By Kurt Seifried (kurt@seifried.org)
There are a number of pros, cons and alternatives to port knocking.
Cons
The primary downside to port knocking is that, in the process of creating an additional layer of security, it also creates another layer of administrative control. Since port knocking is not widely supported, most software packages are ad-hoc affairs with minimal support and documentation. Most sites with documented firewall configurations and management procedures will also require additional management processes to handle the port knocking configuration and its maintenance. Thus it is likely that a port knocking configuration may lead to insecurities by allowing too much access, or by not being documented properly. If port knocking is used to enable access to a previously firewalled service that has not been securely configured (because it was not publicly accessible), a security breach may be possible.
Pros
Although the argument against security through obscurity is often raised against port knocking, if port knocking is used in an otherwise secured environment it can be a valuable additional layer of security.
For example, if every host that must be accessible via SSH from the Internet is placed behind a port knocking capable firewall, the amount of scanning traffic and SSH brute force login attempts should drop to virtually zero.
Port knocking also does not introduce the network latency and encryption overhead common with VPN solutions. The amount of additional traffic required by port knocking can also be minimal, resulting in relatively little network overhead being used to support it.
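The article describes port knocking only at the level of its effects. The following is an added Python example, not code from the article or from any port knocking package, showing the mechanism as a small knock daemon that replays constructed firewall log lines. The knock sequence, the time window, the lease length, the log format and all addresses are assumptions chosen for the example. It also encodes the two controls a reviewer of a port knocking setup should look for against the "too much access" concern from the Cons section: the protected port opens only for the source that knocked, and only for a limited lease.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Hypothetical policy parameters (assumptions for this example, not from the article).
KNOCK_SEQUENCE = (7000, 8000, 9000)   # closed ports that must be hit in this order
KNOCK_WINDOW = 10.0                   # seconds allowed to complete the whole sequence
LEASE_SECONDS = 30.0                  # how long the protected port stays open per source
PROTECTED_PORT = 22                   # the service the knock unlocks (SSH, as in the article)


@dataclass
class KnockState:
    index: int = 0        # how many knocks of the sequence have been seen so far
    started: float = 0.0  # time of the first knock of the current attempt


@dataclass
class KnockDaemon:
    """Tracks knock sequences per source and grants time-limited, per-source access."""
    states: Dict[str, KnockState] = field(default_factory=dict)
    leases: Dict[str, float] = field(default_factory=dict)  # source -> lease expiry time

    def observe(self, src: str, dport: int, now: float) -> Optional[str]:
        """Feed one dropped connection attempt. Returns src when it completes the sequence."""
        st = self.states.get(src, KnockState())
        # The attempt took too long: start over from nothing.
        if st.index and now - st.started > KNOCK_WINDOW:
            st = KnockState()
        if dport == KNOCK_SEQUENCE[st.index]:
            if st.index == 0:
                st.started = now
            st.index += 1
        else:
            # A wrong knock discards the attempt; a correct first knock may begin a new one.
            st = KnockState()
            if dport == KNOCK_SEQUENCE[0]:
                st.index, st.started = 1, now
        if st.index == len(KNOCK_SEQUENCE):
            self.states.pop(src, None)
            self.leases[src] = now + LEASE_SECONDS   # open only for this source, only for a while
            return src
        self.states[src] = st
        return None

    def is_allowed(self, src: str, dport: int, now: float) -> bool:
        """Firewall decision for a new connection from src to dport at time now."""
        if dport != PROTECTED_PORT:
            return False                 # the knock never opens anything else
        expiry = self.leases.get(src)
        if expiry is None:
            return False                 # this source has not knocked
        if now > expiry:
            del self.leases[src]         # lease ran out: close again, require a fresh knock
            return False
        return True


# Constructed, iptables-like log lines: "<seconds> kernel: ... SRC=<ip> ... DPT=<port>".
LOG_RE = re.compile(r"^(?P<t>\d+(?:\.\d+)?) .*SRC=(?P<src>\S+) .*DPT=(?P<dport>\d+)")

CONSTRUCTED_LOG = """\
0.0 kernel: KNOCK IN=eth0 SRC=192.0.2.9 DST=198.51.100.7 PROTO=TCP DPT=7000
1.0 kernel: KNOCK IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP DPT=7000
2.0 kernel: KNOCK IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP DPT=8000
3.0 kernel: KNOCK IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP DPT=9000
4.0 kernel: KNOCK IN=eth0 SRC=198.51.100.23 DST=198.51.100.7 PROTO=TCP DPT=22
5.0 kernel: KNOCK IN=eth0 SRC=198.51.100.23 DST=198.51.100.7 PROTO=TCP DPT=7000
6.0 kernel: KNOCK IN=eth0 SRC=198.51.100.23 DST=198.51.100.7 PROTO=TCP DPT=9000
20.0 kernel: KNOCK IN=eth0 SRC=192.0.2.9 DST=198.51.100.7 PROTO=TCP DPT=8000
21.0 kernel: KNOCK IN=eth0 SRC=192.0.2.9 DST=198.51.100.7 PROTO=TCP DPT=9000
"""


def replay(log: str) -> KnockDaemon:
    """Feed every parsable log line to a fresh daemon and return it for inspection."""
    daemon = KnockDaemon()
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            daemon.observe(m["src"], int(m["dport"]), float(m["t"]))
    return daemon


if __name__ == "__main__":
    d = replay(CONSTRUCTED_LOG)
    for src, t in (("203.0.113.5", 4.0), ("198.51.100.23", 7.0),
                   ("192.0.2.9", 22.0), ("203.0.113.5", 40.0)):
        print(src, "at", t, "->", "allow" if d.is_allowed(src, 22, t) else "drop")
```

In the replayed log only 203.0.113.5 completes the sequence inside the window; 198.51.100.23 skips a port, and 192.0.2.9 takes too long between knocks. Once the lease for 203.0.113.5 runs out the port closes again for it, which is the property that keeps a forgotten knock from turning into permanent exposure.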
Alternatives
If you desire the benefits of port knocking but don’t have the infrastructure to deal with it (e.g. firewalls deployed at network access points), there are some alternatives. IPSec and other traditional VPN technology can be used to expose services to trusted hosts and users only. The benefit of this is that many sites will already have VPN infrastructure in place and policies to deal with it. Another possibility would be to install a secured host with SSH, allow access to this host via SSH, and then allow port redirection by clients. Clients would need a properly configured SSH client, and the SSH server would require enough CPU power and bandwidth to handle all the connections. It should be noted that SSH can also perform as a VPN client and server now with the latest versions.