanning for a service with Nmap cannot even tell that it is listening; let alone
target it with an exploit (zero-day or not).
