[cap-talk] Port Knocking
Jed Donnelley
capability at webstart.com
Wed Feb 7 18:40:17 CST 2007
cap-talk,
I hadn't previously heard of this idea:
http://en.wikipedia.org/wiki/Port_knocking
I like it. In the first blush of newness it seems to have some great
properties.
Mainly that I can keep all ports closed to all hosts - seemingly protecting
against nearly any sort of attack against potentially buggy server software -
and then only open up specific ports to specific clients if they knock the
secret knock. It would certainly seem to limit, for example, sshd dictionary
attacks.
Before I spend much time looking into more details I thought I'd ask around
some to see what others might have heard/think. Naturally there are some
client side issues - how to get software on the client side installed and
convenient (invisible?) for users. From the server side however, I agree with
the perhaps oversold Wikipedia article that providing a port knocking daemon
on the server side seems to add a rather low cost additional layer of
security that can be rather strong from a protection in depth perspective.
When considered from a capability perspective one could imagine
a knock sequence being built into a capability - sort of like part of
a password or certificate in a data capability.
I just wondered if any of you had run into this approach and had any thoughts.
--Jed http://www.nersc.gov/~jed/
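The server-side mechanism the post describes, written out as an added example (not code from Jed or from the cap-talk list): a knocking daemon watches firewall drop logs and opens the protected port for a source only after it hits a secret sequence of closed ports in order, within a time window. The knock sequence, the iptables-style log lines and the addresses are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Assumed secret knock (not from the post): three closed TCP ports hit in order.
KNOCK_SEQUENCE = (7000, 8000, 9000)
KNOCK_TIMEOUT = 10.0   # seconds allowed between consecutive knocks
PROTECTED_PORT = 22    # the port that gets opened for a client that completes the knock

# Constructed iptables-style drop lines: "<epoch> ... SRC=<ip> ... DPT=<port>".
LOG_RE = re.compile(r"^(?P<ts>\d+) .*SRC=(?P<src>[\d.]+) .*DPT=(?P<dpt>\d+)")

@dataclass
class KnockState:
    progress: int = 0      # how many knocks of the sequence this source has matched
    last_seen: float = 0.0

class KnockDaemon:
    """Per-source state machine over dropped packets to closed ports."""
    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=KNOCK_TIMEOUT):
        self.sequence, self.timeout = sequence, timeout
        self.states: dict[str, KnockState] = {}
        self.opened: set[str] = set()   # sources for which PROTECTED_PORT was opened

    def knock(self, src: str, port: int, now: float) -> bool:
        """Record one dropped packet; return True when src completes the sequence."""
        st = self.states.setdefault(src, KnockState())
        if st.progress and now - st.last_seen > self.timeout:
            st.progress = 0   # stale partial sequence: start over
        if port == self.sequence[st.progress]:
            st.progress += 1
        else:
            # a wrong knock resets; a correct first knock may itself restart the sequence
            st.progress = 1 if port == self.sequence[0] else 0
        st.last_seen = now
        if st.progress == len(self.sequence):
            st.progress = 0
            self.opened.add(src)   # here a real daemon would insert a firewall allow rule
            return True
        return False

def process_log(lines, daemon=None):
    """Feed drop-log lines through the daemon; return sources granted access."""
    daemon = daemon or KnockDaemon()
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            daemon.knock(m["src"], int(m["dpt"]), float(m["ts"]))
    return sorted(daemon.opened)

SAMPLE_LOG = [  # constructed: one correct knock, one wrong order, one that times out
    "1170888017 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=7000",
    "1170888018 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=7000",
    "1170888019 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=8000",
    "1170888020 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=9000",
    "1170888021 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=9000",
    "1170888022 kernel: DROP IN=eth0 SRC=192.0.2.44 DST=192.0.2.10 PROTO=TCP DPT=7000",
    "1170888090 kernel: DROP IN=eth0 SRC=192.0.2.44 DST=192.0.2.10 PROTO=TCP DPT=8000",
    "1170888091 kernel: DROP IN=eth0 SRC=192.0.2.44 DST=192.0.2.10 PROTO=TCP DPT=9000",
]
```

Only 203.0.113.5 ends up in the opened set; the out-of-order and timed-out sources stay shut out. Since the knock is a static secret carried in plaintext packet headers, it is the extra layer the post describes, not a replacement for authentication on the port it opens.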