[cap-talk] User port control (was: Port Knocking)

Jed Donnelley capability at webstart.com
Fri Feb 9 19:34:16 CST 2007


At 09:04 AM 2/9/2007, David Hopwood wrote:
>...I don't feel like encouraging this protocol since
>I think it would be a bad thing for it to be deployed widely. TCP connection
>establishment is unreliable enough as it is, and we don't need ideas that
>increase the complexity of network protocols without really increasing
>security.

I agree with the concern about the front end of port knocking - the knocking
aspect (using packet sequences to essentially open a local firewall).

However, the more general notion of POLA "firewall" control I believe
has a lot of merit.  I'm looking for papers, ideas, etc. in this area.
Perhaps AlanK could comment, as a colleague suggested that
HP had done some work in this area?

E.g. imagine an organizational database that includes all the
organization's firewall rules.  The rules are default drop (POLA).
Only by making an explicit addition, e.g.:

IP 1.2.3.4 -> port 22 on local address 4.3.2.1

will any communication be allowed.  To begin with at least my
security problems just got a lot easier.  Just like the dream of
having all my systems disconnected from the network.

Of course we can't live completely disconnected.  The systems
are there to provide services.  How do we bootstrap just the
POLA port openings that are needed for legitimate services?

That's where I suggest control by authenticated users.

E.g. put up one Web server that is accessible from the
world (any IP address) but only through user authentication.
Then allow users to make requests through their authenticated
connection to the "Port Controller" to explicitly add opening
rules as above, IP 1.2.3.4 -> port 22 on local address 4.3.2.1

Since generally the user is connecting from some workstation
(could be from a laptop in a cyber cafe), the Port Controller
will know what IP address they are coming in from.  They can
just ask for a port to be opened to a server.  Then they use
the service.  E.g.  I click:

X  ssh my.server.com

and then I command:

$ ssh my.server.com

and go on with my normal authentication and use.

Pick a service (e.g. DB listener, IMAP server, http, ldap, etc.), request
the port opening, and connect with your client.  Don't do the authenticated
port opening request, and packets for a connection request drop on the
floor like the system/service isn't there.  Whew, no more dictionary
attacks on my ssh servers.  Much less concern about attacks
against my Oracle listeners.  Etc., etc.  We're talking POLA.

In my opinion the current relatively ad hoc policies for firewalls
(network and local) are a mess.  Even the whole notion of a
private LAN (where connections from the outside are rejected
but connections within the LAN are honored) creates the
"soft chewy inside" notion.  Namely if you can get connected
to the LAN (wireless, spoof a VLAN connection, robot a computer
with a VLAN connection, etc.) then all the services are open to
you.  This is POLA?

For services that should be available to any user from any
IP address our firewalls are currently wide open.  They need not be.

--Jed http://www.webstart.com/jed/ 
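A toy model of the Port Controller sketched in the post, added here as an example and not code from the post or from cap-talk: the service catalogue, the credential store and the iptables rendering are assumptions, and the addresses are the constructed ones from the post.

```python
"""Toy model of the authenticated 'Port Controller' described above.
Added example, not code from the post: the service catalogue, the
credential check and the iptables rendering are assumptions."""
import hmac
from dataclasses import dataclass, field

# Constructed catalogue: service name -> (local server address, port).
# Users may only request openings to listed services (assumption).
SERVICES = {"ssh": ("4.3.2.1", 22), "imap": ("4.3.2.1", 993)}


@dataclass(frozen=True)
class Rule:
    src_ip: str    # address the user was seen connecting from
    dst_ip: str    # local server address
    dst_port: int


@dataclass
class PortController:
    credentials: dict                          # user -> secret (constructed store)
    rules: set = field(default_factory=set)    # empty set == default drop

    def request_opening(self, user, secret, observed_src_ip, service):
        """Handle a request arriving over the authenticated Web connection.
        The rule is scoped to the IP the controller saw the request come
        from and to one catalogued service: one client, one service."""
        expected = self.credentials.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
            return None                        # unauthenticated: nothing opens
        if service not in SERVICES:
            return None                        # not a service users may open
        dst_ip, dst_port = SERVICES[service]
        rule = Rule(observed_src_ip, dst_ip, dst_port)
        self.rules.add(rule)
        return rule

    def decide(self, src_ip, dst_ip, dst_port):
        """Default drop: a packet passes only when an explicit rule matches,
        so an unknown client sees the service as if it were not there."""
        return "ACCEPT" if Rule(src_ip, dst_ip, dst_port) in self.rules else "DROP"

    def render_iptables(self):
        """Render the rule set as iptables commands (default policy DROP)."""
        cmds = ["iptables -P INPUT DROP"]
        for r in sorted(self.rules, key=lambda r: (r.src_ip, r.dst_ip, r.dst_port)):
            cmds.append(f"iptables -A INPUT -p tcp -s {r.src_ip} -d {r.dst_ip} "
                        f"--dport {r.dst_port} -j ACCEPT")
        return cmds
```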